Hi All,
We are facing a vulnerability issue on our relay servers, where the scanner tool is showing SSL vulnerabilities on port 52311.
Can we enable the TLS settings on the Relay servers and also update the certificates?
I am a bit confused, because the BigFix settings mentioned below can be applied on the relay servers too.
_BESRelay_HTTPServer_SSLCertificateFilePath
_BESRelay_HTTPServer_SSLPrivateKeyFilePath
_BESRelay_HTTPServer_RequireTLS12
Also, there is one other link in the wiki security section that says we cannot change the certificate for relays and clients.
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en#!/wiki/BigFix%20Wiki/page/Security%20Overview
In this link it is clearly mentioned that we cannot change the relay and client certificates, and the vulnerability tool also marks the BigFix relay certificates as vulnerable, but they are not easy to spoof.
Now, if we are not able to change the certificates for the relay servers, then why do we have the settings available for relay servers?
And if the information mentioned in the wiki link is correct, then should we bypass the vulnerabilities that are showing up for our relay servers (because of the self-signed SSL certificates) and consider the certificates used by BigFix as secure?