TLS 1.2 and secure certificates on relay servers

HI All,
We are facing a vulnerability issue on our relay servers: the scanner tool is showing SSL vulnerabilities on port 52311 on the relay servers.

Can we enable the TLS settings on the Relay servers and also update the certificates?

I am a bit confused because the BigFix settings mentioned below can be applied on the relay servers too.
_BESRelay_HTTPServer_SSLCertificateFilePath
_BESRelay_HTTPServer_SSLPrivateKeyFilePath
_BESRelay_HTTPServer_RequireTLS12

And there is also another link in the wiki security section that says we cannot change the certificate for relays and clients.
https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en#!/wiki/BigFix%20Wiki/page/Security%20Overview

In this link it is clearly mentioned that relay and client certificates cannot be changed, and the vulnerability tool also marks the BigFix relay certificates as vulnerable, but they are not easy to spoof.

Now, if we are not able to change the certificates for the relay servers, then why are the settings available for relay servers?

And if the information mentioned in the wiki link is correct, then should we bypass the vulnerabilities that are showing up for our relay servers (because of the self-signed SSL certificates) and consider the certificates used by BigFix as secure?

Please look into the following documentation - https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_security_settings.html

Also make note of the following - Temporary Recommendation: BigFix Administration Tool Setting


Hi, the links that you have shared are talking about enhanced security, and in my infra enhanced security is already enabled, and still the relay servers are showing as vulnerable for self-signed certificates.

Can you please explain how this helps us?

This is a helpful article on BigFix Product Security, and it speaks directly to vulnerability scanners' detection of the self-signed certificate issue in the Certificates Life Cycle section.

https://bigfix-wiki.hcltechsw.com/wikis/home?lang=en-us#!/wiki/BigFix%20Wiki/page/Security%20Overview

If you need additional assistance following this review, please reach out to your Technical Advisor for additional assistance or send me a direct message and I’ll be glad to help get you to the right person.

We also have a Knowledge Base article, where we explain we use self-signed certificates for internal communications and the security alert should be marked as false positive: https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0022559
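As an added example (not from any of the posters, HCL, or the BigFix product), here is a small standard-library Python check a relay admin can run against a relay's port 52311 to separate the two findings discussed in this thread: whether legacy TLS versions are still accepted (the actionable part, governed by the _BESRelay_HTTPServer_RequireTLS12 setting) and whether the only complaint is the self-signed certificate (the expected false positive per KB0022559). The relay hostname passed to scan_relay is a placeholder you supply.

```python
import socket
import ssl

RELAY_PORT = 52311            # BigFix relay port named in the thread
SELF_SIGNED_CODES = {18, 19}  # OpenSSL X509 verify codes: self-signed leaf / self-signed in chain

def probe_version(host, version, port=RELAY_PORT, timeout=5.0):
    """True if the relay completes a handshake when pinned to exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # only the protocol version is under test here
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError, ValueError):
        return False   # handshake refused, or this client build no longer offers the version

def classify_verify_error(verify_code):
    """Map an OpenSSL verify code to the triage bucket used in this thread."""
    return "self-signed" if verify_code in SELF_SIGNED_CODES else "other"

def check_certificate(host, port=RELAY_PORT, timeout=5.0):
    """Verify the relay certificate against the system trust store and classify any failure."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED, hostname checked
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as err:
        return classify_verify_error(err.verify_code)   # 18/19 -> expected BigFix self-signed cert
    except OSError:
        return "unreachable"

def legacy_tls_verdict(accepted):
    """accepted maps a version name to its probe result; returns the action to take."""
    legacy = [name for name in ("TLSv1", "TLSv1.1") if accepted.get(name)]
    if legacy:
        return "legacy " + ", ".join(legacy) + " accepted: apply _BESRelay_HTTPServer_RequireTLS12"
    if accepted.get("TLSv1.2"):
        return "only TLS 1.2+ accepted: RequireTLS12 is effective"
    return "no probed version accepted: check host and port"

def scan_relay(host):
    """Probe each TLS version on the relay port and classify its certificate."""
    versions = {"TLSv1": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
                "TLSv1.2": ssl.TLSVersion.TLSv1_2}
    accepted = {name: probe_version(host, ver) for name, ver in versions.items()}
    return legacy_tls_verdict(accepted), check_certificate(host)
```

Run scan_relay("your-relay-host") from a machine that can reach the relay; a result of "self-signed" alongside "only TLS 1.2+ accepted" is the state the KB article describes as a scanner false positive.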
