Transition to TLS 1.2 (Broken clients?)

Hi all,

We need to turn on TLS 1.2 in the admin tool, but I am nervous this will break communication with my current clients. Does anyone have experience turning this on in an environment that is active? Do the clients automatically re-register with the root server? Are there any gotchas or things to look out for on this? Is there any available documentation that covers this? I have not been able to find any.

@jgstew

1 Like

Clients are already using TLS 1.0 or higher to do the communication, but to use TLS 1.2 you need to have a new enough OpenSSL inside the client. This is present in the 9.1 version or later (which is also when we enabled the TLS 1.2 feature), so as long as all your clients are 9.1 or later you will not lose communication. There may be an intermittent time when the clients will need to switch, so you would want to allow time for the clients to perform a relay select as well.

Also make sure ALL your relays are at least 9.1 (they should always be the same version as the root server anyway).

1 Like
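The answer above reduces to one pre-flight rule: every client and every relay must be 9.1 or later before TLS 1.2 is switched on. The script below is an added example (not BigFix code, and not from the forum author) that applies that rule to an inventory of endpoints. It assumes you can export hostname, role and agent version from the console; the `Endpoint` records in `SAMPLE_INVENTORY` are constructed sample data. The one non-obvious point it handles is that version strings must be compared numerically, since a lexical comparison would rank `10.0.x` below `9.1.x`.

```python
"""Pre-flight check before enabling TLS 1.2 on the root server.

Added example, not BigFix's own code. Assumes an inventory exported from
the console as (name, role, version) rows; sample rows below are constructed.
The 9.1 threshold is the one stated in the forum answer above.
"""
from typing import Dict, List, NamedTuple, Tuple

# Clients and relays need 9.1 or later for the bundled OpenSSL to speak TLS 1.2.
MIN_TLS12_VERSION: Tuple[int, int] = (9, 1)


class Endpoint(NamedTuple):
    name: str      # hostname (constructed in the sample data)
    role: str      # "client" or "relay"
    version: str   # agent version string, e.g. "9.0.853.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.0.853.0' into (9, 0, 853, 0) so comparison is numeric.

    A plain string comparison would put '10.0.0.0' before '9.1.0.0'.
    """
    parts: List[int] = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable agent version: {version!r}")
        parts.append(int(piece))
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {version!r}")
    return tuple(parts)


def supports_tls12(version: str) -> bool:
    """True when the agent's major.minor is at or above the 9.1 threshold."""
    return parse_version(version)[:2] >= MIN_TLS12_VERSION


def preflight(inventory: List[Endpoint]) -> Dict[str, object]:
    """Report which endpoints would lose communication if TLS 1.2 were enabled.

    Relays are listed separately because a stale relay strands every client
    behind it, so those are the ones to upgrade first.
    """
    blocked = [e for e in inventory if not supports_tls12(e.version)]
    relays_blocked = [e.name for e in blocked if e.role == "relay"]
    clients_blocked = [e.name for e in blocked if e.role == "client"]
    return {
        "ready": not blocked,
        "relays_blocked": relays_blocked,
        "clients_blocked": clients_blocked,
    }


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY: List[Endpoint] = [
    Endpoint("relay-01.example.test", "relay", "9.1.1082.0"),
    Endpoint("relay-02.example.test", "relay", "9.0.853.0"),   # too old
    Endpoint("ws-100.example.test", "client", "10.0.1.0"),     # numeric compare matters here
    Endpoint("ws-101.example.test", "client", "9.0.649.0"),    # too old
    Endpoint("ws-102.example.test", "client", "9.2.5.0"),
]


if __name__ == "__main__":
    report = preflight(SAMPLE_INVENTORY)
    print("Safe to enable TLS 1.2:", report["ready"])
    print("Relays to upgrade first:", report["relays_blocked"])
    print("Clients to upgrade:", report["clients_blocked"])
```

Run it against a real export before flipping the setting; if `relays_blocked` is non-empty, upgrade those relays first and allow the relay-select window the answer mentions before re-running the check.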

Thanks Alan. That is great to have this confirmed.

Just be aware that the answer is within the BigFix infrastructure. When communicating to other servers outside of the BigFix infrastructure we can't guarantee what they support. We will try and negotiate at a secure level with known "broken" methods removed, but it is up to the server side what is negotiated there.

Just wanted to update on this thread for future users. I switched it on with absolutely no problems at all.

2 Likes