All the servers in our environment are configured with TLS 1.2. In UIM, after upgrading all the probes to the latest version (that supports TLS 1.2 ciphers) and making changes to hub->advanced settings->SSL->Compatibility Mode->cipher type: AES128-SHA256. Restart the hub probe. Does this solution work? Are there any other changes that have to be made?
Chris_Armstrong I have seen your post. Did you try to add SSL v3 as a fallback? Is that mandatory to add? Our compliance team doesn't want to have encryption happening over SSL. Any assistance would be highly appreciated.
The short answer: no, cipher suite "AES128-SHA256" does not work, because it requires OpenSSL libraries 1.0.1 or higher.
To answer your other questions, yes, I did use SSLv3 as a fallback, and yes, if you add in the cipher AES128-SHA256, which is TLS 1.2 compliant...you will have to add in the SSLv3 for the fallback, or it will not work. So basically, there is no need to add AES128-SHA256. Just put in the SSLv3 cipher.
So instead of this: AES128-SHA256:RC4-SHA
Just use this: RC4-SHA
The reason is that the system probes (i.e. ntservices, ntevl, cdm, etc.), as of today (4.10.2018), only support OpenSSL 1.0.0m (this can be confirmed in the release notes of each probe). CA will need to implement at least OpenSSL 1.0.1 libraries into their probes before we (the customer) can begin encrypting our internal probe communications over TLS 1.2.
The CA Support engineer I spoke with stated that there currently is no talk of dev implementing these libraries into their probes. In order for them (CA dev) to move this up the priority list, we will need to submit an Idea, and then hope that enough people back it.
Do note that the hub probe does support the appropriate OpenSSL libraries for TLS 1.2 encryption. So if you create a tunnel from client side hub to server side hub, you can encrypt that traffic in TLS 1.2.
The following IDEA has been created: Update All Probes to use OpenSSL 1.0.2 Libraries for TLS1.2 Support
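Added example, not part of the original thread and not CA code: a small audit that takes the OpenSSL version strings listed in each probe's release notes and flags the probes that predate 1.0.1, the first OpenSSL release with TLS 1.2 support. The probe names and `1.0.0m` come from the post above; `example_probe`, its version, and all function names are assumptions made for illustration.

```python
import re

# TLS 1.1/1.2 support first shipped in OpenSSL 1.0.1.
TLS12_MIN = (1, 0, 1, 0)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Turn '1.0.0m' or 'OpenSSL 1.0.2u  20 Dec 2019' into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    # Pre-3.0 releases carry a letter patch level: '' < 'a' < ... < 'z' < 'za'.
    patch = sum(ord(ch) - ord("a") + 1 for ch in m.group(4))
    return (major, minor, fix, patch)


def supports_tls12(version_text):
    """True when the library version is new enough to negotiate TLS 1.2."""
    return parse_openssl_version(version_text) >= TLS12_MIN


def audit(inventory):
    """Return the sorted names of probes whose library cannot do TLS 1.2."""
    return sorted(n for n, v in inventory.items() if not supports_tls12(v))


# Constructed inventory: the three probes and '1.0.0m' are taken from the post;
# 'example_probe' and its version string are made up for contrast.
SAMPLE_INVENTORY = {
    "ntservices": "1.0.0m",
    "ntevl": "1.0.0m",
    "cdm": "1.0.0m",
    "example_probe": "OpenSSL 1.0.2u  20 Dec 2019",
}

if __name__ == "__main__":
    for name in audit(SAMPLE_INVENTORY):
        ver = SAMPLE_INVENTORY[name]
        print(f"{name}: OpenSSL {ver} predates 1.0.1, cannot negotiate TLS 1.2")
```

Any probe this reports can only be reached with the pre-TLS 1.2 fallback cipher, so it marks the traffic a compliance review should expect to find outside TLS 1.2.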