Hi,
I am trying to harden the communication from Probes to Robot to Hub, within a client's environment, to only allow communication to take place via TLS1.2.
Here is what I have done thus far:
- Turned on FIPS encryption > installed probes > then rebooted server
- Within the 2012 R2 Server, TLS1.2 encryption is enabled
- Downloaded versions of probes that support AES encryption (ntevl 4.30, processes 4.60, ntservices 3.40)
- I checked the Hub.cfg and Robot.cfg to make sure they have the same cipher specified and mode, and they do
- In the Hub server > Settings > SSL tab: Compatibility Mode is selected and the cipher type I am trying to use is: AES128-SHA256.
I found this note within the Hub IM Config notes which explains why the aforementioned cipher does not work:
- To use TLS cipher suites for hub-to-robot SSL settings, specify a cipher suite that resolves to both TLS and SSLv3.
When I use AES128-SHA256:RC4-SHA, everything works fine because it is falling back to RC4-SHA (but this is SSLv3 and we need to be able to use TLS1.2). To confirm this, I set the loglevel to 5... here is the log entry:
Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
What is confusing me is that the documentation states that the probes do support AES encryption, and the 7.80 hub release notes state:
Added support for OpenSSL TLS cipher suites
When using TLS 1.1 or 1.2 cipher suites, include an alternative fallback to SSLv3. Fallback ensures backward compatibility between older robots and a new hub, or probes that connect to a robot using SSL. For example, AES128-SHA256:RC4-SHA, where AES128-SHA256 is TLS v1.2 and RC4-SHA is SSLv3.0
Any assistance on this would be greatly appreciated.
Thanks,
Chris A.
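
Added example, not part of the original post or of the vendor's tooling: a Python check over level-5 probe logs that reports every "SSL - negotiated ciphers" entry that did not land on a TLS 1.2 suite, such as the RC4-SHA fallback quoted in the post. It assumes the entry layout shown in the post; only the first sample line comes from the post, the others are constructed, and the names parse and audit are chosen here.

```python
import re

# Entry layout as quoted in the post. The trailing fields match OpenSSL's
# cipher listing: name, protocol version listed for the suite, Kx, Au, Enc, Mac.
LINE_RE = re.compile(
    r"\[(?P<pid>\d+)\]\s+(?P<probe>[\w.-]+):\s+SSL - negotiated ciphers:\s+"
    r"(?P<cipher>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^(\s]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

WEAK_ENC = {"RC4", "RC2", "DES", "3DES", "None"}  # ciphers to reject outright
WEAK_MAC = {"MD5"}

def parse(line):
    """Return the fields of a negotiated-ciphers entry, or None for other lines."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def audit(lines, required_proto="TLSv1.2"):
    """List (probe, cipher, reasons) for every entry that violates the policy."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # not a negotiation entry
        reasons = []
        if rec["proto"] != required_proto:
            reasons.append(f"suite is {rec['proto']}, expected {required_proto}")
        if rec["enc"] in WEAK_ENC:
            reasons.append(f"weak cipher {rec['enc']}")
        if rec["mac"] in WEAK_MAC:
            reasons.append(f"weak MAC {rec['mac']}")
        if reasons:
            findings.append((rec["probe"], rec["cipher"], reasons))
    return findings

SAMPLE_LOG = [
    # Line quoted in the post.
    "Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1",
    # Constructed lines for illustration only.
    "Mar 23 08:21:14:310 [2712] processes: SSL - negotiated ciphers: AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256",
    "Mar 23 08:21:15:002 [2712] processes: constructed unrelated entry",
]

if __name__ == "__main__":
    for probe, cipher, reasons in audit(SAMPLE_LOG):
        print(f"{probe}: {cipher} -> {'; '.join(reasons)}")
```

Running it over each probe's log after a cipher change shows which probes still negotiate the fallback suite rather than AES128-SHA256.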