DX Unified Infrastructure Management

  • 1.  Probe > Robot > Hub Traffic - AES Encryption

    Posted Mar 26, 2018 09:58 AM



    I am trying to harden the communication from Probes to Robot to Hub, within a client's environment, to only allow communication to take place via TLS1.2.


    Here is what I have done thus far:


    -Turned on FIPS encryption > installed probes > then rebooted server

    -Within the 2012 R2 Server, TLS1.2 encryption is enabled

    -Downloaded versions of probes that support AES encryption (ntevl 4.30, processes 4.60, ntservices 3.40)

    -I checked the Hub.cfg and Robot.cfg to make sure they have the same cipher specified and mode, and they do

    -In the Hub server > Settings > SSL tab: Compatibility Mode is selected and the cipher type I am trying to use is: AES128-SHA256. 


    I found this note within the Hub IM Config notes which explains why the aforementioned cipher does not work:

    • To use TLS cipher suites for hub-to-robot SSL settings, specify a cipher suite that resolves to both TLS and SSLv3.

    When I use AES128-SHA256:RC4-SHA, everything works fine because it is falling back to RC4-SHA (but this is SSLv3 and we need to be able to use TLS1.2).  To confirm this, I set the loglevel to 5...here is the log entry:


    Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 


    What is confusing me is that the documentation states that the probes do support AES encryption, and the 7.80 hub release notes state:


     Added support for OpenSSL TLS cipher suites

    • When using TLS 1.1 or 1.2 cipher suites, include an alternative fallback to SSLv3. Fallback ensures backward compatibility between older robots and a new hub, or probes that connect to a robot using SSL. For example, AES128-SHA256:RC4-SHA, where AES128-SHA256 is TLS v1.2 and RC4-SHA is SSLv3.0


    Any assistance on this would be greatly appreciated.  



    Chris A.
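The loglevel-5 entry above is the one place the actual negotiated protocol shows up, so a quick way to verify whether a hub/robot/probe link really uses TLS 1.2 or has silently fallen back to the SSLv3 half of a cipher string like AES128-SHA256:RC4-SHA is to scan the probe logs for those "negotiated ciphers" lines. The following checker is an added example, not part of this thread or of the product; it assumes the line layout of the single entry quoted above, and the second and third sample lines are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample log: the first line is the RC4-SHA entry quoted in the post,
# the other two are assumed examples in the same layout (not from the product).
SAMPLE_LOG = """\
Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
Mar 23 08:20:03:110 [2500] ntevl: SSL - negotiated ciphers: AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
Mar 23 08:20:05:002 [2500] ntevl: probe started
"""

# Matches "<timestamp> [<pid>] <probe>: SSL - negotiated ciphers: <suite> <protocol> Kx=.. Au=.. Enc=.. Mac=.."
NEGOTIATED = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:]+) \[(?P<pid>\d+)\] (?P<probe>\w+): SSL - negotiated ciphers: "
    r"(?P<cipher>\S+) (?P<proto>\S+) Kx=(?P<kx>\S+) Au=(?P<au>\S+) Enc=(?P<enc>\S+) Mac=(?P<mac>\S+)"
)

# Anything below TLS 1.2 means the connection took the legacy fallback suite.
LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


@dataclass
class Negotiation:
    probe: str
    cipher: str
    proto: str
    enc: str
    mac: str

    def reasons(self):
        """Why this handshake does not meet a TLS 1.2-only, AES-only policy (empty if it does)."""
        out = []
        if self.proto in LEGACY_PROTOCOLS:
            out.append(f"protocol {self.proto} (fallback below TLS 1.2)")
        if self.enc.startswith("RC4"):
            out.append("RC4 bulk cipher")
        if self.mac == "SHA1":
            out.append("SHA1 MAC")
        return out


def parse_negotiations(log_text):
    """Extract every negotiated-cipher entry; other log lines are ignored."""
    found = []
    for line in log_text.splitlines():
        m = NEGOTIATED.match(line)
        if m:
            found.append(Negotiation(m["probe"], m["cipher"], m["proto"], m["enc"], m["mac"]))
    return found


def find_fallbacks(log_text):
    """Return (probe, suite, reasons) for each handshake that did not land on the intended TLS 1.2 suite."""
    return [(n.probe, n.cipher, n.reasons()) for n in parse_negotiations(log_text) if n.reasons()]


if __name__ == "__main__":
    for probe, cipher, why in find_fallbacks(SAMPLE_LOG):
        print(f"{probe}: negotiated {cipher}: " + "; ".join(why))
```

Run it over the real probe log (after setting loglevel to 5 and restarting the probe) instead of SAMPLE_LOG; any line it reports is a link that is still on the SSLv3 fallback rather than on AES128-SHA256 over TLS 1.2.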

  • 2.  Re: Probe > Robot > Hub Traffic - AES Encryption
    Best Answer

    Posted Mar 26, 2018 04:51 PM

    And after some more digging, I noticed that none of the probes support the correct version of OpenSSL, in order to be able to support TLS1.1 or 1.2.



    Chris A.