Working with TLS cipher lists

All network communications between the BigFix components and the internet are encrypted by using the TLS protocol standard. Starting from Version 9.5.11, master operators can control which TLS ciphers should be used for encryption. A master operator can set a deployment-wide TLS cipher list in the masthead by using BESAdmin.

The TLS cipher list is a colon-delimited list of cipher suites or cipher families. To disable a cipher suite or cipher family, precede the name with !.

When no TLS cipher list is present in the masthead, the default TLS cipher list HIGH:!ADH:!AECDH:!kDH:!kECDH:!PSK:!SRP is used.

Starting from Version 10 Patch 3, the default TLS cipher list, used when no TLS cipher list is present in the masthead, is HIGH:!ADH:!AECDH:!kDH:!kECDH:!kRSA:!PSK:!SRP.

The default list defines the master set of TLS cipher suites from which you can select. Cipher suites that are not in this master set are either insecure or incompatible with the BigFix components. In addition, the TLS cipher list must include at least one cipher suite using RSA key exchange for the BigFix HTTPS servers. The following BESAdmin commands help you create the TLS cipher list:

testTLSCipherList

To test if a particular TLS cipher list is compatible with the BigFix components, run the following command:

/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -testTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>

For example:

/BESAdmin.sh -securitysettings -sitePvkLocation=/opt/BESInstallFiles/license.pvk -sitePvkPassword=bigfix -testTLSCipherList='TLSv1.2:!ADH:!AECDH:!kDH:!kECDH:!PSK:!SRP:!NULL'

If the command runs successfully, BESAdmin provides a detailed list of all TLS cipher suites that are enabled. If unsuccessful, BESAdmin provides a detailed list of which cipher suites are insecure or incompatible.

Note: In bash, ! is treated as a special character. You must either escape it with \ or enclose the whole list in single quotes ('). Double quotes (") are insufficient.

setTLSCipherList

After identifying a suitable TLS cipher list, you can set it with the following command:

/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -setTLSCipherList=<cipher_1>:<cipher_2>:..:<cipher_n>

For example:

/BESAdmin.sh -securitysettings -sitePvkLocation=/opt/BESInstallFiles/license.pvk -sitePvkPassword=bigfix -setTLSCipherList='TLSv1.2:!ADH:!AECDH:!kDH:!kECDH:!PSK:!SRP:!NULL'
If the command is unsuccessful, BESAdmin provides a detailed list of which cipher suites are insecure or incompatible. The cipher suites in the list are arranged in order of preference. To reorder them by key length, add @STRENGTH.

Note: BESAdmin does not verify whether the name of a particular cipher suite or cipher family is available; it only checks the final set of TLS cipher suites that is implied by the colon-delimited list.

listTLSCiphers
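The following Python script is an added illustration, not part of BigFix or BESAdmin. It uses Python's ssl module, which hands the string to the same OpenSSL cipher-string parser that the BigFix TLS cipher list is built on, to preview a candidate list before passing it to -testTLSCipherList: it splits the colon-delimited list, expands it into the concrete suites OpenSSL selects, lists which selected suites use RSA key exchange (the page requires at least one for the BigFix HTTPS servers), shows which suites a ! exclusion such as !kRSA removes, and checks the ordering that @STRENGTH requests. The two default lists are quoted from this page; the function names and the placeholder family name NOSUCHFAMILY are constructed for the example. As the note above says of BESAdmin, OpenSSL ignores an unknown family name and only rejects a list whose final set is empty.

```python
import re
import ssl

# Default lists as stated in the documentation (9.5.11 and 10 Patch 3).
DEFAULT_9_5_11 = "HIGH:!ADH:!AECDH:!kDH:!kECDH:!PSK:!SRP"
DEFAULT_10_PATCH_3 = "HIGH:!ADH:!AECDH:!kDH:!kECDH:!kRSA:!PSK:!SRP"


def parse_cipher_list(cipher_list):
    """Split a colon-delimited cipher list into (negated, name) pairs.

    Rejects empty entries (e.g. 'HIGH::!ADH'); a '@STRENGTH' directive is
    returned like any other entry so callers can see where it sits.
    """
    entries = []
    for token in cipher_list.split(":"):
        if not token:
            raise ValueError("empty entry in cipher list: %r" % cipher_list)
        if token.startswith("!"):
            entries.append((True, token[1:]))
        else:
            entries.append((False, token))
    return entries


def expand_cipher_list(cipher_list):
    """Return the suites OpenSSL actually selects for this string.

    Like BESAdmin, OpenSSL does not complain about an unknown family name;
    it only fails when the final set of (TLS 1.2 and below) suites is empty.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError as exc:
        raise ValueError("no cipher suite selected by %r" % cipher_list) from exc
    suites = []
    for c in ctx.get_ciphers():
        # 'description' has the same shape as `openssl ciphers -v` output, e.g.
        # "AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD"
        kx = re.search(r"Kx=(\S+)", c["description"])
        suites.append({
            "name": c["name"],
            "protocol": c["protocol"],
            "kx": kx.group(1) if kx else "?",
            "bits": c["strength_bits"],
        })
    return suites


def rsa_key_exchange_suites(cipher_list):
    """Names of the selected suites that use RSA key exchange (Kx=RSA).

    The documentation requires at least one such suite for the BigFix HTTPS
    servers, so check this before running -setTLSCipherList.
    """
    return [s["name"] for s in expand_cipher_list(cipher_list) if s["kx"] == "RSA"]


def removed_by_exclusion(base_list, exclusion):
    """Which suites does appending '!<exclusion>' remove from base_list?"""
    before = {s["name"] for s in expand_cipher_list(base_list)}
    after = {s["name"] for s in expand_cipher_list(base_list + ":!" + exclusion)}
    return sorted(before - after)


def sorted_by_strength(cipher_list):
    """True if the TLS 1.2-and-below suites come out in non-increasing key
    length, which is what appending '@STRENGTH' asks OpenSSL to do.
    TLS 1.3 suites are kept in a separate list by OpenSSL and are skipped."""
    bits = [s["bits"] for s in expand_cipher_list(cipher_list)
            if s["protocol"] != "TLSv1.3"]
    return all(a >= b for a, b in zip(bits, bits[1:]))


if __name__ == "__main__":
    for label, lst in (("9.5.11", DEFAULT_9_5_11), ("10 Patch 3", DEFAULT_10_PATCH_3)):
        print(label, "default selects", len(expand_cipher_list(lst)), "suites;",
              "RSA key exchange:", rsa_key_exchange_suites(lst))
    print("!kRSA removes:", removed_by_exclusion(DEFAULT_9_5_11, "kRSA"))
```

Run it with the Python that ships on the BigFix server host, since the suites it prints reflect that host's OpenSSL build; this is the same reason the page says available ciphers depend on the OpenSSL version in use.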

For a detailed list of all the TLS ciphers that are currently enabled, run the following command:

/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -listTLSCiphers

For example:

/BESAdmin.sh -securitysettings -sitePvkLocation=/opt/BESInstallFiles/license.pvk -sitePvkPassword=bigfix -listTLSCiphers

removeTLSCipherList

To remove a TLS cipher list from the deployment masthead and return to the default cipher list, run the following command:

/BESAdmin.sh -securitysettings -sitePvkLocation=<path+license.pvk> -sitePvkPassword=<password> -removeTLSCipherList

For example:

/BESAdmin.sh -securitysettings -sitePvkLocation=/opt/BESInstallFiles/license.pvk -sitePvkPassword=bigfix -removeTLSCipherList

The detailed ciphers that are available for a given cipher family depend on the version of OpenSSL that is in use. At its core, the TLS cipher list is the OpenSSL cipher string. For more details, see OpenSSL Cryptography and SSL/TLS Toolkit. Do not use this feature if you are not familiar with the basics of TLS cryptography.