
Probe > Robot > Hub Traffic - AES Encryption

Question asked by Chris_Armstrong on Mar 26, 2018
Latest reply on Mar 26, 2018 by Chris_Armstrong

Hi,

 

I am trying to harden the communication from Probes to Robot to Hub, within a client's environment, to only allow communication to take place via TLS1.2.

 

Here is what I have done thus far:

 

- Turned on FIPS encryption > installed probes > then rebooted server

- Within the 2012 R2 Server, TLS1.2 encryption is enabled

- Downloaded versions of probes that support AES encryption (ntevl 4.30, processes 4.60, ntservices 3.40)

- I checked the Hub.cfg and Robot.cfg to make sure they have the same cipher specified and mode, and they do

- In the Hub server > Settings > SSL tab: Compatibility Mode is selected and the cipher type I am trying to use is: AES128-SHA256.

 

I found this note within the Hub IM Config notes which explains why the aforementioned cipher does not work:

  • To use TLS cipher suites for hub-to-robot SSL settings, specify a cipher suite that resolves to both TLS and SSLv3.

When I use AES128-SHA256:RC4-SHA, everything works fine because it is falling back to RC4-SHA (but this is SSLv3 and we need to be able to use TLS1.2). To confirm this, I set the loglevel to 5...here is the log entry:

 

Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 

 

What is confusing me is that the documentation states that the probes do support AES encryption, and the 7.80 hub release notes state:

 

 Added support for OpenSSL TLS cipher suites

  • When using TLS 1.1 or 1.2 cipher suites, include an alternative fallback to SSLv3. Fallback ensures backward compatibility between older robots and a new hub, or probes that connect to a robot using SSL. For example, AES128-SHA256:RC4-SHA, where AES128-SHA256 is TLS v1.2 and RC4-SHA is SSLv3.0

 

Any assistance on this would be greatly appreciated.  

 

Thanks,

Chris A.
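
One way to audit probe logs at loglevel 5 for handshakes that fell back to the SSLv3 suite, as an added example that is not part of the original post or the vendor's tooling. The line layout is taken from the single log entry quoted in the post; the function names, the second and third sample lines and the policy check are assumptions made for illustration.

```python
import re
from collections import namedtuple

# Layout taken from the one log entry quoted in the post; other probe
# versions may log differently (assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}:\d{3}) \[\d+\] "
    r"(?P<probe>[\w.-]+): SSL - negotiated ciphers: "
    r"(?P<suite>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)\s*$"
)
Negotiation = namedtuple("Negotiation", "ts probe suite proto kx au enc mac")

def parse_line(line):
    """Return a Negotiation for a cipher log line, or None for any other line."""
    m = LINE_RE.match(line)
    return Negotiation(**m.groupdict()) if m else None

def audit(lines, required_proto="TLSv1.2"):
    """Return (Negotiation, [reasons]) for every handshake that misses policy."""
    findings = []
    for line in lines:
        n = parse_line(line)
        if n is None:
            continue  # not a cipher negotiation entry
        reasons = []
        if n.proto != required_proto:
            reasons.append(f"suite is {n.proto}, not {required_proto}")
        if n.enc.startswith("RC4"):
            reasons.append("RC4 stream cipher")
        if reasons:
            findings.append((n, reasons))
    return findings

SAMPLE = [
    # First line is the entry from the post; the other two are constructed.
    "Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 ",
    "Mar 23 08:20:03:412 [2612] processes: SSL - negotiated ciphers: AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256",
    "Mar 23 08:20:04:000 [2612] processes: Controller: heartbeat ok",
]

if __name__ == "__main__":
    for n, reasons in audit(SAMPLE):
        print(f"{n.ts} {n.probe}: {n.suite} -> {'; '.join(reasons)}")
```

The fields follow the layout of OpenSSL's cipher description, in which the protocol column names the version that introduced the suite, so a finding here is about the suite selected rather than proof of the wire protocol version.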
