
Probe > Robot > Hub Traffic - AES Encryption

Question asked by Chris_Armstrong on Mar 26, 2018
Latest reply on Mar 26, 2018 by Chris_Armstrong



I am trying to harden the communication from Probes to Robot to Hub, within a client's environment, to only allow communication to take place via TLS1.2.


Here is what I have done thus far:


- Turned on FIPS encryption > installed probes > then rebooted server

- Within the 2012 R2 Server, TLS1.2 encryption is enabled

- Downloaded versions of probes that support AES encryption (ntevl 4.30, processes 4.60, ntservices 3.40)

- I checked the Hub.cfg and Robot.cfg to make sure they have the same cipher specified and mode, and they do

- In the Hub server > Settings > SSL tab: Compatibility Mode is selected and the cipher type I am trying to use is: AES128-SHA256.


I found this note within the Hub IM Config notes which explains why the aforementioned cipher does not work:

  • To use TLS cipher suites for hub-to-robot SSL settings, specify a cipher suite that resolves to both TLS and SSLv3.

When I use AES128-SHA256:RC4-SHA, everything works fine because it is falling back to RC4-SHA (but this is SSLv3 and we need to be able to use TLS1.2). To confirm this, I set the loglevel to is the log entry:


Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1 


What is confusing me is that the documentation states that the probes do support AES encryption, and the 7.80 hub release notes state:


 Added support for OpenSSL TLS cipher suites

  • When using TLS 1.1 or 1.2 cipher suites, include an alternative fallback to SSLv3. Fallback ensures backward compatibility between older robots and a new hub, or probes that connect to a robot using SSL. For example, AES128-SHA256:RC4-SHA, where AES128-SHA256 is TLS v1.2 and RC4-SHA is SSLv3.0


Any assistance on this would be greatly appreciated.  



Chris A.
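
An added example, not part of the original post and not vendor code: a small audit that parses "SSL - negotiated ciphers" lines in the layout of the ntevl entry quoted above and reports every probe whose negotiated suite is not a TLSv1.2 suite or uses a legacy bulk cipher. The policy constants, the function names and all sample lines except the first are assumptions made for this example.

```python
import re

# Layout follows the ntevl log line quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+\[(?P<pid>\d+)\]\s+(?P<probe>[^:\s]+):\s+"
    r"SSL - negotiated ciphers:\s+(?P<suite>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Assumed policy for this example: the suite must be a TLSv1.2 suite and
# must not use a legacy bulk cipher.
REQUIRED_PROTO = "TLSv1.2"
LEGACY_ENC = ("RC4", "RC2", "DES", "3DES", "None")

# First line is the one quoted in the post; the others are constructed.
SAMPLE_LOG = """\
Mar 23 08:20:01:076 [2500] ntevl: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
Mar 23 08:20:03:412 [2612] processes: SSL - negotiated ciphers: AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
Mar 23 08:20:04:001 [2612] processes: profile check finished
Mar 23 08:20:07:930 [2704] ntservices: SSL - negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
"""

def parse_line(line):
    """Return the fields of one negotiated-cipher line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def audit(log_text):
    """Return one finding per log line whose suite violates the assumed policy."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a negotiated-cipher line
        reasons = []
        if rec["proto"] != REQUIRED_PROTO:
            reasons.append("suite is %s, not %s" % (rec["proto"], REQUIRED_PROTO))
        if rec["enc"].startswith(LEGACY_ENC):
            reasons.append("legacy cipher %s" % rec["enc"])
        if reasons:
            findings.append({"probe": rec["probe"], "pid": rec["pid"],
                             "suite": rec["suite"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("%s [%s] %s: %s" % (f["probe"], f["pid"], f["suite"], "; ".join(f["reasons"])))
```

In OpenSSL's cipher listing format, which this log line resembles, the field after the suite name is the protocol version that introduced the suite, so a clean result here should still be confirmed against the protocol version actually negotiated on the wire.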