SMP Agent for Mac 8.0 - SSL, TLS, Key Exchange & Cipher Information

Article ID: 178912

Products

Management Platform (Formerly known as Notification Server)
Notification Server Agent for Macintosh (Altiris)

Issue/Introduction

 

Resolution

The following charts show test results for various configurations of SSL, TLS, Key Exchange and Cipher settings in IIS for SMP Agent for Mac communication with the SMP server.

Testing every combination is impractical, so only several obvious combinations were tested. The following conditions apply:

  • All SSL, TLS, Key Exchange and Cipher configuration changes were done using "IIS Crypto 2.0". A reboot of the SMP VM was done after each change.
  • The corresponding SSL and TLS settings are found in the Windows registry at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols. Each subkey has an entry named 'Enabled'. A value of 0 (zero) means disabled/false. Any other value is enabled/true.

  • The SMP virtual machine is running Windows Server 2012 R2 Standard. 

  • The Mac client is running OS X 10.12.1 and the SMP Agent for Mac version 8.0.3311.

  • Communication was tested on the client by running 'aex-refreshpolicies' in Terminal.app. Any status other than a 'Successful' or 'not changed' type of message was considered a failure.
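
To confirm which row of the tables below a given server actually matches, the protocol keys can be read directly on the SMP server. The PowerShell below is an added example, not part of the original article: the function name `Get-SchannelProtocolState` is hypothetical, and it assumes the standard layout in which each protocol subkey holds `Server` and `Client` subkeys carrying the 'Enabled' value.

```powershell
# Added example, not from the article. Reads the SCHANNEL protocol keys and
# applies the article's rule: Enabled = 0 is disabled, any other value is enabled.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    param(
        [string]$Path = $Base,
        [ValidateSet('Server', 'Client')]
        [string]$Role = 'Server'       # IIS on the SMP server uses the Server side
    )
    # No protocol subkeys at all means nothing is overridden: OS defaults apply.
    foreach ($proto in Get-ChildItem -Path $Path -ErrorAction Stop) {
        $roleKey = Join-Path -Path $proto.PSPath -ChildPath $Role
        $prop = Get-ItemProperty -Path $roleKey -Name 'Enabled' -ErrorAction SilentlyContinue
        if ($null -eq $prop) {
            $state = 'NotConfigured'   # key or value missing: OS default applies
            $raw = $null
        } elseif ($prop.Enabled -eq 0) {
            $state = 'Disabled'
            $raw = 0
        } else {
            $state = 'Enabled'         # any non-zero value, e.g. 1 or 0xFFFFFFFF
            $raw = $prop.Enabled
        }
        [pscustomobject]@{
            Protocol = $proto.PSChildName
            Role     = $Role
            State    = $state
            RawValue = $raw
        }
    }
}

$states = @(Get-SchannelProtocolState -Role Server)
$states | Format-Table -AutoSize

# Summarize per family in the terms the tables use (SSL ... / TLS ...).
foreach ($family in 'SSL', 'TLS') {
    $rows = $states | Where-Object { $_.Protocol -like "$family *" }
    $on   = @($rows | Where-Object { $_.State -eq 'Enabled' }).Protocol -join ', '
    $unk  = @($rows | Where-Object { $_.State -eq 'NotConfigured' }).Protocol -join ', '
    '{0}: enabled = [{1}]; not configured (OS default) = [{2}]' -f $family, $on, $unk
}
```

Run it after the reboot that follows each IIS Crypto change, so the reported state is the one IIS is actually using.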

 

The following table shows test results for when the SMP server is NOT configured to use SSL. It is HTTP only. The default <servername> certificate is bound to port 443. The client is configured to use HTTPS (the agent will fall back to HTTP):

| Test group | SSL | TLS | Key Exchanges | Ciphers | Result | Notes |
|---|---|---|---|---|---|---|
| SSL & TLS | All | All | ALL | ALL | Successful | |
| SSL & TLS | All | None | ALL | ALL | Failed | Some version of both SSL and TLS is required. |
| SSL & TLS | None | All | ALL | ALL | Failed | Some version of both SSL and TLS is required. |
| SSL & TLS | All | 1.0 | ALL | ALL | Successful | |
| SSL & TLS | All | 1.1 | ALL | ALL | Successful | |
| SSL & TLS | All | 1.2 | ALL | ALL | Successful | |
| SSL & TLS | 2.0 | All | ALL | ALL | Successful | |
| SSL & TLS | 2.0 | 1.0 | ALL | ALL | Successful | |
| SSL & TLS | 2.0 | 1.1 | ALL | ALL | Failed | SSL 2.0 evidently does not work with TLS 1.1 and 1.2. |
| SSL & TLS | 2.0 | 1.2 | ALL | ALL | Failed | SSL 2.0 evidently does not work with TLS 1.1 and 1.2. |
| SSL & TLS | 3.0 | All | ALL | ALL | Successful | |
| SSL & TLS | 3.0 | 1.0 | ALL | ALL | Successful | |
| SSL & TLS | 3.0 | 1.1 | ALL | ALL | Successful | |
| SSL & TLS | 3.0 | 1.2 | ALL | ALL | Successful | |
| Key Exchanges | All | All | None | ALL | Failed | |
| Key Exchanges | All | All | Diffie-Hellman only | ALL | Successful | |
| Key Exchanges | All | All | PKCS only | ALL | Successful | |
| Key Exchanges | All | All | ECDH only | ALL | Successful | |
| Ciphers | All | All | ALL | None | Successful | |

 

 

The following table shows test results for when the SMP server IS configured to require SSL and accept client certificates. The default <servername> certificate is bound to port 443. The client is configured to use HTTPS (the agent will fall back to HTTP):

| Test group | SSL | TLS | Key Exchanges | Ciphers | Result | Notes |
|---|---|---|---|---|---|---|
| SSL & TLS | All | All | ALL | ALL | Successful | |
| SSL & TLS | All | None | ALL | ALL | Failed | TLS is required when SSL is enabled in IIS. |
| SSL & TLS | None | All | ALL | ALL | Successful | Verified in the registry - no enabled SSL versions. Not sure why this worked since SSL is required in IIS. |
| SSL & TLS | All | 1.0 | ALL | ALL | Successful | |
| SSL & TLS | All | 1.1 | ALL | ALL | Successful | |
| SSL & TLS | All | 1.2 | ALL | ALL | Successful | |
| SSL & TLS | 2.0 | All | ALL | ALL | Successful | |
| SSL & TLS | 2.0 | 1.0 | ALL | ALL | Successful | |
| SSL & TLS | 2.0 | 1.1 | ALL | ALL | Failed | |
| SSL & TLS | 2.0 | 1.2 | ALL | ALL | Failed | |
| SSL & TLS | 3.0 | All | ALL | ALL | Successful | |
| SSL & TLS | 3.0 | 1.0 | ALL | ALL | Successful | |
| SSL & TLS | 3.0 | 1.1 | ALL | ALL | Successful | |
| SSL & TLS | 3.0 | 1.2 | ALL | ALL | Successful | |
| Key Exchanges | All | All | None | ALL | Failed | |
| Key Exchanges | All | All | Diffie-Hellman only | ALL | Successful | |
| Key Exchanges | All | All | PKCS only | ALL | Successful | |
| Key Exchanges | All | All | ECDH only | ALL | Successful | |
| Ciphers | All | All | ALL | None | Failed | |