EDR: How to Update SSL Ciphers Used for Communication
search cancel

EDR: How to Update SSL Ciphers Used for Communication


Article ID: 285789


Updated On:


Carbon Black EDR (formerly Cb Response)


Update the ssl ciphers used for communication on the server


  • EDR Server: All Versions


Important: Cipher Settings need to be on all nodes in a clustered instance. 
  1. Determine which Cipher suite you want the EDR server to accept. The default configuration receives an A+ score on ssllabs. 
    StrengthConfiguration in /etc/cb/cb.confCiphers Allowed
    Strongest (Default)UseIncreasedSecurityCiphers = true
    UseWeakCBCSecurityCiphers = false
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
    • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
    WeakerUseIncreasedSecurityCiphers = true
    UseWeakCBCSecurityCiphers = true
    Additional CBC Ciphers added to the above:
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
    • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
    WeakestUseIncreasedSecurityCiphers = false
    UseWeakCBCSecurityCiphers = false
    Additional Ciphers to all the above:
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
    • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
    • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
  2. Enable the wanted configs on each node (clustered). 
  3. Restart cb-enterprise services to take affect

If the Ciphers you want enabled are not in the pre-built list, you will need to customize the template. Keep in mind, the endpoints need to have matching Cipher to complete the handshake. 
  1. Take a backup of the original template file
    cp /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template.bkp
  2. Open to edit /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template, modifying line 2: ssl_ciphers
    • A colon (:) is used to separate each cipher suite
    •  An exclamation mark (!) is used in front of the cipher suites that need to be explicitly exclude
    • Example (please see Nginx documentation for more info):
  3. Edit /etc/cb.conf and add the following value anywhere in the file, this will tell the product to use the first ssl_cipher in the template you customized
    UseIncreasedSecurityCiphers = false
  4. Restart cb-enterprise services: EDR: How to Restart Server Services

Additional Information