How to Update EDR SSL Ciphers Used for Communication

Article ID: 285789

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Update the SSL ciphers used for communication on the server.

Environment

  • EDR Server: All Versions

Resolution

Important: Cipher settings need to be applied on all nodes in a clustered instance.

  1. Determine which cipher suite configuration adheres to the company's security policy. The default configuration receives an A+ score on SSL Labs.
    Strength: Strongest (Default)
    Configuration in /etc/cb/cb.conf:
      UseIncreasedSecurityCiphers = true
      UseWeakCBCSecurityCiphers = false
    Ciphers Allowed:
      • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
      • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
      • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
      • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
      • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)

    Strength: Weaker
    Configuration in /etc/cb/cb.conf:
      UseIncreasedSecurityCiphers = true
      UseWeakCBCSecurityCiphers = true
    Ciphers Allowed: additional CBC ciphers added to the above:
      • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
      • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
      • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
      • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)

    Strength: Weakest
    Configuration in /etc/cb/cb.conf:
      UseIncreasedSecurityCiphers = false
      UseWeakCBCSecurityCiphers = false
    Ciphers Allowed: additional ciphers added to all the above:
      • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
      • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
      • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
  2. Enable the desired settings on each node (if clustered).
  3. Restart cb-enterprise services for the change to take effect.


If the ciphers required by the company policy are not in the pre-built list, customize the template. Keep in mind that the endpoints need to have a matching cipher to complete the handshake.

  1. Take a backup of the original template file:
    cp /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template.bkp
  2. Open /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template for editing and modify line 2: ssl_ciphers
    • A colon (:) is used to separate each cipher suite
    • An exclamation mark (!) is used in front of the cipher suites that need to be explicitly excluded
    • Example (please see Nginx documentation for more info):
      ssl_ciphers TLSv1.2+FIPS@STRENGTH:EECDH+AESGCM:EDH+AESGCM;
  3. Edit /etc/cb/cb.conf and add the following value anywhere in the file. This tells the product to use the first ssl_cipher in the customized template.
    UseIncreasedSecurityCiphers = false
  4. Restart cb-enterprise services (see EDR: How to Restart Server Services).
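
The requirement that cipher settings match on every node can be checked by mapping each node's cb.conf to a row of the table in step 1 of the first procedure. The script below is an added example, not part of the original article or the vendor's tooling. Its parsing rules (Key = value lines, # comments, last occurrence wins, an absent key means the default row) and the sample files are assumptions.

```sh
#!/bin/sh
# Added example (not vendor code): map each node's cb.conf to a row of the table.
# Assumptions: "Key = value" lines, "#" starts a comment, the last occurrence of a
# key wins, and an absent key keeps the value from the "Strongest (Default)" row.

# cb_setting FILE KEY DEFAULT -> effective value as written in the file
cb_setting() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    printf '%s\n' "${val:-$3}"
}

# cb_cipher_tier FILE -> name of the matching table row
cb_cipher_tier() {
    [ -r "$1" ] || { echo "unreadable"; return 1; }
    inc=$(cb_setting "$1" UseIncreasedSecurityCiphers true)
    cbc=$(cb_setting "$1" UseWeakCBCSecurityCiphers false)
    case "$inc/$cbc" in
        true/false)  echo "strongest" ;;
        true/true)   echo "weaker" ;;
        # The custom-template procedure sets the same values as the Weakest row.
        false/false) echo "weakest-or-custom-template" ;;
        *)           echo "unlisted:$inc/$cbc" ;;   # combination not in the table
    esac
}

# cb_tiers_match FILE... -> lists each file's row; exit 0 only if all rows are identical
cb_tiers_match() {
    rc=0
    first=$(cb_cipher_tier "$1") || rc=1
    for f in "$@"; do
        t=$(cb_cipher_tier "$f") || rc=1
        printf '%s: %s\n' "$f" "$t"
        [ "$t" = "$first" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: cb.conf copies collected from two cluster nodes.
demo=$(mktemp -d)
printf '%s\n' '# node1' 'UseIncreasedSecurityCiphers = true' \
    'UseWeakCBCSecurityCiphers = false' > "$demo/node1.conf"
printf '%s\n' '# node2, still on the CBC row' 'UseIncreasedSecurityCiphers=true' \
    'UseWeakCBCSecurityCiphers = true  # temporary' > "$demo/node2.conf"
cb_tiers_match "$demo/node1.conf" "$demo/node2.conf" || echo "MISMATCH: nodes differ"
rm -rf "$demo"
```

A row of weakest-or-custom-template means the ssl_ciphers line in cipher_lists.conf.template on that node should also be compared across nodes, since cb.conf alone does not show whether the template was customized.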

Additional Information