How to Update EDR SSL Ciphers Used for Communication
search cancel

How to Update EDR SSL Ciphers Used for Communication


Article ID: 285789


Updated On:


Carbon Black EDR (formerly Cb Response)


Update the ssl ciphers used for communication on the server


  • EDR Server: All Versions


Important: Cipher Settings need to be on all nodes in a clustered instance. 

  1. Determine which Cipher suite adheres to the company's security policy. The default configuration receives an A+ score on ssllabs. 
    Strength Configuration in /etc/cb/cb.conf Ciphers Allowed
    Strongest (Default) UseIncreasedSecurityCiphers = true
    UseWeakCBCSecurityCiphers = false
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
    • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
    Weaker UseIncreasedSecurityCiphers = true
    UseWeakCBCSecurityCiphers = true
    Additional CBC Ciphers added to the above:
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 2048)
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048)
    • TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048)
    Weakest UseIncreasedSecurityCiphers = false
    UseWeakCBCSecurityCiphers = false
    Additional Ciphers to all the above:
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1)
    • TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048)
    • TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048)
  2. Enable the wanted configs on each node (clustered). 
  3. Restart cb-enterprise services to take affect

If the Ciphers required by the company policy are not in the pre-built list, then customize the template. Keep in mind, the endpoints need to have matching Cipher to complete the handshake. 

  1. Take a backup of the original template file
    cp /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template.bkp
  2. Open to edit /etc/cb/nginx/conf.d/templates/cipher_lists.conf.template, modifying line 2: ssl_ciphers
    • A colon (:) is used to separate each cipher suite
    •  An exclamation mark (!) is used in front of the cipher suites that need to be explicitly exclude
    • Example (please see Nginx documentation for more info):
  3. Edit /etc/cb/cb.conf and add the following value anywhere in the file, this will tell the product to use the first ssl_cipher in the customized template.
    UseIncreasedSecurityCiphers = false
  4. Restart cb-enterprise services: EDR: How to Restart Server Services

Additional Information