EDR: Windows Sensor won't connect due to TLS error
Article ID: 285954
Updated On:
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
- EDR Windows Sensors fail to connect to the server
- Error in endpoint Sensor.log:
-
(e): WinHTTP indicated a TLS/SSL error, WinXP and Server2008 sensors require the Cb Response server enable TLS1.0 for secure communication.
-
Environment
- EDR Server: 6.2.4 and higher
- EDR Windows Sensor: 6.x and Higher
- Microsoft Windows XP, Vista, Server 2008, Windows 2012
Cause
EDR Windows Sensor does not support TLS 1.0 communication by default because it's susceptible to man in the middle attacks with vulnerabilities such as BEAST, POODLE, DROWN, etc.
Resolution
There are two options:
- Upgrade the endpoint's OS to support a more recent cryptographic protocol (TLS 1.2)
- Configure Nginx on EDR server to allow the older protocols
- Run the following command to enable the feature
sed -i -e 's/TLSv1.2;/TLSv1.2\ TLSv1;/' /etc/cb/nginx/conf.d/includes/cb.server.base_body
- Restart the Nginx service
CentOS6: sudo service cb-nginx restart CentOS7: sudo systemctl restart cb-nginx
- Run the following command to enable the feature
Additional Information
Research the vulnerabilities before configuring Nginx to allow the older protocols
Feedback
Yes
No
Powered by
