Troubleshooting TLS Protocols or Cipher Suites

Article ID: 384319

Products

Carbon Black App Control

Issue/Introduction

Steps to troubleshoot the Protocol and/or Cipher Suite available for Agent & Server communication.

Environment

  • App Control Agent: All Supported Versions
  • App Control Server: All Supported Versions

Resolution

Reminders: 

  • Making modifications to Protocols and Cipher Suites is done at the OS Layer and is outside the scope of Carbon Black Support.
  • The Agent and Server will rely on the Protocols and Cipher Suites as configured in the operating system.
  • Improper modification of these settings could cause connectivity issues.
  • Changes will always require a reboot.
  • Settings on endpoints should be compared against the application server hosting the Console.
    • Matching Protocols and Cipher Suites are required for a successful handshake and communication.

 

IIS Crypto:

IIS Crypto is a portable application that will allow for easy review and modification of the Registry Keys associated with various Protocols and Cipher Suites. Checkboxes in grey indicate no setting has been specified and the Operating System default will be used.

  1. Download and execute IIS Crypto.
  2. Use the Schannel tab to review or modify options system wide.
  3. Use the Cipher Suites tab to review, enable/disable, or reorder the Cipher Suites negotiated for TLS handshakes.

 

Regedit:

Important Notes:

  1. Start > Run > regedit
  2. Review Protocols by navigating to
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\
    • Each Protocol version will have a Subkey for Client, Server, or both, example:
      HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client
      HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
    • Review the relevant Subkey(s) for DWORD values indicating whether the Protocol is Enabled or DisabledByDefault, example showing the TLS 1.0 Server Protocol as Disabled:
  3. Review Ciphers by navigating to
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\
    • Each Cipher will contain a Registry DWORD value indicating whether the specific Cipher is Enabled or not, example showing the AES 256/256 Cipher as Enabled:
    • More information is available via the official Microsoft documentation.
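
The registry review above, as an added PowerShell example (not part of the original article or of Carbon Black tooling): it reads the same SCHANNEL Protocols and Ciphers keys without modifying them and emits one row per setting, so an endpoint can be compared against the server hosting the Console. The function names and CSV file names are assumptions made for illustration.

```powershell
# Added example: read-only audit of the SCHANNEL keys reviewed in the steps above.
$SchannelPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function ConvertTo-SchannelState($Value) {
    # A missing DWORD means the OS default applies (grey checkbox in IIS Crypto).
    if ($null -eq $Value) { return 'NotSet' }
    # Any non-zero DWORD counts as set; 0xFFFFFFFF is read back as Int32 -1.
    if ($Value -eq 0) { return 'False' }
    return 'True'
}

function Get-SchannelSetting {
    # The .NET registry API is used because cipher names such as "AES 256/256"
    # contain "/", which the PowerShell registry provider can treat as a path separator.
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($kind in 'Protocols', 'Ciphers') {
        $root = $hklm.OpenSubKey("$SchannelPath\$kind")   # opened read-only
        if ($null -eq $root) { continue }                 # key absent: OS defaults apply
        foreach ($name in $root.GetSubKeyNames()) {
            $item = $root.OpenSubKey($name)
            # Protocols nest one level deeper (Client / Server); Ciphers do not.
            $roles = if ($kind -eq 'Protocols') { $item.GetSubKeyNames() } else { '' }
            foreach ($role in $roles) {
                $key = if ($role) { $item.OpenSubKey($role) } else { $item }
                [pscustomobject]@{
                    Computer          = $env:COMPUTERNAME
                    Kind              = $kind
                    Name              = $name
                    Role              = $role
                    Enabled           = ConvertTo-SchannelState ($key.GetValue('Enabled'))
                    DisabledByDefault = ConvertTo-SchannelState ($key.GetValue('DisabledByDefault'))
                }
            }
        }
    }
}

function Compare-SchannelExport([string]$ServerCsv, [string]$EndpointCsv) {
    # Lists only the rows that differ; "<=" is the server side, "=>" the endpoint.
    Compare-Object (Import-Csv $ServerCsv) (Import-Csv $EndpointCsv) `
        -Property Kind, Name, Role, Enabled, DisabledByDefault
}

# Run on the server and on an endpoint, then compare the two files:
#   Get-SchannelSetting | Export-Csv "$env:COMPUTERNAME-schannel.csv" -NoTypeInformation
#   Compare-SchannelExport .\SERVER-schannel.csv .\ENDPOINT-schannel.csv   # placeholder names
```

A row reading NotSet on both machines still means each side falls back to its own operating system default, which can differ between Windows versions.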

 

Wireshark:

  1. Download and install Wireshark (Npcap is required to record live traffic).
  2. Launch Wireshark and navigate to: Edit > Preferences > Protocols > HTTP
    1. Add port 41002 to the SSL/TLS Ports
    2. Click OK
  3. Double-click on the appropriate network connection to start recording.
  4. Use an administrative command prompt to issue the following commands:
    cd "C:\Program Files (x86)\Bit9\Parity Agent"
    dascli server
  5. In the output, note the Server Address returned, example:
    Current server: appc.local:41002
  6. Based on the results returned, adjust the following Wireshark filter accordingly, example:
    tls.handshake.extensions_server_name contains "appc.local"
  7. Restart the Agent service to force a new handshake with the Server.
  8. Monitor Wireshark and wait for results, which begin showing shortly after the Agent service has restarted.
  9. After the Client Hello result shows, select it.
  10. Expand: Transport Layer Security > TLS version Record Layer ... > Handshake Protocol: Client Hello > Cipher Suites
    • This lists the available Cipher Suites sent by the endpoint to the App Control Server.

Additional Information