This section describes the process to change the TLS version and cipher suites used by Agents and the Bridge.
For more information on supported TLS versions and cipher suites, see Supported TLS Versions and Cipher Suites.
To change the TLS version and cipher suites used:
1. On the Tripwire Log Center Manager, open the following file in a text editor:
   <TLC_Manager_install_dir>\Agent Services\config\bridge.properties
2. To configure the TLS versions that the Bridge will use to accept connections from an Agent, edit the tw.cap.bridge.tlsVersion value. To configure the Bridge to accept connections using only a single TLS version, specify it like this:
   tw.cap.bridge.tlsVersion=TLSv1.2
   To configure the Bridge to accept connections using more than one version of TLS, specify all of the accepted versions as a comma-separated list. For example:
   tw.cap.bridge.tlsVersion=TLSv1.2,TLSv1.1,TLSv1
3. To configure the TLS cipher suites that the Bridge will use, edit the tw.cap.bridge.tlsCipherSuites value. For a list of values, see Table 23.
   To configure multiple cipher suites, specify them as a comma-separated list. For example:
   tw.cap.bridge.tlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
4. Save the bridge.properties file.
5. At a command prompt, enter the following commands to restart the Bridge service:
   net stop TripwireBridge
   net start TripwireBridge
6. On each Agent where you want to change the TLS version and/or cipher suites, do the following:
   a. Open one of the following files in a text editor:
      Linux:
      /etc/tripwire/twagent.conf
      Windows:
      %PROGRAMDATA%\Tripwire\agent\config\twagent.conf
   b. To configure the single TLS version that this Agent will use to connect with the Bridge, edit the tls.version value. For example:
      tls.version=TLSv1.2
      Note: If the Agent attempts to connect with a Bridge that does not support the specified TLS protocol, the TLS handshake will fail and the connection will be closed.
   c. To configure the TLS cipher suites that this Agent will use, edit the tls.cipher.suites value. For a list of values, see Table 23.
      To configure multiple cipher suites, specify them as a colon-separated list. For example:
      tls.cipher.suites=DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384
      Note: If the Agent attempts to connect with a Bridge that does not support any of the specified TLS ciphers, the TLS handshake will fail and the connection will be closed.
   d. At a command prompt, enter one of the following sets of commands to restart the Agent Service:
      Linux:
      /sbin/service twagent stop
      /sbin/service twagent start
      Windows:
      net stop TripwireViaAgent
      net start TripwireViaAgent
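The two Notes above describe the failure mode of this procedure: an Agent whose single tls.version is not in the Bridge's tw.cap.bridge.tlsVersion list, or whose colon-separated OpenSSL suites have no counterpart in the Bridge's comma-separated Java suites, cannot complete the handshake. The script below is an added example, not part of the Tripwire documentation or product: it parses a bridge.properties and a twagent.conf (assumed to be plain key=value files with optional '#' comments), maps Bridge suite names to Agent names using Table 23, and reports whether the two sides could agree on a version and a cipher suite before you restart anything. The property names and the TLSv1.2 / Table 23 defaults come from the page; the sample file contents are constructed.

```python
# Added example (not Tripwire code): check a Bridge/Agent TLS configuration pair
# for a shared TLS version and at least one shared cipher suite.
# Assumes both files are simple key=value text; samples below are constructed.

# Table 23: Bridge (Java) cipher suite name -> corresponding Agent (OpenSSL) name.
JAVA_TO_OPENSSL = {
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA": "DHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}

DEFAULT_TLS_VERSION = "TLSv1.2"  # default on both the Bridge and the Agent per the page


def parse_properties(text):
    """Parse simple key=value lines; blank lines and '#' comments are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def split_list(value, separator):
    """Split a delimited list, dropping empty items and surrounding whitespace."""
    return [item.strip() for item in value.split(separator) if item.strip()]


def check_compat(bridge_text, agent_text):
    """Return the suites both sides accept (in Agent/OpenSSL names) and any problems."""
    bridge = parse_properties(bridge_text)
    agent = parse_properties(agent_text)
    problems = []

    # The Bridge accepts a comma-separated list of versions; the Agent offers exactly one.
    bridge_versions = split_list(
        bridge.get("tw.cap.bridge.tlsVersion", DEFAULT_TLS_VERSION), ",")
    agent_version = agent.get("tls.version", DEFAULT_TLS_VERSION)
    if agent_version not in bridge_versions:
        problems.append(f"TLS version mismatch: Agent offers {agent_version}, "
                        f"Bridge accepts {', '.join(bridge_versions)}")

    # Bridge suites: comma-separated Java names. Agent suites: colon-separated
    # OpenSSL names. A missing key falls back to the Table 23 defaults.
    bridge_suites = split_list(
        bridge.get("tw.cap.bridge.tlsCipherSuites", ",".join(JAVA_TO_OPENSSL)), ",")
    agent_suites = split_list(
        agent.get("tls.cipher.suites", ":".join(JAVA_TO_OPENSSL.values())), ":")

    # Suites outside Table 23 cannot be mapped here; report them instead of guessing.
    unmapped = [s for s in bridge_suites if s not in JAVA_TO_OPENSSL]
    if unmapped:
        problems.append("Bridge suites not in Table 23 (not checked): " + ", ".join(unmapped))

    bridge_as_openssl = {JAVA_TO_OPENSSL[s] for s in bridge_suites if s in JAVA_TO_OPENSSL}
    common = [s for s in agent_suites if s in bridge_as_openssl]
    if not common:
        problems.append("no cipher suite in common: the TLS handshake would fail")

    return {"common_suites": common, "problems": problems}


# Constructed sample configurations (not taken from any real deployment).
SAMPLE_BRIDGE = """\
# bridge.properties (excerpt)
tw.cap.bridge.tlsVersion=TLSv1.2
tw.cap.bridge.tlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384
"""

SAMPLE_AGENT_OK = """\
tls.version=TLSv1.2
tls.cipher.suites=DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA
"""

SAMPLE_AGENT_OLD_VERSION = """\
tls.version=TLSv1.1
tls.cipher.suites=DHE-RSA-AES256-GCM-SHA384
"""

SAMPLE_AGENT_NO_COMMON_SUITE = """\
tls.version=TLSv1.2
tls.cipher.suites=DHE-RSA-AES256-SHA:RSA-AES256-SHA
"""

if __name__ == "__main__":
    for label, agent_conf in [("ok", SAMPLE_AGENT_OK),
                              ("old version", SAMPLE_AGENT_OLD_VERSION),
                              ("no common suite", SAMPLE_AGENT_NO_COMMON_SUITE)]:
        print(label, "->", check_compat(SAMPLE_BRIDGE, agent_conf))
```

Run it against copies of the real files (read them into strings in place of the samples) before restarting the Bridge or an Agent; an empty problems list means the Agent's version is accepted by the Bridge and at least one of its suites maps to a Bridge suite. Suites that the Bridge lists but Table 23 does not name are reported rather than checked, since the page states the mapping only for the default suites.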
Agents and the Bridge support TLSv1, TLSv1.1, and TLSv1.2.
Both Agents and the Bridge use TLSv1.2 by default. Table 23 lists the default cipher suites configured by the Bridge and by Agents. Note that the same cipher suites are supported in both places, but the names are different because the Bridge uses Java cipher suite names, while the Agents use OpenSSL names.
The Bridge and Agents can use any TLS cipher suite that is implemented by both Java and OpenSSL, and that is allowed by Federal Information Processing Standards (FIPS) 140-2.
Table 23:

Cipher Suite Name on the Bridge | Corresponding Name on an Agent
---|---
TLS_DHE_RSA_WITH_AES_256_CBC_SHA | DHE-RSA-AES256-SHA
TLS_RSA_WITH_AES_256_CBC_SHA | RSA-AES256-SHA
TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | DHE-RSA-AES256-GCM-SHA384