Configuring TLS Versions and Cipher Suites

This section describes the process to change the TLS version and cipher suites used by Axon Agents and the Bridge.

For more information on supported TLS versions and cipher suites, see Supported TLS Versions and Cipher Suites.

To change the TLS version and cipher suites used:

1. On the Tripwire Log Center Manager, open the following file in a text editor:

<TLC_Manager_install_dir>\Agent Services\config\bridge.properties

2. To configure the TLS versions that the Bridge will use to accept connections from an Axon Agent, edit the tw.cap.bridge.tlsVersion value. To configure the Bridge to accept connections using only a single TLS version, specify it like this:

tw.cap.bridge.tlsVersion=TLSv1.2

To configure the Bridge to accept connections using more than one version of TLS, specify all of the accepted versions as a comma-separated list. For example: 

tw.cap.bridge.tlsVersion=TLSv1.2,TLSv1.1,TLSv1

3. To configure the TLS cipher suites that the Bridge will use, edit the tw.cap.bridge.tlsCipherSuites value. For a list of values, see Table 24.

To configure multiple cipher suites, specify them as a comma-separated list. For example:

tw.cap.bridge.tlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

4. Save the bridge.properties file.
5. At a command prompt, enter the following commands to restart the Tripwire Bridge Service:

net stop TripwireBridge

net start TripwireBridge

6. On each Axon Agent where you want to change the TLS version and/or cipher suites, do the following:
a. Open one of the following files in a text editor:

Linux:
/etc/tripwire-tlc/twagent.conf

Windows:
%PROGRAMDATA%\Tripwire\agent-tlc\config\twagent.conf

b. To configure the single TLS version that this Axon Agent will use to connect with the Bridge, edit the tls.version value. For example:

tls.version=TLSv1.2

Note 

If the Axon Agent attempts to connect with a Bridge that does not support the specified TLS protocol, the TLS handshake will fail and the connection will be closed.

c. To configure the TLS cipher suites that this Axon Agent will use, edit the tls.cipher.suites value. For a list of values, see Table 24.

To configure multiple cipher suites, specify them as a colon-separated list. For example:

tls.cipher.suites=DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384

Note 

If the Axon Agent attempts to connect with a Bridge that does not support any of the specified TLS ciphers, the TLS handshake will fail and the connection will be closed.

d. At a command prompt, enter one of the following sets of commands to restart the Axon Agent Service:

Linux:
/sbin/service tw-axon-agent-tlc stop
/sbin/service tw-axon-agent-tlc start

Windows:
net stop TripwireAxonAgentTLC
net start TripwireAxonAgentTLC

Supported TLS Versions and Cipher Suites

Axon Agents and the Bridge support TLSv1, TLSv1.1, and TLSv1.2.

Both Axon Agents and the Bridge use TLSv1.2 by default. Table 24 lists the default cipher suites configured by the Bridge and by Agents. Note that the same cipher suites are supported in both places, but the names are different because the Bridge uses Java cipher suite names, while the Axon Agents use OpenSSL names.

The Bridge and Axon Agents can use any TLS cipher suite that is implemented by both Java and OpenSSL, and that is allowed by Federal Information Processing Standards (FIPS) 140-2.

Table 24. List of default cipher suites

Cipher Suite Name on the Bridge

Corresponding Name on an Axon Agent

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

DHE-RSA-AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

RSA-AES256-SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

AES256-GCM-SHA384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

DHE-RSA-AES256-GCM-SHA384