Configuring TLS Versions and Cipher Suites

This section describes the process to change the TLS version and cipher suites used by Axon Agents and the Axon Access Point.

For more information on supported TLS versions and cipher suites, see Supported TLS Versions and Cipher Suites.

To change the TLS version and cipher suites used:

1. On the Tripwire Log Center Manager, open the following file in a text editor:

<TLC_Manager_install_dir>\Tripwire Axon Access Point\config\bridge.properties

2. To configure the TLS versions that the Axon Access Point will use to accept connections from an Axon Agent, edit the tw.cap.bridge.tlsVersion value. To configure the Access Point to accept connections using only a single TLS version, specify it like this:

tw.cap.bridge.tlsVersion=TLSv1.2

To configure the Access Point to accept connections using more than one version of TLS, specify all of the accepted versions as a comma-separated list. For example: 

tw.cap.bridge.tlsVersion=TLSv1.2,TLSv1.1,TLSv1

3. To configure the TLS cipher suites that the Access Point will use, edit the tw.cap.bridge.tlsCipherSuites value. For a list of values, see Table 22.

To configure multiple cipher suites, specify them as a comma-separated list. For example:

tw.cap.bridge.tlsCipherSuites=TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

4. Save the bridge.properties file.
5. At a command prompt, enter the following commands to restart the Axon Access Point Service:

net stop TripwireAxonAccessPoint

net start TripwireAxonAccessPoint

6. On each Axon Agent where you want to change the TLS version and/or cipher suites, do the following:
a. Open one of the following files in a text editor:

Linux:
/etc/tripwire-tlc/twagent.conf

Windows:
%PROGRAMDATA%\Tripwire\agent-tlc\config\twagent.conf

b. To configure the single TLS version that this Axon Agent will use to connect with the Axon Access Point, edit the tls.version value. For example:

tls.version=TLSv1.2

Note 

If the Axon Agent attempts to connect with an Axon Access Point that does not support the specified TLS protocol, the TLS handshake will fail and the connection will be closed.

c. To configure the TLS cipher suites that this Axon Agent will use, edit the tls.cipher.suites value. For a list of values, see Table 22.

To configure multiple cipher suites, specify them as a colon-separated list. For example:

tls.cipher.suites=DHE-RSA-AES256-SHA:RSA-AES256-SHA:AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384

Note 

If the Axon Agent attempts to connect with an Axon Access Point that does not support any of the specified TLS ciphers, the TLS handshake will fail and the connection will be closed.

d. At a command prompt, enter one of the following sets of commands to restart the Axon Agent Service:

Linux:
/sbin/service tw-axon-agent-tlc stop
/sbin/service tw-axon-agent-tlc start

Windows:
net stop TripwireAxonAgentTLC
net start TripwireAxonAgentTLC

Supported TLS Versions and Cipher Suites

Axon Agents and the Axon Access Point support TLSv1, TLSv1.1, and TLSv1.2.

Both Axon Agents and the Axon Access Point use TLSv1.2 by default. Table 22 lists the default cipher suites configured by the Access Point and by Agents. Note that the same cipher suites are supported in both places, but the names are different because the Access Point uses Java cipher suite names, while the Axon Agents use OpenSSL names.

The Axon Access Point and Axon Agents can use any TLS cipher suite that is implemented by both Java and OpenSSL, and that is allowed by Federal Information Processing Standards (FIPS) 140-2.

Table 22. List of default cipher suites

Cipher Suite Name on the Axon Access Point

Corresponding Name on an Axon Agent

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

DHE-RSA-AES256-SHA

TLS_RSA_WITH_AES_256_CBC_SHA

RSA-AES256-SHA

TLS_RSA_WITH_AES_256_GCM_SHA384

AES256-GCM-SHA384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

DHE-RSA-AES256-GCM-SHA384