Using the DHE/ECDHE key exchange method
By default, BigFix 10.0 Patch 1 components use the DHE/ECDHE key exchange method if the version of the BigFix component on the other side of the SSL communication allows it.
To use DHE/ECDHE in all SSL communications, all BigFix components must be at any of the following versions:
- Version 10.0 Patch 1 or higher
- Version 9.5 Patch 16 or higher
Other considerations
- BigFix HTTPS servers use RSA for both authentication and key exchange.
- BigFix 10.0 Patch 1 enables ephemeral Diffie-Hellman (DHE) and ephemeral elliptic curve Diffie-Hellman (ECDHE) for key exchange (RSA for authentication).
- Ephemeral means that new, random asymmetric keys are chosen for each TLS connection and are never written to persistent storage.
- When the TLS connection terminates, keys are securely erased.
- This means if an RSA private key is ever divulged, that key cannot be used to decrypt any recorded TLS sessions.
- Any secrets exchanged in those TLS sessions, such as BigFix Console passwords, REST API passwords, Web Reports passwords, and session tokens, will not be divulged in the event of an RSA private key disclosure.
- To determine the protocols in place, you can use the Nmap utility. A sample invocation is:
  nmap -p 8083 --script ssl-cert,ssl-enum-ciphers <address>
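The list above explains why only the ephemeral (DHE/ECDHE) suites protect recorded sessions against a later RSA private key disclosure, and the Nmap command shows how to enumerate what a component offers. The following script is an added example, not BigFix code or part of this documentation: it classifies cipher suite names by their key-exchange method, audits a constructed sample of ssl-enum-ciphers output (the sample lines and the hostname-based live check are assumptions, not real deployment data), and optionally connects to port 8083 to report the suite a server actually negotiates.

```python
"""Classify TLS cipher suites by key-exchange method and flag non-ephemeral ones.

Added example (not BigFix code). Suite names are parsed from a constructed
sample of nmap's ssl-enum-ciphers output; the optional live check needs a
reachable host and only inspects the negotiated suite.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape nmap's ssl-enum-ciphers script prints.
# nmap labels TLS 1.3 suites with the AKE (authenticated key exchange) placeholder.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE SERVICE
8083/tcp open  unknown
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
"""

# Key-exchange tokens that generate fresh per-connection keys (forward secrecy).
_EPHEMERAL_KX = {"ECDHE", "DHE", "AKE"}


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str
    forward_secret: bool


def classify_suite(name: str) -> SuiteInfo:
    """Derive the key-exchange method from an IANA- or OpenSSL-style suite name."""
    upper = name.strip().upper()
    tokens = re.split(r"[-_]", upper)
    if tokens and tokens[0] == "TLS":
        tokens = tokens[1:]
    # TLS 1.3 IANA names (TLS_AES_256_GCM_SHA384) carry no key-exchange token:
    # the protocol only permits (EC)DHE, so they are always forward secret.
    if upper.startswith("TLS_") and "WITH" not in tokens and tokens[0] in {"AES", "CHACHA20"}:
        return SuiteInfo(name, "ECDHE/DHE (TLS 1.3)", True)
    # OpenSSL-style names omit the token entirely for plain RSA key transport
    # (e.g. AES256-GCM-SHA384), so RSA is the default when nothing else matches.
    kx = "RSA"
    for candidate in ("ECDHE", "DHE", "AKE", "ECDH", "DH", "PSK", "SRP", "RSA"):
        if candidate in tokens[:2]:
            kx = candidate
            break
    return SuiteInfo(name, kx, kx in _EPHEMERAL_KX)


def parse_nmap_ciphers(text: str) -> List[str]:
    """Pull IANA suite names out of ssl-enum-ciphers output."""
    return re.findall(r"\b(TLS_[A-Z0-9_]+)\b", text)


def audit_suites(names: List[str]) -> Dict[str, object]:
    """Split offered suites into ephemeral and static key-exchange groups."""
    infos = [classify_suite(n) for n in names]
    static = [i.name for i in infos if not i.forward_secret]
    return {
        "forward_secret": [i.name for i in infos if i.forward_secret],
        "static_key_exchange": static,
        "all_ephemeral": not static,
    }


def negotiated_suite(host: str, port: int = 8083, timeout: float = 5.0) -> SuiteInfo:
    """Connect once and report the suite the server actually negotiated."""
    ctx = ssl.create_default_context()
    # Inspection only: this reports the negotiated suite and makes no trust decision,
    # so certificate validation is disabled here. Do not reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return classify_suite(cipher_name)


if __name__ == "__main__":
    import sys

    print(audit_suites(parse_nmap_ciphers(SAMPLE_NMAP_OUTPUT)))
    if len(sys.argv) > 1:  # optional: python3 suite_audit.py <address>
        print(negotiated_suite(sys.argv[1]))
```

Run it without arguments to audit the embedded sample, or pass an address to see which suite a live component negotiates; a non-empty `static_key_exchange` list means at least one offered suite would let a disclosed RSA private key decrypt recorded sessions, which is the case the version requirements above are meant to eliminate.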