Introduction
Some older Windows OS versions, or systems where specific cipher (cypher) settings are enforced, may not have the appropriate cipher suites enabled to support running the CyberQP Agent. This KB details the tests to run and the configuration changes that must be made in order to support the installation and operation of the CyberQP Agent.
Supported Ciphers (Cyphers) for Agent Installation and Communication
The following cipher suites (cyphers) are supported for the installation of the Agent and for its communication with the backend. At least one of them must be available during installation to confirm the Agent ID and Installation Token, and the same suites are required for the Agent to communicate once installed.
Cipher Suites (as reported by a TLS scan of the backend; the last column is the cipher strength in bits)

TLS 1.3 (server has no preference)

  Suite                                        ID        Key exchange                      FS   Bits
  TLS_AES_128_GCM_SHA256                       (0x1301)  ECDH x25519 (eq. 3072 bits RSA)   FS   128
  TLS_AES_256_GCM_SHA384                       (0x1302)  ECDH x25519 (eq. 3072 bits RSA)   FS   256
  TLS_CHACHA20_POLY1305_SHA256                 (0x1303)  ECDH x25519 (eq. 3072 bits RSA)   FS   256

TLS 1.2 (suites in server-preferred order)

  Suite                                        ID        Key exchange                      FS   Bits
  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256        (0xc02f)  ECDH x25519 (eq. 3072 bits RSA)   FS   128
  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256  (0xcca8)  ECDH x25519 (eq. 3072 bits RSA)   FS   256 (P)
  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384        (0xc030)  ECDH x25519 (eq. 3072 bits RSA)   FS   256
  TLS_RSA_WITH_AES_128_GCM_SHA256              (0x9c)    WEAK (no forward secrecy)         -    128
  TLS_RSA_WITH_AES_256_GCM_SHA384              (0x9d)    WEAK (no forward secrecy)         -    256

(P) This server prefers ChaCha20 suites with clients that don't have AES-NI (e.g., Android devices)
While the two suites marked "WEAK" are supported, they are not required and exist only for compatibility. Not every cipher suite will be available on every OS version. Any one (or all) of the suites above is enough for the Agent to function.
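The check below is an added example and not part of the CyberQP KB: it compares the cipher suites currently enabled on the Windows host against the list above, so you can see before installing whether at least one forward-secret suite the backend accepts is available locally. It assumes Windows 10 / Server 2016 or later, where the built-in Get-TlsCipherSuite cmdlet exists (the TLS 1.3 suites only appear on Windows 11 / Server 2022 and later); the function name Test-AgentCipherSuites and the verdict wording are this example's own.

```powershell
# Added example (not part of the CyberQP KB): audit which of the cipher
# suites listed in the table are enabled on this Windows host.
# Assumes Windows 10 / Server 2016 or later (Get-TlsCipherSuite is built in).

# Suites from the KB table. The two RSA-only suites are the ones marked WEAK.
$ForwardSecretSuites = @(
    'TLS_AES_128_GCM_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)
$CompatOnlySuites = @(
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384'
)

function Test-AgentCipherSuites {
    # Returns one row per KB suite with its state on this host, plus a verdict
    # based on whether at least one forward-secret (FS) suite is enabled.
    $enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

    $rows = foreach ($suite in ($ForwardSecretSuites + $CompatOnlySuites)) {
        [pscustomobject]@{
            Suite   = $suite
            Class   = $(if ($CompatOnlySuites -contains $suite) { 'compat-only (WEAK)' } else { 'forward-secret' })
            Enabled = ($enabled -contains $suite)
        }
    }

    $fsCount  = @($rows | Where-Object { $_.Class -eq 'forward-secret' -and $_.Enabled }).Count
    $anyCount = @($rows | Where-Object { $_.Enabled }).Count

    [pscustomobject]@{
        Suites              = $rows
        ForwardSecretCount  = $fsCount
        AnySupportedEnabled = ($anyCount -gt 0)
        Verdict             = $(
            if ($fsCount -gt 0)      { 'OK: a forward-secret suite the backend accepts is enabled' }
            elseif ($anyCount -gt 0) { 'WARNING: only the compatibility (WEAK) RSA suites are enabled' }
            else                     { 'FAIL: none of the supported suites is enabled; the Agent cannot negotiate TLS' }
        )
    }
}

# Usage: run in an elevated PowerShell session on the system being prepared.
$result = Test-AgentCipherSuites
$result.Suites | Format-Table -AutoSize
$result.Verdict
```

A host that reports only the two compat-only suites will still install and communicate, but it is relying on RSA key transport without forward secrecy; after applying the "Best Practices" settings described further down, re-run the check and expect at least the ECDHE suites to show Enabled = True.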
Testing
- Run this script in elevated PowerShell to see what TLS version is negotiated by that machine:
(Invoke-WebRequest -Uri "https://www.howsmyssl.com/a/check" -UseBasicParsing).Content | ConvertFrom-Json | Select-Object tls_version
This returns the TLS version this machine's client negotiated with the test service, which is the highest version the system currently supports.
- If you find that TLS 1.2 or higher is NOT currently supported on the OS, please see this KB detailing how to enable TLS 1.2 on the system, or follow the TLS Enable instructions below.
https://support.getquickpass.com/hc/en-us/articles/30968896455831-Enforcing-TLS-1-2-for-Server-Agent
- Next, run this in PowerShell as Admin:
Invoke-WebRequest -Uri https://api.getquickpass.com
If TLS and the cipher suites are configured correctly, the server responds with a message like: Cannot GET
If the supported cipher suites are not enabled, an error is returned instead: The request was aborted: Could not create SSL/TLS secure channel
If you get the ERROR message, please review the following:
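When the connection test fails with "Could not create SSL/TLS secure channel", the usual causes are the SChannel protocol settings for TLS 1.2 and the .NET Framework settings that Windows PowerShell's Invoke-WebRequest relies on. The script below is an added example (not CyberQP's code): it reads those registry values, reports how each protocol is configured, and repeats the KB's connection test while distinguishing a TLS failure from the expected HTTP error body. The registry paths and value names (Enabled, DisabledByDefault, SchUseStrongCrypto, SystemDefaultTlsVersions) are the documented Microsoft ones; the function names and the interpretation strings are this example's own, and the endpoint URL is the one given in the KB.

```powershell
# Added example (not part of the CyberQP KB): inspect the SChannel protocol
# settings and the .NET Framework TLS defaults, then repeat the KB's
# connection test with the outcome classified.

function Get-SchannelProtocolState {
    param(
        [string]$Protocol = 'TLS 1.2',
        [ValidateSet('Client', 'Server')][string]$Role = 'Client'
    )
    $path = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Role"
    if (-not (Test-Path $path)) {
        return [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $null; DisabledByDefault = $null
                                  State = 'not configured (Windows default for this OS version applies)' }
    }
    $k = Get-ItemProperty -Path $path
    $enabled  = $k.Enabled            # 0 = hard-disabled; absent or non-zero = allowed
    $disabled = $k.DisabledByDefault  # 1 = not offered unless the application opts in
    $state = if ($enabled -eq 0) { 'DISABLED by registry policy' }
             elseif ($disabled -eq 1) { 'present but DisabledByDefault=1 (apps must opt in)' }
             else { 'enabled' }
    [pscustomobject]@{ Protocol = $Protocol; Role = $Role; Enabled = $enabled; DisabledByDefault = $disabled; State = $state }
}

function Get-DotNetTlsDefaults {
    # .NET Framework 4.x follows the OS protocol list only when these two
    # values are 1; otherwise older .NET clients may never offer TLS 1.2.
    foreach ($path in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                      'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $k = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                     = $path
            SchUseStrongCrypto       = $k.SchUseStrongCrypto
            SystemDefaultTlsVersions = $k.SystemDefaultTlsVersions
        }
    }
}

function Test-AgentEndpoint {
    param([string]$Uri = 'https://api.getquickpass.com')   # endpoint from the KB
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop
        return "OK: TLS handshake succeeded, server answered HTTP $($r.StatusCode)"
    }
    catch {
        # The KB's 'Cannot GET' result is an HTTP error body. Invoke-WebRequest
        # raises it as an exception that still carries a Response object, which
        # proves the TLS handshake itself worked. No Response means the failure
        # happened at the TLS/connection layer.
        if ($_.Exception.Response) {
            return "OK: TLS handshake succeeded, server answered HTTP $([int]$_.Exception.Response.StatusCode)"
        }
        return "FAIL: $($_.Exception.Message)"
    }
}

# Usage: run in an elevated PowerShell session on the affected system.
'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3' |
    ForEach-Object { Get-SchannelProtocolState -Protocol $_ -Role 'Client' } |
    Format-Table -AutoSize
Get-DotNetTlsDefaults | Format-Table -AutoSize
Test-AgentEndpoint
```

If TLS 1.2 shows "DISABLED by registry policy" or the .NET values are 0 or missing on an older OS, that explains the secure-channel error and points at what the IIS Crypto "Best Practices" step below will change; take note of every non-default value here, since the implementation steps ask you to restore any settings you had deliberately configured.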
Implementation
After extensive testing, CyberQP recommends a simple GUI Tool (3rd Party) that can assist with the configuration and implementation of these Ciphers (Cyphers).
https://www.nartac.com/Products/IISCrypto
Download the GUI version, and run it as Admin on the System.
Backup existing settings
Back up the EXISTING configuration first (just in case):
- Click on Advanced (Gear icon)
- Click on Backup Registry
- Save the file with a name and location you will easily be able to get to.
Configuration
Enable the "Best Practices" for TLS and Cipher Suites.
- Click back on SChannel (you only need to change this tab if TLS 1.2 or higher is not enabled)
- Take a screenshot of this screen. How to read it:
  - A white box with a check mark means the item was enabled manually.
  - A white box with no check means the item was disabled manually.
  - A greyed-out box means the item is set to the Windows "default".
- Click on Cipher Suites
- Take a screenshot of this screen as well if any boxes are not greyed out (the same legend applies).
- At the bottom of the screen is a "Best Practices" button.
- Click the button.
- Apply. (DO NOT SELECT REBOOT unless it's safe to do so on the system)
- This will alter the existing configuration to the "best practice" configuration for both schannel and cipher suites, including the supported Cipher (Cypher) that the Agent requires.
- Re-apply the check mark (white box with check mark) to any items you had configured manually before the change; the screenshots you took show which ones to select in addition to the "Best Practices" selections:
  - Schannel
  - Cipher Suites
Schedule a reboot of the system with your customer and confirm whether this has resolved the issue.