By default, Management Console v2.8 and newer uses the TLS protocol with the following cipher suites to secure the connection between MC and Agents (peerServer) and the Web interface (https). Both are defined in the configuration file, in the corresponding sections:
AES128-GCM-SHA256 and AES256-GCM-SHA384
Recommended ciphers are:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
The Agent and MC negotiate the most secure cipher suite that both support. Usually this is ECDHE-ECDSA-AES256-GCM-SHA384; however, OS-specific configuration may force them to fall back to another algorithm.
To learn which cipher will actually be used, run the following command from the device where the Agent runs:
openssl s_client -connect IP:8444
and check the details of the SSL session. The same command checks the WebUI connection:
openssl s_client -connect IP:8443
where 8443 is the port on which the WebUI is served.
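The check above can be automated. The following script is an added example, not part of this article or the Resilio Connect product: it parses the SSL-Session block that openssl s_client prints (the sample output is constructed, not captured from a real deployment), reports whether the negotiated suite uses an ephemeral (EC)DHE key exchange and therefore gives forward secrecy, and, for live use, repeats the check against a host and port with Python's ssl module. The host, port and function names are the example's own.

```python
import re
import socket
import ssl

# Key-exchange prefixes that provide perfect forward secrecy (ephemeral keys).
PFS_PREFIXES = ("ECDHE-", "DHE-")

# Constructed sample of the tail of `openssl s_client -connect IP:8444` output.
# It is not real output from any Management Console or Agent.
SAMPLE_S_CLIENT_OUTPUT = """\
---
SSL handshake has read 1234 bytes and written 456 bytes
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 0000000000000000000000000000000000000000000000000000000000000000
"""

# Matches the "Protocol  : ..." and "Cipher    : ..." lines of the SSL-Session block.
_FIELD_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)\s*$", re.MULTILINE)


def parse_ssl_session(output: str) -> dict:
    """Extract Protocol and Cipher from openssl s_client's SSL-Session block."""
    fields = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(output)}
    if "Cipher" not in fields:
        raise ValueError("no Cipher line found; did the handshake complete?")
    return fields


def has_forward_secrecy(cipher: str) -> bool:
    """True when the suite uses an ephemeral (EC)DHE key exchange.

    TLS 1.3 suites (OpenSSL names them TLS_...) always use ephemeral keys.
    Plain RSA key-transport suites such as AES256-GCM-SHA384 do not.
    """
    return cipher.startswith(PFS_PREFIXES) or cipher.startswith("TLS_")


def negotiated_cipher(host: str, port: int, timeout: float = 5.0) -> tuple:
    """Live equivalent of the openssl s_client check: returns (protocol, cipher).

    Certificate verification is disabled only because this reports the cipher
    and does not rely on the peer's identity; do not reuse this context for
    anything that needs an authenticated connection.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, _bits = tls.cipher()
            return version, name


if __name__ == "__main__":
    session = parse_ssl_session(SAMPLE_S_CLIENT_OUTPUT)
    print(session["Protocol"], session["Cipher"],
          "PFS" if has_forward_secrecy(session["Cipher"]) else "NO PFS")
    # For a live check, assuming an MC reachable at mc.example.internal:
    # print(negotiated_cipher("mc.example.internal", 8444))
```

Run it on saved s_client output, or call negotiated_cipher() against port 8444 (Agents) and 8443 (WebUI) to confirm both listeners negotiate an ECDHE suite after the change described in this article.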
If perfect forward secrecy is a strict requirement, edit the MC configuration file and force ECDHE encryption. Follow these steps:
1. Before proceeding, check that the operating systems where the Agents are installed support ECDHE ciphers.
2. Stop Resilio Connect Management Console and open the configuration file.
Windows: C:\ProgramData\Resilio\Connect Server\resilio-connect-server.conf
Linux: ${resilio_connect_server_dir}/var/resilio-connect-server.conf
3. Remove the lines starting with AES*; in other words, keep only ECDHE ciphers in both sections, peerServer and https. Make sure the result is still valid JSON (for example, no trailing comma after the last cipher).
    "tls": {
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [
            "ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES128-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256"
        ]
    }
4. Start Management Console.
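Step 3 can be done with a script rather than by hand, which avoids the JSON mistakes the step warns about. The following is an added example, not a tool shipped with Resilio Connect: it assumes the configuration file is a JSON object whose peerServer and https sections each contain a tls object with a ciphers list (the nesting is inferred from the article, not confirmed by it), keeps only ECDHE suites in each list, refuses to empty a list, and writes a backup before rewriting the file. The sample configuration is constructed for the demonstration.

```python
import copy
import json
import shutil
import sys
from pathlib import Path

# Sections of resilio-connect-server.conf that carry a "tls" block (assumed layout).
TLS_SECTIONS = ("peerServer", "https")

# Constructed sample configuration; not a real resilio-connect-server.conf.
SAMPLE_CONFIG = {
    "peerServer": {
        "tls": {
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [
                "AES128-GCM-SHA256",
                "AES256-GCM-SHA384",
                "ECDHE-ECDSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384",
            ],
        }
    },
    "https": {
        "tls": {
            "secureProtocol": "TLSv1_2_method",
            "ciphers": ["AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
        }
    },
}


def harden_ciphers(config: dict) -> tuple:
    """Return (hardened_config, removed) where only ECDHE suites remain.

    The input is not modified. Raises ValueError if a section would be left
    with no ciphers, because MC could then accept no connection at all.
    """
    hardened = copy.deepcopy(config)
    removed = {}
    for section in TLS_SECTIONS:
        tls = hardened.get(section, {}).get("tls")
        if not isinstance(tls, dict) or "ciphers" not in tls:
            continue  # section absent or has no explicit cipher list
        kept = [c for c in tls["ciphers"] if c.startswith("ECDHE-")]
        if not kept:
            raise ValueError(f"{section}: no ECDHE ciphers configured; refusing to empty the list")
        removed[section] = [c for c in tls["ciphers"] if not c.startswith("ECDHE-")]
        tls["ciphers"] = kept
    return hardened, removed


def harden_config_file(path: str) -> dict:
    """Back up the file, rewrite it with ECDHE-only lists, return removed suites."""
    src = Path(path)
    original = json.loads(src.read_text())  # fails loudly on invalid JSON
    hardened, removed = harden_ciphers(original)
    shutil.copy2(src, src.with_suffix(src.suffix + ".bak"))
    src.write_text(json.dumps(hardened, indent=2) + "\n")
    return removed


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python harden_ciphers.py /path/to/resilio-connect-server.conf
        # (run with the Management Console stopped, as step 2 requires)
        print(json.dumps(harden_config_file(sys.argv[1]), indent=2))
    else:
        _, dropped = harden_ciphers(SAMPLE_CONFIG)
        print("would remove:", json.dumps(dropped, indent=2))
```

Because json.loads() parses the file first and json.dumps() writes it back, the rewritten file is guaranteed to be well-formed, and the returned list of removed suites gives you a record of the change for the change log.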
From now on, the MC will not establish a connection with Agents that offer no ECDHE algorithm during the handshake. Possible implications are:
- Agents whose environment does not support ECDHE ciphers will disconnect from MC.
- More secure ciphers require more CPU time on MC; a large number of Agents may create more load on MC while establishing connections.