
Configuring TLS Encryption for Management Console

By default, Management Console v2.8 and newer uses TLS with the cipher suites listed below to secure the connection between the MC and the Agents (peerServer) and the connection to the web interface (https). Each of the two is defined in its own section of the configuration file, peerServer and https respectively.

[Image: the peerServer and https TLS sections of the configuration file]

Warning

Management Console installations that were upgraded from pre-2.8 versions will still be using the older RSA_ cipher suites. Update the configuration file if necessary.

For clean installations of MC v4.1.0 and newer the following suites are deprecated:

  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384

Recommended ciphers are:

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

During the handshake the Agent and the MC agree on the most secure cipher suite that both support. Usually this is ECDHE-ECDSA-AES256-GCM-SHA384; however, OS-specific TLS configuration (for example a system-wide crypto policy or an older TLS library on the Agent host) may force them to fall back to another suite.

To find out which cipher is actually negotiated, run the following command from the device where the Agent runs, replacing IP with the address of the MC, and check the Protocol and Cipher lines of the SSL-Session details: openssl s_client -connect IP:8444. Use the same command with port 8443 to check the WebUI connection (openssl s_client -connect IP:8443, where 8443 is the port on which the WebUI is served).

[Image: openssl s_client output showing the negotiated protocol and cipher in the SSL-Session section]
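The check above can be automated. The script below is an added example, not part of this page or of the Resilio product: it parses the "New, <protocol>, Cipher is <suite>" line that openssl s_client prints, classifies the suite as forward secret or not, and, for a live check, connects to the MC with Python's ssl module to report the negotiated suite and to probe which of the suites from the lists above the server accepts when each is offered on its own. The host name, the sample s_client output and the choice of TLS 1.2-only probing are assumptions made for the example; the ports 8444 (Agents) and 8443 (WebUI) are the ones named on this page.

```python
import re
import socket
import ssl
import sys

# Suites named on this page: the recommended set plus the ones deprecated on MC 4.1.0+.
CANDIDATE_SUITES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256", "AES256-GCM-SHA384",
]

# Constructed sample of openssl s_client output (abridged) for offline use.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
"""
# Constructed sample of a failed handshake (no common suite).
SAMPLE_FAILED_OUTPUT = """\
CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
"""

# Line openssl prints once the handshake is done; "(NONE)" means it failed.
_NEW_LINE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)


def parse_s_client_output(text):
    """Return (protocol, cipher) from s_client output, or None if nothing was negotiated."""
    m = _NEW_LINE.search(text)
    if not m or m.group("cipher") == "(NONE)":
        return None
    return m.group("proto"), m.group("cipher")


def is_forward_secret(cipher):
    """True for suites with ephemeral (EC)DHE key exchange.
    TLS 1.3 suites (TLS_*) always use ephemeral key exchange, so they qualify too."""
    return cipher.startswith(("ECDHE-", "DHE-", "TLS_"))


def _probe_context():
    # Certificate verification is disabled on purpose: we only inspect handshake parameters.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def negotiated_cipher(host, port, timeout=5.0):
    """Live check: return (protocol, cipher, bits) that the server picked for a default client."""
    ctx = _probe_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            return version, name, bits


def accepted_ciphers(host, port, candidates=CANDIDATE_SUITES, timeout=5.0):
    """Offer each TLS 1.2 suite alone and record whether the server accepts it."""
    results = {}
    for suite in candidates:
        ctx = _probe_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(suite)   # raises if the local OpenSSL lacks this suite
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[suite] = tls.cipher()[0] == suite
        except (ssl.SSLError, OSError):
            results[suite] = False
    return results


if __name__ == "__main__":
    # Usage: python check_mc_tls.py MC_HOST [PORT]   (8444 = Agents, 8443 = WebUI)
    host = sys.argv[1] if len(sys.argv) > 1 else "mc.example.internal"  # assumed host name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8444
    proto, name, bits = negotiated_cipher(host, port)
    print(f"{host}:{port} negotiated {name} ({proto}, {bits} bits), PFS={is_forward_secret(name)}")
    for suite, ok in accepted_ciphers(host, port).items():
        print(f"  {'accepted' if ok else 'rejected'}  {suite}")
```

Run it from an Agent host rather than from the MC itself, because the point of the check is to see what that Agent's OS TLS stack can negotiate; a suite listed as rejected for port 8444 is one that Agents will not be able to use.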

If perfect forward secrecy is a strict requirement, edit the MC configuration file so that only ECDHE cipher suites are allowed:

  1. Before proceeding, check that the operating systems where the Agents are installed support ECDHE cipher suites (see the openssl s_client check above).
  2. Stop the Resilio Management Console service and open the configuration file:
    Windows: C:\ProgramData\Resilio\Connect Server\resilio-connect-server.conf
    Linux: ${resilio_connect_server_dir}/var/resilio-connect-server.conf
  3. Remove the entries whose names start with AES (the non-ECDHE suites), so that only ECDHE ciphers remain in both sections, peerServer and https. The file is JSON, so keep the syntax valid (quotes, commas, no trailing comma after the last entry). The example below still keeps ECDHE-ECDSA-AES128-SHA256 and ECDHE-RSA-AES128-SHA256; on MC v4.1.0 and newer these are deprecated (see the warning above) and can be removed as well.

    "tls": {
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [
            "ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES128-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256"
        ]
    }
    
  4. Start the Management Console.
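Editing the cipher lists by hand is easy to get wrong (a stray comma makes the whole file unreadable, and an empty list locks every Agent out). The script below is an added example, not Resilio's own tooling: it loads the configuration file as JSON, drops every non-ECDHE suite and, optionally, the suites deprecated on MC 4.1.0+ from both TLS sections, refuses to produce an empty list, writes a backup, and round-trips the result through the JSON parser before saving. The nesting peerServer.tls.ciphers and https.tls.ciphers, and the sample configuration, are assumptions made for the example; the cipher names and the secureProtocol value are the ones shown on this page.

```python
import copy
import json
from pathlib import Path

# From this page: suites deprecated on clean MC 4.1.0+ installs.
DEPRECATED_SUITES = {
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
}
# Assumed names of the two sections that carry a "tls" object.
TLS_SECTIONS = ("peerServer", "https")

# Constructed sample configuration (not a real resilio-connect-server.conf).
SAMPLE_CONFIG = {
    "peerServer": {
        "port": 8444,
        "tls": {
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [
                "ECDHE-ECDSA-AES128-SHA256",
                "ECDHE-ECDSA-AES128-GCM-SHA256",
                "ECDHE-ECDSA-AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-SHA256",
                "ECDHE-RSA-AES128-GCM-SHA256",
                "AES128-GCM-SHA256",
                "AES256-GCM-SHA384",
            ],
        },
    },
    "https": {
        "port": 8443,
        "tls": {
            "secureProtocol": "TLSv1_2_method",
            "ciphers": [
                "AES128-GCM-SHA256",
                "AES256-GCM-SHA384",
                "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-CHACHA20-POLY1305",
            ],
        },
    },
}


def filter_ciphers(ciphers, pfs_only=True, drop_deprecated=True):
    """Keep only the suites that satisfy the policy; order is preserved."""
    kept = []
    for suite in ciphers:
        if pfs_only and not suite.startswith("ECDHE-"):
            continue              # static key exchange: no forward secrecy
        if drop_deprecated and suite in DEPRECATED_SUITES:
            continue
        kept.append(suite)
    if not kept:
        # An empty list would make the MC reject every handshake.
        raise ValueError("cipher list would be empty; refusing to lock all clients out")
    return kept


def harden_config(conf, sections=TLS_SECTIONS, **policy):
    """Return a hardened copy of the parsed configuration; the input is not modified."""
    out = copy.deepcopy(conf)
    for name in sections:
        tls = out.get(name, {}).get("tls")
        if tls is None:
            raise KeyError(f"section {name!r} has no 'tls' object")
        tls["ciphers"] = filter_ciphers(tls.get("ciphers", []), **policy)
    return out


def harden_file(path, backup=True, **policy):
    """Rewrite the configuration file in place, keeping a .bak copy of the original."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    hardened = harden_config(json.loads(original), **policy)
    if backup:
        p.with_suffix(p.suffix + ".bak").write_text(original, encoding="utf-8")
    text = json.dumps(hardened, indent=4) + "\n"
    json.loads(text)  # round-trip check: the file the MC will read must be valid JSON
    p.write_text(text, encoding="utf-8")
    return hardened


if __name__ == "__main__":
    # Dry run on the constructed sample; for a real file use harden_file(path).
    for section, body in harden_config(SAMPLE_CONFIG).items():
        print(section, body["tls"]["ciphers"])
```

Run it with the MC service stopped, as in step 2, and start the service afterwards. Pass drop_deprecated=False to keep the two AES128-SHA256 ECDHE suites on installations older than 4.1.0.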

From now on, the MC will not establish a connection with Agents that offer only non-ECDHE suites during the handshake. Possible implications are:

  • Agents whose environment does not support ECDHE cipher suites will disconnect from the MC.
  • ECDHE key exchange costs more CPU per handshake on the system running the Management Console, so a large number of Agents connecting at once creates more load on the MC.