Configuring TLS Encryption for Management Console
The Management Console encrypts connections between itself and the Agents, as well as connections to the Management Console's web interface.
TLS cipher suites for each connection are defined in the peerServer and the https sections of the Management Console's configuration file. Default cipher suites depend on the Resilio Active Everywhere version.
Note
Default cipher suites apply to fresh deployments. When updating your Resilio Active Everywhere deployment to a new version, the configuration file is not updated automatically. You must manually update the relevant sections and restart the system to enable cipher suites supported by the newer version.
Resilio 5.x default cipher suites
"peerServer": {
    "host": "0.0.0.0",
    "port": 8444,
    "tls": {
        "secureProtocol": "TLS_method",
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384"
        ]
    }
},
"https": {
    "port": 8443,
    "host": "0.0.0.0",
    "tls": {
        "secureProtocol": "TLS_method",
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384"
        ]
    }
},
Resilio 4.x default cipher suites
"peerServer": {
    "host": "0.0.0.0",
    "port": 8444,
    "tls": {
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384"
        ]
    }
},
"https": {
    "port": 8443,
    "host": "0.0.0.0",
    "tls": {
        "secureProtocol": "TLSv1_2_method",
        "ciphers": [
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384"
        ]
    }
},
Warning
Management Console installations updated from pre-2.8 versions may still be using RSA_ cipher suites (static RSA key exchange, which provides no forward secrecy). Update the configuration file if necessary. For clean installations of Resilio Active Everywhere 4.1 and newer, the following cipher suites are deprecated:
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- AES128-GCM-SHA256
- AES256-GCM-SHA384
Recommended ciphers are:
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
Verify TLS capabilities
The Agent and the Management Console negotiate the most secure encryption algorithm supported by both. However, the operating system's configuration may force them to fall back to a different algorithm.
To determine which cipher is actually used, run the openssl s_client -connect management_console_IP:8444 command on the system hosting the Agent and check the SSL session details:
vboxuser@ubuntu-25-10:/opt/resilio-connect-server$ openssl s_client -connect 192.168.0.59:8444
Connecting to 192.168.0.59
CONNECTED(00000003)
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 3D1992308C06B17EA5908EB222F7C5B06CD96ED68510799A346E906682E68247
...
Run a similar command to check the web UI connection:
openssl s_client -connect IP:8443 (where 8443 is the web UI port)
The negotiated protocol and cipher should match what the peerServer and https sections allow; if they do not, the Agent host's operating system has restricted the selection, as described above.
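The check above, automated as an added example that is not part of Resilio's documentation or tooling: a small Python script that runs the same openssl s_client command (it assumes an openssl binary on PATH), parses the SSL-Session block that the transcript shows, and compares the negotiated protocol and cipher with what the configuration is meant to enforce. The sample outputs embedded in it are constructed from the transcript above, and all function names are this example's own.

```python
"""Check which protocol and cipher suite a Management Console port really
negotiates, and compare it with the policy the configuration is meant to
enforce. Added example, not Resilio's own tooling: probe() assumes an openssl
binary on PATH; the sample outputs below are constructed from the transcript
in the documentation; all function names are this example's own."""
import re
import subprocess

# TLS 1.3 suites from the documentation; every other suite with forward
# secrecy in these configurations is an ECDHE- suite.
TLS13_CIPHERS = {
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
}

# Matches the "Protocol  : TLSv1.3" / "Cipher    : ..." lines of SSL-Session.
SESSION_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.MULTILINE)


def parse_session(output):
    """Return {"protocol": ..., "cipher": ...} from s_client output, or an
    empty dict if no SSL-Session block was printed. TLS 1.3 prints a second
    block when the post-handshake session ticket arrives; the first is kept."""
    session = {}
    for key, value in SESSION_RE.findall(output):
        session.setdefault(key.lower(), value)
    return session


def evaluate(session, require_tls13=False):
    """Return a list of problems with the negotiated session; empty means OK."""
    proto, cipher = session.get("protocol"), session.get("cipher")
    if proto is None or cipher is None:
        return ["no SSL-Session block in output (handshake failed?)"]
    problems = []
    if require_tls13 and proto != "TLSv1.3":
        problems.append(f"negotiated {proto}, expected TLSv1.3")
    elif proto not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"negotiated {proto}, which is older than TLS 1.2")
    if cipher not in TLS13_CIPHERS and not cipher.startswith("ECDHE-"):
        problems.append(f"cipher {cipher} has no ephemeral key exchange (no forward secrecy)")
    return problems


def probe(host, port, timeout=15):
    """Run `openssl s_client -connect host:port` and return its combined output.
    stdin is empty so s_client exits right after the handshake."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    done = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return done.stdout.decode(errors="replace") + done.stderr.decode(errors="replace")


def check(host, port, require_tls13=False):
    """Probe one port (8444 for Agents, 8443 for the web UI) and return
    (parsed session, list of problems)."""
    session = parse_session(probe(host, port))
    return session, evaluate(session, require_tls13)


# Constructed sample outputs, trimmed to the lines that matter.
SAMPLE_TLS13 = """CONNECTED(00000003)
...
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 0000...constructed-placeholder...0000
"""
SAMPLE_TLS12 = """SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""
SAMPLE_NO_PFS = """SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES128-GCM-SHA256
"""

if __name__ == "__main__":
    import sys
    # Usage: python tls_probe.py <console-ip> [port] [--tls13-only]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 and sys.argv[2].isdigit() else 8444
    sess, probs = check(host, port, require_tls13="--tls13-only" in sys.argv)
    print(sess, probs or "OK")
```

Run it from the Agent host, as the documentation does for the manual check, because the point is to see what that host's OpenSSL configuration lets the Agent negotiate; pass --tls13-only after following the "Allow only TLS 1.3" steps to make a TLS 1.2 fallback show up as a problem rather than a pass.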
Enable TLS 1.3
Note
Applicable to Resilio Active Everywhere 5.0.1 and newer.
To enable TLS 1.3 for Management Console connections after updating from a pre-5.0.1 version:
- Stop the Resilio Management Console service and open the configuration file.
  - Windows: C:\ProgramData\Resilio\Connect Server\resilio-connect-server.conf
  - Linux: ${resilio_connect_server_dir}/var/resilio-connect-server.conf
- In the peerServer and https sections, change the secureProtocol parameter's value to TLS_method and add TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_GCM_SHA256 to the list of allowed ciphers.
Note
This will allow both TLS 1.2 and TLS 1.3 connections. To allow only TLS 1.3 connections, remove ECDHE ciphers.
"peerServer": {
    "host": "0.0.0.0",
    "port": 8444,
    "tls": {
        "secureProtocol": "TLS_method",
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384"
        ]
    }
},
"https": {
    "port": 8443,
    "host": "0.0.0.0",
    "tls": {
        "secureProtocol": "TLS_method",
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256",
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384"
        ]
    }
},
- Start the Resilio Management Console service.
Allow only TLS 1.3
Note
Applicable to Resilio Active Everywhere 5.0.1 and newer.
To allow only TLS 1.3 for Management Console connections:
- Stop the Resilio Management Console service and open the configuration file.
  - Windows: C:\ProgramData\Resilio\Connect Server\resilio-connect-server.conf
  - Linux: ${resilio_connect_server_dir}/var/resilio-connect-server.conf
- In the peerServer and https sections, remove all lines starting with ECDHE and make sure the secureProtocol parameter is set to TLS_method. Preserve JSON formatting.
"peerServer": {
    "host": "0.0.0.0",
    "port": 8444,
    "tls": {
        "secureProtocol": "TLS_method",
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256"
        ]
    }
},
"https": {
    "port": 8443,
    "host": "0.0.0.0",
    "tls": {
        "secureProtocol": "TLS_method",
        "ciphers": [
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256"
        ]
    }
},
- Start the Resilio Management Console service.
Ensure perfect forward secrecy
Note
Applicable to Resilio Active Everywhere 4.0 and older.
If your organization requires perfect forward secrecy, edit the Management Console configuration file and remove cipher suites that do not support it:
- Verify that the operating systems running the Agents support forward secrecy.
- Stop the Resilio Management Console service and open the configuration file.
  - Windows: C:\ProgramData\Resilio\Connect Server\resilio-connect-server.conf
  - Linux: ${resilio_connect_server_dir}/var/resilio-connect-server.conf
- In the peerServer and https sections, remove the lines starting with AES. Preserve JSON formatting.
- Start the Resilio Management Console service.
From this point forward, the Management Console will not establish connections with Agents that do not support ECDHE during the handshake. Possible implications include:
- Agents running in environments without ECDHE support will disconnect from the Management Console.
- Stronger ciphers may increase CPU usage on the Management Console host. A large number of Agents may therefore increase load during connection establishment.
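The configuration edits described in the Warning, in "Enable TLS 1.3", in "Allow only TLS 1.3" and in "Ensure perfect forward secrecy" all come down to the same kind of change to the peerServer and https sections, so here is one added example that covers all of them. It is not Resilio's own tooling: it audits a resilio-connect-server.conf-style JSON file for a stale secureProtocol, deprecated suites, suites without forward secrecy and missing TLS 1.3 suites, and can apply each documented step as a policy. The cipher-suite names and secureProtocol values are the ones on this page; the policy names, function names and the sample configuration (constructed to look like a 4.x file carried over on update) are this example's own, and it assumes the configuration file is plain JSON.

```python
"""Audit and rewrite the "peerServer" and "https" TLS sections of a
resilio-connect-server.conf-style JSON file.

Added example, not Resilio's own tooling. The cipher-suite names and the
secureProtocol values are the ones from the documentation; the policy names
("tls12_and_13", "tls13_only", "pfs_only") and every function name are this
example's own. Assumes the configuration file is plain JSON.
"""
import json
import sys
from copy import deepcopy

# TLS 1.3 suites the "Enable TLS 1.3" step adds, in the documented order.
TLS13_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
]
# Suites the documentation lists as deprecated for clean 4.1+ installations.
DEPRECATED = {
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
}
TLS_SECTIONS = ("peerServer", "https")


def audit_section(section):
    """Return human-readable findings for one peerServer/https section."""
    findings = []
    tls = section.get("tls", {})
    proto = tls.get("secureProtocol")
    ciphers = tls.get("ciphers", [])
    if proto != "TLS_method":
        findings.append(f"secureProtocol is {proto!r}; TLS 1.3 requires TLS_method")
    for c in ciphers:
        if c in DEPRECATED:
            findings.append(f"deprecated cipher suite: {c}")
        elif not (c.startswith("ECDHE-") or c in TLS13_CIPHERS):
            findings.append(f"no forward secrecy (static key exchange): {c}")
    if not any(c in TLS13_CIPHERS for c in ciphers):
        findings.append("no TLS 1.3 cipher suites configured")
    return findings


def audit_config(config):
    """Audit every TLS section present; returns {section: [findings]}."""
    return {name: audit_section(config[name]) for name in TLS_SECTIONS if name in config}


def apply_policy(config, policy):
    """Return a modified deep copy of config with one documented step applied.

    tls12_and_13: "Enable TLS 1.3" (TLS_method, TLS 1.3 suites prepended)
    tls13_only:   "Allow only TLS 1.3" (ECDHE- suites removed)
    pfs_only:     "Ensure perfect forward secrecy" (AES* suites removed; 4.0 and older)
    """
    if policy not in ("tls12_and_13", "tls13_only", "pfs_only"):
        raise ValueError(f"unknown policy {policy!r}")
    new = deepcopy(config)
    for name in TLS_SECTIONS:
        if name not in new:
            continue
        tls = new[name].setdefault("tls", {})
        current = tls.get("ciphers", [])
        if policy == "tls12_and_13":
            tls["secureProtocol"] = "TLS_method"
            kept = [c for c in current if c not in TLS13_CIPHERS]
            tls["ciphers"] = TLS13_CIPHERS + kept
        elif policy == "tls13_only":
            tls["secureProtocol"] = "TLS_method"
            kept = [c for c in current if not c.startswith("ECDHE-")]
            tls["ciphers"] = [c for c in TLS13_CIPHERS if c not in kept] + kept
        else:  # pfs_only: only the cipher list changes
            tls["ciphers"] = [c for c in current if not c.startswith("AES")]
    return new


def rewrite_config_text(text, policy):
    """Apply a policy to the file's JSON text and re-serialise it as valid JSON."""
    return json.dumps(apply_policy(json.loads(text), policy), indent=4) + "\n"


# Constructed sample: a 4.x-style file carried over on update (still
# TLSv1_2_method) whose https section also lists one deprecated static-RSA suite.
SAMPLE_CONFIG_TEXT = """{
  "peerServer": {"host": "0.0.0.0", "port": 8444, "tls": {
    "secureProtocol": "TLSv1_2_method", "ciphers": [
      "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305",
      "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305",
      "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384"]}},
  "https": {"port": 8443, "host": "0.0.0.0", "tls": {
    "secureProtocol": "TLSv1_2_method", "ciphers": [
      "ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256"]}}
}"""
SAMPLE_CONFIG = json.loads(SAMPLE_CONFIG_TEXT)

if __name__ == "__main__":
    # Usage: python tls_policy.py <config-file> [policy]
    # Findings go to stderr; with a policy, the rewritten JSON goes to stdout.
    text = open(sys.argv[1]).read()
    for section, findings in audit_config(json.loads(text)).items():
        print(section, findings or ["ok"], file=sys.stderr)
    if len(sys.argv) > 2:
        sys.stdout.write(rewrite_config_text(text, sys.argv[2]))
```

Stop the service before writing the rewritten file back and start it afterwards, exactly as the steps above say; the script never touches the file itself, so the write-back stays under your control. Note that the audit reports deprecated and non-ECDHE suites but the tls12_and_13 and tls13_only policies deliberately do not drop them, because the documented steps only add TLS 1.3 suites or remove ECDHE lines; run the audit again after applying a policy and remove anything it still flags.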