How to upgrade to TLS 1.2 and why it’s crucial for Bitdefender Endpoint Security Tools functionality
Starting with the November 2020 release, Bitdefender GravityZone Cloud will no longer support the Transport Layer Security (TLS) 1.0 and 1.1 protocols due to known security vulnerabilities. In keeping with industry standards and best practices, Bitdefender will migrate to TLS 1.2 and disable all insecure ciphers for all agent communications with the console.
This document contains the information you need to prepare for this upgrade.
- Understanding TLS
- Why upgrading to TLS 1.2 is necessary
- Which services will be impacted and what steps you need to follow
Transport Layer Security, also known as TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. One of its primary uses is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP).
TLS is similar to SSL (Secure Sockets Layer). The latter was developed by Netscape and ensures message integrity while guaranteeing server identity. The Internet Engineering Task Force (IETF) created TLS as the successor to SSL. It's used most often as a setting in email programs, but, like SSL, can be used in any client-server transaction.
TLS uses encryption and endpoint identity verification to ensure that a connection to a remote endpoint actually reaches the intended endpoint.
The PCI Council released version 3.1 of their Data Security Standard (DSS), which states that SSL 3.0 and TLS 1.0 are no longer supported. For more information, refer to this official post.
Although DSS 3.1 allows TLS 1.1 if configured properly, Bitdefender doesn't want to take any risks and has chosen the safest path.
This implies migrating all customers to TLS 1.2.
Connections, inbound to your Bitdefender console or outbound from it, will fail if they rely on TLS 1.0 or 1.1.
After the migration to TLS 1.2, the following services will be affected and need to be acted upon:
1. BEST versions released before 2018 running on legacy Windows (older than Windows 8)*
- BEST versions: 6.6.1, or 6.4.1 and below
- EPS below 5.3.37
In order to avoid any problems, such as the stations running old BEST versions appearing as offline in the console, you need to undertake the following steps:
- Check whether you are running the latest BEST version by following the steps in this KB.
- If your version needs updating, follow the steps for manually updating BEST in the "Update Client" section of the Administrator's Guide.
These mandatory updates need to be done by the November release of GravityZone Control Center.
2. Sandbox Analyzer Cloud
All Bitdefender Endpoint Security Tools agents installed on any of the following Windows versions will be affected: Windows 7, Windows 8, Windows 8.1, Windows Server 2008 R2, Windows 10, Windows Server 2010 or Windows Server 2012.
To avoid potential problems related to legacy endpoint versions, follow the steps described above to upgrade your BEST version.
These mandatory changes need to be done before the next Sandbox release (29th of January).
3. Event-push service
In order to avoid any issues, we recommend you switch to TLS 1.2 and configure the new ciphers on the server that receives information from the event-push service.
These mandatory configurations need to be done by the end of March 2021.
4. Any legacy client running older TLS versions that connects to the console
Potential issues will be avoided if you upgrade your clients to TLS 1.2 and configure the new ciphers.
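The following added example (not Bitdefender's code) shows what "switch to TLS 1.2 and configure the new ciphers" looks like for the server receiving event-push data (item 3) and how to verify which protocol versions a receiver or any other TLS endpoint still accepts (item 4). It assumes Python 3.10 or later on OpenSSL 1.1.1 or later; the cipher string, the weak-cipher markers and the `probe_versions` helper are this example's own choices, not settings taken from the page.

```python
"""Audit and probe TLS settings for the TLS 1.2 migration (added example)."""
import socket
import ssl

# Cipher families that must no longer be offered (assumed list for this example).
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")
# AEAD suites with forward secrecy only (assumed; align with what your receiver supports).
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4:!3DES"


def legacy_context() -> ssl.SSLContext:
    """Pre-migration shape: any protocol version and any cipher the library allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Receiver-side context: TLS 1.2 as the floor, strong ciphers only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def audit(ctx: ssl.SSLContext) -> list[str]:
    """Return the policy violations found in a context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum version below TLS 1.2 (TLS 1.0/1.1 still accepted)")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(m in c["name"] for m in WEAK_MARKERS)})
    if weak:
        findings.append("weak ciphers offered: " + ", ".join(weak))
    return findings


def probe_versions(host: str, port: int = 443) -> dict[str, bool]:
    """One handshake per protocol version against a live endpoint.
    After the migration only TLSv1_2 (and TLSv1_3, where enabled) should be True."""
    results = {}
    for name in ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"):
        ctx = ssl.create_default_context()
        try:
            ctx.maximum_version = ssl.TLSVersion[name]  # pin both bounds to one version
            ctx.minimum_version = ssl.TLSVersion[name]
            with socket.create_connection((host, port), timeout=5) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = True
        except (ssl.SSLError, OSError, ValueError):
            results[name] = False  # refused by the server, unreachable, or unsupported locally
    return results
```

Run `audit(hardened_context())` on the context your receiver actually uses; a non-empty list names the exact setting to change. `probe_versions("receiver.example", 8443)` (placeholder host) then confirms from the outside that TLS 1.0 and 1.1 handshakes are refused.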