Skip to main content

How to upgrade to TLS 1.2 and why it’s crucial for Bitdefender Endpoint Security Tools functionality

Starting with November 2021 release, Bitdefender GravityZone Cloud, will no longer support Transport Layer Security (TLS) 1.0 or 1.1 protocols due to known security vulnerabilities. In keeping with industry standards and best practices, Bitdefender will migrate to TLS 1.2 for all agent communications with the console.

This document contains all the information you need to make all the preparations needed for this upgrade.

Understanding TLS

Transport Layer Security, also known as TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. One of its primary uses is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP).

TLS is similar to SSL (Secure Sockets Layer). The latter was developed by Netscape and ensures message integrity while guaranteeing server identity. The Internet Engineering Task Force (IETF) created TLS as the successor to SSL. It's used most often as a setting in email programs, but, like SSL, can be used in any client-server transaction.

TLS ensures that a connection to a remote endpoint is the intended endpoint with encryption and endpoint identity verification.

The PCI Council released version 3.1 of their Data Security Standard (DSS), which states that SSL 3.0 and TLS 1.0 are no longer supported. For more information, refer to this official post.

Why upgrading to TLS 1.2 is necessary

Although the DSS 3.1 allows TLS 1.1 if configured properly, Bitdefender doesn’t want to take any risks and has chosen the safest path.

This implies migrating all customers to TLS 1.2.

Connections, inbound to your Bitdefender console or outbound from it, will fail if they rely on TLS 1.0 or 1.1.

Which services will be impacted and what are the steps you need to follow

After the migration to TLS 1.2 the following services will be affected and need to be acted upon.

1. BEST versions released before 2018 running on legacy Windows (older than Windows 8)*

  • BEST versions : 6.6.1 or 6.4.1 and below 6.4.1

  • EPS v5 5.3.37 and below 5.3.37*

*Bitdefender renounced its support for Windows 2003, Windows Vista and Windows 2008 back in January 2020.

In order to avoid any problems, such as the stations running old BEST versions appearing as offline in the console, you need to undertake the following steps:

  • Check if you've updated to the latest BEST version. You can inspect this by following the steps mentioned in this KB.

  • If you find that your version needs updating, then carry out the steps on how to manually update BEST, explained in this KB.

Important

These mandatory updates need to be done by November 2021 release for GravityZone Control Center.

2. Sandbox Analyzer Cloud

All Bitdefender Endpoint Security Tools agents will be affected as long as they are installed on any Windows version prior to Windows 10.

To avoid potential problems related to the endpoint legacy versions, you will need to follow the steps mentioned above for upgrading your BEST version.

An upgrade for your on-premises console is also needed in order to avoid issues in the communication with the cloud services. To do this, follow the indications mentioned in this KB.

Important

These mandatory changes need to be done before the next Sandbox release (29th of January 2022).

3. Event-push service

In order to avoid any issues, we recommend you switch to TLS 1.2 and configure the new ciphers on the server that receives information from the event-push service.

Important

These mandatory configurations need to be done by the end of March 2021.

4. Any legacy client running older TLS versions that connects to the console

Potential issues will be avoided if you upgrade your clients to TLS 1.2 and configure the new ciphers.

Supported cipher modes

As of October 2022, Bitdefender supports the following cipher modes:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384

  • DHE-DSS-AES128-GCM-SHA256

  • DHE-DSS-AES256-GCM-SHA384

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384