Encrypt communication with TLS

To fix vulnerabilities on your organization's corporate network, you can enable traffic encryption by using the TLS protocol. You can enable TLS encryption protocols and supported cipher suites on Administration Server and iOS MDM Server. Kaspersky Security Center supports the TLS protocol versions 1.0, 1.1, 1.2, and 1.3. You can select the required encryption protocol and cipher suites.

Kaspersky Security Center uses self-signed certificates. Additional configuration of the iOS devices is not required. You can also use your own certificates. Kaspersky specialists recommend using certificates issued by trusted certificate authorities.

Administration Server

To configure allowed encryption protocols and cipher suites on Administration Server:

  1. Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.
  2. Use the SrvUseStrictSslSettings flag to configure allowed encryption protocols and cipher suites on Administration Server. Enter the following command:

    klscflag -fset -pv ".core/.independent" -s Transport -n SrvUseStrictSslSettings -v <value> -t d

    Specify the <value> parameter of the SrvUseStrictSslSettings flag:

    • 4—Only the TLS 1.2 and TLS 1.3 protocols are enabled. Also, cipher suites with TLS_RSA_WITH_AES_256_GCM_SHA384 are enabled (these cipher suites are needed for backward compatibility with the previous versions of Kaspersky Security Center). This is the default value.

      Cipher suites supported for the TLS 1.2 protocol:

      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-CHACHA20-POLY1305
      • AES256-GCM-SHA384 (cipher suite with TLS_RSA_WITH_AES_256_GCM_SHA384)
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES128-SHA256

      Cipher suites supported for the TLS 1.3 protocol:

      • TLS_AES_256_GCM_SHA384
      • TLS_CHACHA20_POLY1305_SHA256
      • TLS_AES_128_GCM_SHA256
      • TLS_AES_128_CCM_SHA256
    • 5—Only the TLS 1.2 and TLS 1.3 protocols are enabled. For the TLS 1.2 and TLS 1.3 protocols, the specific cipher suites listed below are supported.

      Cipher suites supported for the TLS 1.2 protocol:

      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-CHACHA20-POLY1305
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES128-SHA256

      Cipher suites supported for the TLS 1.3 protocol:

      • TLS_AES_256_GCM_SHA384
      • TLS_CHACHA20_POLY1305_SHA256
      • TLS_AES_128_GCM_SHA256
      • TLS_AES_128_CCM_SHA256

    We do not recommend using 0, 1, 2, or 3 as the parameter value of the SrvUseStrictSslSettings flag. These parameter values correspond to insecure TLS protocol versions (the TLS 1.0 and TLS 1.1 protocols) and insecure cipher suites, and are used only for backward compatibility with earlier Kaspersky Security Center versions.

  3. Restart the following Kaspersky Security Center 15.1 services:
    • Administration Server
    • Web Server
    • Activation Proxy

Traffic encryption by using the TLS protocol is enabled.

You can use the KLTR_TLS12_ENABLED and KLTR_TLS13_ENABLED flags to enable the support of the TLS 1.2 and TLS 1.3 protocols respectively. These flags are enabled by default.

To enable or disable the support of the TLS 1.2 and TLS 1.3 protocols:

  1. Run the klscflag utility.

    Run the Windows command prompt by using administrator rights, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the folder where Administration Server is installed. The default installation path is <Disk>:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center.

  2. Enter one of the following commands at the Windows command prompt, using administrator rights:
    • Use this command to enable or disable the support of the TLS 1.2 protocol:

      klscflag -fset -pv ".core/.independent" -s Transport -n KLTR_TLS12_ENABLED -v <value> -t d

    • Use this command to enable or disable the support of the TLS 1.3 protocol:

      klscflag -fset -pv ".core/.independent" -s Transport -n KLTR_TLS13_ENABLED -v <value> -t d

    Specify the <value> parameter of the flag:

    • 1—To enable the support of the TLS protocol.
    • 0—To disable the support of the TLS protocol.
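The following PowerShell script is an added example, not a Kaspersky tool or a script from this page. It applies the two klscflag procedures above (SrvUseStrictSslSettings plus the KLTR_TLS12_ENABLED and KLTR_TLS13_ENABLED flags) with the same command syntax shown in the steps, restarts the services listed in step 3, and then probes the Administration Server to confirm that TLS 1.0 and TLS 1.1 handshakes are refused while TLS 1.2 succeeds. Assumptions not taken from this page: klscflag.exe is in the default installation folder on drive C:, the service display names match the wildcard patterns in the script, and $ServerHost and $ServerPort are placeholders you replace with your own Administration Server address and port.

```powershell
# Added example (not Kaspersky's own tooling): applies the klscflag settings from the
# procedures above and probes the server afterwards to confirm the result.
# Assumptions: klscflag.exe is in the default install folder on C:, the service
# display names match the wildcards below, and $ServerHost/$ServerPort are placeholders.
param(
    [ValidateSet(4, 5)] [int] $StrictSslValue = 4,      # values 0-3 are refused on purpose (see the note above)
    [bool] $EnableTls12 = $true,
    [bool] $EnableTls13 = $true,
    [string] $ServerHost = 'ksc-admin.example.local',   # placeholder
    [int] $ServerPort = 0                               # placeholder: set to your Administration Server port
)

$klscflag = 'C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\klscflag.exe'
if (-not (Test-Path $klscflag)) { throw "klscflag not found at $klscflag" }

function Set-TransportFlag {
    param([string] $Name, [int] $Value)
    # Same syntax as the commands in the procedure: section Transport, DWORD type (-t d).
    & $klscflag -fset -pv '.core/.independent' -s Transport -n $Name -v $Value -t d
    if ($LASTEXITCODE -ne 0) { throw "klscflag failed for $Name (exit code $LASTEXITCODE)" }
}

# Step 2 of both procedures: strict SSL settings and the per-version enable flags.
Set-TransportFlag -Name 'SrvUseStrictSslSettings' -Value $StrictSslValue
Set-TransportFlag -Name 'KLTR_TLS12_ENABLED' -Value ([int]$EnableTls12)
Set-TransportFlag -Name 'KLTR_TLS13_ENABLED' -Value ([int]$EnableTls13)

# Step 3: restart the services so the new settings take effect.
# Display names are assumed; confirm them with Get-Service before relying on this.
foreach ($pattern in 'Kaspersky Security Center*Administration Server*',
                     'Kaspersky Security Center*Web Server*',
                     'Kaspersky Security Center*Activation Proxy*') {
    Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue | Restart-Service -Force
}

function Test-TlsVersion {
    # Returns $true when the server completes a handshake using only the given protocol.
    # Certificate validation is switched off because this only probes protocol negotiation
    # (the server may use a self-signed certificate); never reuse this for real client traffic.
    param([string] $Target, [int] $Port, [System.Security.Authentication.SslProtocols] $Protocol)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, $Port)
        $acceptAny = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($Target, $null, $Protocol, $false)
        return $true
    } catch {
        return $false
    } finally {
        $tcp.Close()
    }
}

if ($ServerPort -gt 0) {
    $SP = [System.Security.Authentication.SslProtocols]
    # With value 4 or 5 and KLTR_TLS12_ENABLED=1, expect: Tls False, Tls11 False, Tls12 True.
    foreach ($p in @($SP::Tls, $SP::Tls11, $SP::Tls12)) {
        "{0,-6} handshake accepted: {1}" -f $p, (Test-TlsVersion $ServerHost $ServerPort $p)
    }
}
```

Run the script from an elevated PowerShell session on the Administration Server host. The probe at the end is the check worth keeping after any change to these flags: if a TLS 1.0 or TLS 1.1 handshake is still accepted, the services were not restarted or the flag value did not apply, and the earlier klscflag output should be inspected before assuming the network is protected.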

iOS MDM Server

The connection between the iOS devices and the iOS MDM Server is encrypted by default.

To configure allowed encryption protocols and cipher suites on the iOS MDM Server:

  1. Open the system registry of the client device with iOS MDM Server installed (for example, locally, by running the regedit command from the Start > Run menu).
  2. Go to the following hive:
    • For 32-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    • For 64-bit systems:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

  3. Create a key with the StrictSslSettings name.
  4. Specify DWORD as the key type.
  5. Set the key value:
    • 2—The TLS 1.0, TLS 1.1, and TLS 1.2 protocols are enabled.
    • 3—Only the TLS 1.2 protocol is enabled (default value).
  6. Restart the Kaspersky Security Center iOS MDM Server service.
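The following PowerShell script is an added example, not a Kaspersky tool or a script from this page. It performs steps 2 through 6 above without regedit: it selects the 32-bit or 64-bit hive documented on this page, creates or updates the StrictSslSettings DWORD value, reads it back to confirm the change, and restarts the iOS MDM Server service. The only assumption not taken from this page is the service display name wildcard used for the restart.

```powershell
# Added example (not Kaspersky's own tooling): sets StrictSslSettings for the iOS MDM Server
# as described in steps 2-6 above. The hive paths are the ones documented on this page;
# the service display name pattern is an assumption.
param([ValidateSet(2, 3)] [int] $StrictSslSettings = 3)   # 3 = TLS 1.2 only (the documented default)

# Step 2: pick the hive for the current OS bitness.
$hive = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset'
} else {
    'HKLM:\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset'
}
if (-not (Test-Path $hive)) { throw "iOS MDM Server hive not found: $hive (is iOS MDM Server installed?)" }

# Steps 3-5: create the DWORD value if it is missing, otherwise update it.
$current = (Get-ItemProperty -Path $hive -Name StrictSslSettings -ErrorAction SilentlyContinue).StrictSslSettings
if ($null -eq $current) {
    New-ItemProperty -Path $hive -Name StrictSslSettings -PropertyType DWord -Value $StrictSslSettings | Out-Null
} else {
    Set-ItemProperty -Path $hive -Name StrictSslSettings -Value $StrictSslSettings
}

# Read the value back and refuse to restart the service if it did not apply.
$applied = (Get-ItemProperty -Path $hive -Name StrictSslSettings).StrictSslSettings
if ($applied -ne $StrictSslSettings) { throw "StrictSslSettings is $applied, expected $StrictSslSettings" }
$meaning = if ($applied -eq 3) { 'only TLS 1.2 enabled' } else { 'TLS 1.0, 1.1 and 1.2 enabled' }
"StrictSslSettings = $applied ($meaning) in $hive"

# Step 6: restart the iOS MDM Server service (display name pattern assumed).
Get-Service -DisplayName 'Kaspersky Security Center*iOS MDM*' | Restart-Service -Force
```

Value 2 is accepted only because the page lists it; it re-enables the TLS 1.0 and TLS 1.1 protocols that the Administration Server section describes as insecure, so in practice the default of 3 is the value to keep, and the read-back line gives you a record of what was actually applied on the host.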