Support

Support for business applications

Kaspersky Security Center 15 Linux

Configuring Administration Server

Encrypt communication with TLS

Kaspersky Security Center
Нет результатов
Нет результатов
Online Help
FAQ Download Buy Renew Forum Contact support Recovery tools Product videos

Encrypt communication with TLS

May 13, 2024

ID 174316

Get as PDF

To fix vulnerabilities on your organization's corporate network, you can enable traffic encryption by using the TLS protocol. You can enable TLS encryption protocols and supported cipher suites on Administration Server. Kaspersky Security Center Linux supports the TLS protocol versions 1.0, 1.1, 1.2, and 1.3. You can select the required encryption protocol and cipher suites.

Kaspersky Security Center Linux uses self-signed certificates. You can also use your own certificates. Kaspersky specialists recommend using certificates issued by trusted certificate authorities.

To configure allowed encryption protocols and cipher suites on Administration Server:

  1. Run the command line, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.
  2. Use the SrvUseStrictSslSettings flag to configure allowed encryption protocols and cipher suites on Administration Server. Execute the following command in the command line under the root account:

    klscflag -fset -pv ".core/.independent" -s Transport -n SrvUseStrictSslSettings -v <value> -t d

    Specify the <value> parameter of the SrvUseStrictSslSettings flag:

    • 4—Only the TLS 1.2 and TLS 1.3 protocols are enabled. Also, cipher suites with TLS_RSA_WITH_AES_256_GCM_SHA384 are enabled (these cipher suites are needed for backward compatibility with Kaspersky Security Center 11). This is the default value.

      Cipher suites supported for the TLS 1.2 protocol:

      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-CHACHA20-POLY1305
      • AES256-GCM-SHA384 (cipher suite with TLS_RSA_WITH_AES_256_GCM_SHA384)
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES128-SHA256

      Cipher suites supported for the TLS 1.3 protocol:

      • TLS_AES_256_GCM_SHA384
      • TLS_CHACHA20_POLY1305_SHA256
      • TLS_AES_128_GCM_SHA256
      • TLS_AES_128_CCM_SHA256
    • 5—Only the TLS 1.2 and TLS 1.3 protocols are enabled. For the TLS 1.2 and TLS 1.3 protocols, the specific cipher suites listed below are supported.

      Cipher suites supported for the TLS 1.2 protocol:

      • ECDHE-RSA-AES256-GCM-SHA384
      • ECDHE-RSA-AES256-SHA384
      • ECDHE-RSA-CHACHA20-POLY1305
      • ECDHE-RSA-AES128-GCM-SHA256
      • ECDHE-RSA-AES128-SHA256

      Cipher suites supported for the TLS 1.3 protocol:

      • TLS_AES_256_GCM_SHA384
      • TLS_CHACHA20_POLY1305_SHA256
      • TLS_AES_128_GCM_SHA256
      • TLS_AES_128_CCM_SHA256

    We do not recommend using 0, 1, 2, or 3 as the parameter value of the SrvUseStrictSslSettings flag. These parameter values correspond to insecure TLS protocol versions (TLS 1.0 and TLS 1.1) and insecure cipher suites, and are used only for backward compatibility with earlier Kaspersky Security Center versions.

  3. Restart the following Kaspersky Security Center Linux services:
    • Administration Server
    • Web Server
    • Activation Proxy

As a result, traffic encryption by using the TLS protocol is enabled.

You can use the KLTR_TLS12_ENABLED and KLTR_TLS13_ENABLED flags to enable the support of the TLS 1.2 and TLS 1.3 protocols, respectively. These flags are enabled by default.

To enable or disable the support of the TLS 1.2 and TLS 1.3 protocols:

  1. Run the klscflag utility.

    Run the command line, and then change your current directory to the directory with the klscflag utility. The klscflag utility is located in the directory where the Administration Server is installed. The default installation path is /opt/kaspersky/ksc64/sbin.

  2. Execute one of the following commands in the command line under the root account:
    • Use this command to enable or disable the support of the TLS 1.2 protocol:

      klscflag -fset -pv ".core/.independent" -s Transport -n KLTR_TLS12_ENABLED -v <value> -t d

    • Use this command to enable or disable the support of the TLS 1.3 protocol:

      klscflag -fset -pv ".core/.independent" -s Transport -n KLTR_TLS13_ENABLED -v <value> -t d

    Specify the <value> parameter of the flag:

    • 1—To enable the support of the TLS protocol.
    • 0—To disable the support of the TLS protocol.

Kaspersky Endpoint Security for Linux: High protection without performance compromising
Detects and blocks advanced threats. Buy as part of Endpoint Security for Business Advanced.
Kaspersky Premium Support (MSA): High‑priority incident processing
Telephone and web ticket support. Fast response, monitoring and health check. Submit a request and activate the contract (MSA).
Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.