Encrypt communication with SSL/TLS

To fix vulnerabilities in your organization's corporate network, you can enable traffic encryption using SSL/TLS. You can enable SSL/TLS on Administration Server, iOS MDM Server, Kaspersky Security Center 11 Web Console, and Self Service Portal. Kaspersky Security Center supports SSL v3 as well as Transport Layer Security (TLS v1.0, 1.1, and 1.2). You can select the encryption protocol and cipher suites. Kaspersky Security Center uses self-signed certificates. Additional configuration of the iOS devices is not required. You can also use your own certificates. Kaspersky Lab specialists recommend using certificates issued by trusted certificate authorities.

Administration Server

To configure allowed encryption protocols and cipher suites on the Administration Server:

  1. Open the system registry of the client device that has Administration Server installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following hive:
    • For a 64-bit system:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\.core\.independent\Transport

    • For a 32-bit system:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\.core\.independent\Transport

  3. Create a key with the SrvUseStrictSslSettings name.
  4. Specify DWORD as the key type.
  5. Set the key value:
    • 0—All of the supported encryption protocols and cipher suites are enabled
    • 1—SSL v2 is disabled

      Cipher suites:

      • AES256-GCM-SHA384
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • SEED-SHA
      • CAMELLIA128-SHA
      • IDEA-CBC-SHA
      • RC4-SHA
      • RC4-MD5
      • DES-CBC3-SHA
    • 2—SSL v2 and SSL v3 are disabled (default value)

      Cipher suites:

      • AES256-GCM-SHA384
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • SEED-SHA
      • CAMELLIA128-SHA
      • IDEA-CBC-SHA
      • RC4-SHA
      • RC4-MD5
      • DES-CBC3-SHA
    • 3—only TLS v1.2.

      Cipher suites:

      • AES256-GCM-SHA384
      • AES256-SHA256
      • AES256-SHA
      • CAMELLIA256-SHA
      • AES128-GCM-SHA256
      • AES128-SHA256
      • AES128-SHA
      • CAMELLIA128-SHA
  6. Restart the Kaspersky Security Center 11 Administration Server service.

Kaspersky Security Center 11 Web Console and Self Service Portal

To configure allowed encryption protocols on the Kaspersky Security Center 11 Web Console and Self Service Portal:

  1. Open the httpd.conf file stored in the Apache Server work folder.

    For example, "<Disk>:\Program Files (x86)\KSC Apache 2.4\Apache2.4\conf\httpd.conf" with Notepad++

  2. Add lines 3 and 4 to the IfModule ssl_module section:
    • Line 1: <IfModule ssl_module>
    • Line 3: SSLEngine on
    • Line 4: SSLProtocol all -SSLv2 -SSLv3
    • Line N: </IfModule>
  3. Restart the Apache Server service.

To configure allowed cipher suites on the Kaspersky Security Center 11 Web Console and Self Service Portal:

  1. Open the httpd.conf file stored in the Apache Server work folder.

    For example, "<Disk>:\Program Files (x86)\KSC Apache 2.4\Apache2.4\conf\httpd.conf" with Notepad++

  2. Edit the string SSLCipherSuite ALL:!3DES:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL.

    For example, to prohibit the use of 3DES cipher suites, which are considered vulnerable, delete 3DES:! from the string:

    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

  3. Restart the Apache Server service.
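
A way to check an edited httpd.conf against the two procedures above, as an added example (not Kaspersky's code): it reads the ssl_module section, confirms that SSLProtocol leaves SSL v2 and SSL v3 off, and confirms that the cipher string carries a `!3DES` exclusion, since in OpenSSL cipher-list syntax only the `!` prefix removes suites permanently. The function names and the SAMPLE_CONF text are constructed for illustration; `all` is conservatively treated as including SSLv2 and SSLv3, and nested sections are not handled.

```python
import re

# Constructed sample: an ssl_module section built from the directives shown above.
SAMPLE_CONF = """\
<IfModule ssl_module>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ALL:!3DES:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
</IfModule>
"""
PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}

def directives(conf_text, section="ssl_module"):
    """Yield (lower-cased name, arguments) for directives inside <IfModule section>."""
    inside = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if re.fullmatch(rf"<IfModule\s+{re.escape(section)}\s*>", line, re.I):
            inside = True
        elif line.lower() == "</ifmodule>":
            inside = False
        elif inside and line and not line.startswith("#"):
            name, *rest = line.split(None, 1)
            yield name.lower(), (rest[0] if rest else "")

def enabled_protocols(args):
    """Apply SSLProtocol tokens left to right; 'all' means every name in PROTOCOLS."""
    enabled = set()
    for tok in args.lower().split():
        if tok[0] == "-":
            enabled.discard(PROTOCOLS.get(tok[1:]))
        elif tok[0] == "+":
            enabled.add(PROTOCOLS.get(tok[1:], tok[1:]))
        else:  # a bare token replaces whatever was set before it
            enabled = set(PROTOCOLS.values()) if tok == "all" else {PROTOCOLS.get(tok, tok)}
    return enabled

def audit(conf_text, banned=("SSLv2", "SSLv3"), must_exclude=("3DES",)):
    """Report banned protocols left enabled and cipher keywords lacking a '!' exclusion."""
    findings = []
    for name, args in directives(conf_text):
        if name == "sslprotocol":
            still_on = sorted(enabled_protocols(args) & set(banned))
            findings += [f"SSLProtocol leaves {p} enabled" for p in still_on]
        elif name == "sslciphersuite":
            # Only '!KEY' removes suites permanently; '+KEY' just moves them to the end.
            excluded = {t[1:] for t in args.split(":") if t.startswith("!")}
            findings += [f"SSLCipherSuite lacks !{k}" for k in must_exclude if k not in excluded]
    return findings
```

Call `audit()` on the text of the real httpd.conf after editing it; an empty list means both checks passed.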

iOS MDM Server

The connection between the iOS devices and the iOS MDM Server is encrypted by default.

To configure allowed encryption protocols and cipher suites on the iOS MDM Server:

  1. Open the system registry of the client device that has iOS MDM Server installed (for example, locally, using the regedit command in the Start → Run menu).
  2. Go to the following hive:
    • For a 64-bit system:

      HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

    • For a 32-bit system:

      HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Connectors\KLIOSMDM\1.0.0.0\Conset

  3. Create a key with the StrictSslSettings name.
  4. Specify DWORD as the key type.
  5. Set the key value:
    • 2—SSL v3 is disabled (TLS 1.0, TLS 1.1, TLS 1.2 are allowed)
    • 3—only TLS 1.2 (default value)
  6. Restart the Kaspersky Security Center 11 iOS MDM Server service.