Applies To:
Venafi Trust Protection Platform 22.1 and higher
Summary:
Venafi Trust Protection Platform uses outbound SSH communication for the TLS Protect and SSH Protect products for:
TLS Protect
- Agentless Push Provisioning of TLS certificates to target systems
- Onboard Discovery of target systems to find TLS Certificates
- Management of Certificate Trust Stores on target systems
- Daily Installation Validation of TLS certificates to ensure the correct certificate is installed on the expected target system with expected configuration
SSH Protect
- Agentless Discovery of User Private Keys, Server Private Keys, Authorized Key files, and Known Host files
- Agentless rotation of User and Server Private Keys and updating the authorized key and known host files.
- Agentless installation and rotation of SSH Certificates
The available Ciphers, HMACs, Key Exchanges, and Public Keys available to establish a successful SSH connection is dependent upon a number of facts:
- SSH configuration and support of the target system
- Version of Trust Protection Platform (namely are you on 22.1 or higher or 21.4 or lower?)
- Do you have Common Criteria Compliant registry values enabled?
See end of this article for more detail
Information about the Table below: New HMACs, Key Exchanges, and Public Keys that were added in Trust Protection Platform 22.1 are denoted below. These additions are not available for backport or patching to previous versions.
Category |
SSH Identifier |
New in 22.1+ |
CC |
General |
RFC |
Ciphers |
3des-cbc | ✔️ | |||
| aes128-cbc | ✔️ | ✔️ | |||
| aes192-cbc | ✔️ | ||||
| aes256-cbc | ✔️ | ✔️ | |||
| 3des-ctr | ✔️ | ||||
| aes128-ctr | ✔️ | ✔️ | RFC 4344 | ||
| aes192-ctr | ✔️ | ||||
| aes256-ctr | ✔️ | ✔️ | RFC 4344 | ||
HMACs |
hmac-sha2-256 | ✔️ | ✔️ | RFC 6668 | |
| hmac-sha2-256-etm | ✔️ | ✔️ | |||
| hmac-sha2-384 | ✔️ | ||||
| hmac-sha2-512 | ✔️ | ✔️ | RFC 6668 | ||
| hmac-sha2-512-etm | ✔️ | ✔️ | |||
| hmac-sha1 | ✔️ | ||||
Key Exchanges |
curve25519-sha256 | ✔️ | ✔️ | ✔️ | RFC 8731 |
| curve25519-sha256@libssh.org | ✔️ | ✔️ | |||
| curve448-sha512 | ✔️ | ✔️ | RFC 8731 | ||
| ecdh-sha2-nistp256 | ✔️ | ✔️ | ✔️ | RFC 5656 | |
| ecdh-sha2-nistp384 | ✔️ | ✔️ | ✔️ | RFC 5656 | |
| ecdh-sha2-nistp521 | ✔️ | ✔️ | ✔️ | RFC 5656 | |
| diffie-hellman-group18-sha512 | ✔️ | ✔️ | RFC 8268 | ||
| diffie-hellman-group16-sha512 | ✔️ | ✔️ | RFC 8268 | ||
| diffie-hellman-group14-sha256 | ✔️ | ✔️ | RFC 8268 | ||
| diffie-hellman-group14-sha1 | ✔️ | ||||
| diffie-hellman-group1-sha1 | ✔️ | ||||
Public Keys |
ssh-rsa | ✔️ | ✔️ | ||
| rsa-sha2-256 | ✔️ | ✔️ | ✔️ | RFC 8332 | |
| rsa-sha2-512 | ✔️ | ✔️ | ✔️ | RFC 8332 | |
| ecdsa-sha2-nistp256 | ✔️ | ✔️ | RFC 5656 | ||
| ecdsa-sha2-nistp384 | ✔️ | ✔️ | RFC 5656 | ||
| ecdsa-sha2-nistp521 | ✔️ | ✔️ | RFC 5656 | ||
| ssh-ed25519 | ✔️ | ✔️ | RFC 8709 |
Note: In earlier versions of Trust Protection Platform, hmac-sha1 and diffie-hellman-group14-sha1 were enabled in Common Criteria mode. These have been removed from the Common Criteria list in TPP versions 22.1 or higher. Also, hmac-ripemd160 was removed completely in 22.1.
Common Criteria Compliance:
In order to configure Venafi Trust Protection Platform to only use Common Criteria compliant SSH algorithms for outbound SSH communication, you must:
Put the following lines in Windows Notepad and save as a *.reg file
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Venafi\Platform]
"Common Criteria Compliant"=dword:00000001
You must apply the registry file to all Venafi Servers in your environment.
Error Scenario:
If you see an error message similar to the one below, you need to upgrade Trust Protection Platform to 22.1 or higher.
The SSH library failed to connect to {Target System} on port 22, with the Connection Result 9: Failed to negotiate a transport component [diffie-hellman-group14-sha1] [curve25519-sha256]
This message indicates that Trust Protection Platform could not find an algorithm that was supported by both TPP and the remote server.
Comments