I am accessing SoftLayer services, but all of a sudden this error message was thrown and all our services went down. I tried many methods found online, but none of them work. I guess it is an expired SoftLayer certificate issue. Any comments? Thanks.
That issue might be due to the TLS version you are currently using. There was a notification about this; check https://softlayer.github.io/release_notes/2018/20180301/ for more information. Versions 1.0 and 1.1 are no longer supported as of this past March 1.
I recommend upgrading to Java 8, as it uses TLS 1.2 by default. There are also ways to set the TLS version to 1.2 or higher in Java 7. Hope it helps.
Recently, we encountered a problem while installing one of our applications for a customer. During installation the application needs to perform some requests to our cloud service, and we realised it could not establish an HTTPS connection: the TLS handshake itself failed. After researching a bit we found the server was a Windows Server 2008, which does not support TLS v1.2, the minimum required to connect to our servers. There are some workarounds (this one, for instance), but none of them worked. In addition, we cannot install any update on that Windows server due to customer policies.
While looking for a solution, using Wireshark, we noticed that our program tried to connect using TLS v1.2 and failed, but the Chrome browser was able to connect to the same cloud server using TLS v1.3, which is not even supported on Windows Server 2008. From that we deduced that Chrome is likely using its own TLS stack to establish the connection.
I am wondering: if Chrome is doing that, we should also be able to do the same. The application is developed in .NET Core, and I have googled a lot looking for information on how to do this. I've found lots of information on how to configure TLS certificates in .NET Core, but none on replacing the TLS stack with, say, OpenSSL or others. I do know this is possible in Java, so is it possible to replace the TLS stack in .NET Core?
.NET Core itself doesn't let you plug in your own crypto stack.
You pointed to Bouncy Castle as an example of Java letting you use an alternate crypto stack; there's a port of Bouncy Castle to C#/.NET as well.
Their source code has a test case that demonstrates how to write a TLS client using Bouncy Castle:
https://github.com/bcgit/bc-csharp/blob/master/crypto/test/src/crypto/tls/test/TlsClientTest.cs
I'm using Liferay 6.2 CE GA2 Framework which is running on JDK7.
While calling the Discourse Forum API using Apache HttpClient it throws the exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.
I think this is because JDK7 doesn't implement any GCM cipher suite.
And Discourse Forum is configured with SSL Protocol: TLSv1.2 and Strong Cipher Suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
How can I resolve this issue? Or is there any other way to call the Discourse API from the Java platform?
Thanks,
Saurabh Khandelwal
First of all: Before you fix this problem, you really need to upgrade and patch.
Which also might bring you closer to a solution: The compatibility matrix for Liferay EE 6.2 lists Java 8 as compatible - I'm not sure when this came in, but there's a good chance that the later GA versions in CE are also compatible. With that, you should have a newer set of TLS algorithms.
Otherwise you'd have to ask the Discourse admins to enable some algorithm that's compatible with your Java version.
(Disclaimer: I've not checked available algorithms in Java7, but it sounds like an unsupported algorithm is indeed a plausible root cause)
Did I mention that you really should update urgently?
Our payment team has asked us to upgrade from TLS 1.0 to TLS 1.2 as part of their security measures. If we haven't updated, we will face issues with payments on our website. Please let us know how this is done on a cPanel/WHM server.
Thanks
I encountered the same problem, and found the solution...
In WHM, search for "cPanel Web Services Configuration" located under "Service Configuration".
You'll want to add :!TLSv1 at the end of the protocol string. This forces it to use a newer version.
Ideally you'll want to test this on a development server first, as it may break your SSL/payment processing if the server is not up to date and cannot use the newer version. There are fallbacks, but it's always best to test first!
While you are here as well, you can harden your ciphers. A great tutorial on this can be found here:
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
cPanel Official Documentation:
https://documentation.cpanel.net/display/CKB/How+to+Adjust+Cipher+Protocols
Thank you for this. Exactly what I needed :)
"WHM(cPanel) --> Service Configuration --> cPanel Web Services Configuration"
To make life easier on the next guy...
The following settings should pass compliance:
(Cipher List):
HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128
(TLS/SSL Protocols):
SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11
This will only allow TLSv1.2 connections with the strongest ciphers.
Don't forget to restart cpanel services after making the changes.
Where would we be without our compliance officers keeping the internet safe ;}
I have an Ubuntu 16.04 server and I would like to know which version of TLS is already installed on my server.
And how to upgrade to version 1.3 if the installed version is under v1.3.
Thank you
While you don't specify it you are probably asking about the TLS support in your web and/or mail server. For the common servers on Linux the support is implemented with OpenSSL. Since you are using Ubuntu 16.04 you by default have OpenSSL version 1.0.2 which supports TLS up to TLS 1.2. But note that configuration of the servers might cause the actual protocol support to be limited.
There is no official TLS 1.3 yet, i.e. the protocol is still not finalized. Support for TLS 1.3 is expected to be available in OpenSSL 1.1.1 which is still in development.
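As an added example (not from any of the answers above), the following Python script, run on the server itself, reports the OpenSSL version Python is linked against and whether TLS 1.3 is available, and expands the cPanel cipher list and protocol string from the earlier WHM answer into the suites and protocol versions they actually leave enabled. The cPanel token-to-version mapping is an assumption; everything else uses only the standard ssl module.

```python
import ssl

# Values taken from the cPanel/WHM answer on this page.
CPANEL_CIPHER_LIST = "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
CPANEL_PROTOCOLS = "SSLv23:!SSLv2:!SSLv3:!TLSv1:!TLSv11"

# Assumed mapping of cPanel protocol tokens to ssl.TLSVersion members.
# SSLv2 has no member: modern OpenSSL cannot speak it at all.
_TOKEN_TO_VERSION = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv11": ssl.TLSVersion.TLSv1_1,
    "TLSv12": ssl.TLSVersion.TLSv1_2,
    "TLSv13": ssl.TLSVersion.TLSv1_3,
}


def openssl_summary():
    """Which OpenSSL this Python is linked against and whether it can do TLS 1.3."""
    return {"openssl": ssl.OPENSSL_VERSION, "tls13": ssl.HAS_TLSv1_3}


def allowed_versions(protocol_string):
    """Parse 'SSLv23:!SSLv2:!SSLv3:...' (SSLv23 = everything, '!' = remove)
    into the protocol versions that remain enabled."""
    tokens = protocol_string.split(":")
    if tokens[0] != "SSLv23":
        raise ValueError("expected the list to start with SSLv23")
    enabled = dict(_TOKEN_TO_VERSION)
    for tok in tokens[1:]:
        if not tok.startswith("!"):
            raise ValueError("unexpected token: " + tok)
        enabled.pop(tok[1:], None)  # '!SSLv2' removes nothing, harmlessly
    return sorted(enabled.values())


def build_context(protocol_string, cipher_list):
    """Client context mirroring the cPanel settings (oldest allowed version
    becomes the floor; the cipher string is applied unchanged)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = allowed_versions(protocol_string)[0]
    ctx.set_ciphers(cipher_list)
    return ctx


def suites_report(ctx):
    """Split negotiable suites into those the cipher string governs (TLS <= 1.2)
    and the TLS 1.3 suites, which OpenSSL cipher strings do NOT restrict."""
    suites = ctx.get_ciphers()
    pre13 = [c["name"] for c in suites if c["protocol"] != "TLSv1.3"]
    tls13 = [c["name"] for c in suites if c["protocol"] == "TLSv1.3"]
    return pre13, tls13
```

Note that TLS_AES_128_GCM_SHA256 still shows up in the TLS 1.3 list even though the cipher string excludes AES128: on OpenSSL 1.1.1 and later the TLS 1.3 suites are configured separately, so the cPanel cipher list only governs TLS 1.2 and older.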
Sniffing the packets with an application like Wireshark would reveal the information; the protocol version used in a connection is in the ServerHello message. Or use the http://ssl-checker.online-domain-tools.com tool to verify.
I would suggest that you use the SSL test website by Qualys. If you ran your webserver with SSLProtocol +All for just a quick test, it would tell you what SSLProtocols are being served with your pages and a recommendation on which ones should and should not be used.
On a side note, I made a recurring task to test my sites; I found something even today that had changed since I last checked 3 months ago.
https://www.ssllabs.com/ssltest/index.html
We have clients who can be using anything: Windows XP, Vista, Linux...
Currently our systems support SSLv2 and SSLv3. But we are planning to disable both SSLv2 and SSLv3 in Windows Server 2008 R2 in favour of TLS 1.2.
Will it cause any breaking changes for the end user? I'm worried that if I disable SSLv3 (and SSLv2), some of the clients who use Windows XP (for example) might not be able to access my web service.
PS: Tried to find a similar question in stackoverflow, didn't find any. So, posting this as a question. :)
This is one of the scenarios where you will NOT be able to support old clients using insecure protocols and expect to have decent security.
If you have not enabled TLS 1.2 yet, do so.
Some clients do not support TLS 1.2 (e.g., older Android versions). You may need to support TLS 1.0 and 1.1 in addition to 1.2. While not ideal, it is definitely better than supporting SSL 2.0 and 3.0.
Post an announcement indicating that your web service is being upgraded to meet minimum security requirements and set a date for retiring insecure protocols.
Optionally, check your server metrics to see what protocols/ ciphers are used. Since you haven't mentioned your web server, I'm assuming it is IIS, in which case this is not easy[1][2].
Retire SSL 2.0 and SSL 3.0. There will be a few clients who will not be able to connect. Plan to have an answer ready for them. If you have clients running XP and using IE6, they have bigger issues than not being able to access your web service.
While you are at it, run your TLS configuration through an online scanner like SSL Labs to ensure you fix any other issues.