Michael Shaheen

Blocking TLS v1.1 and earlier in SugarCloud

Blog post created by Michael Shaheen on Jul 10, 2019

We intend to disable support for TLS v1.1 and older in the SugarCloud. This is consistent with the rest of the industry, but it may break some Sugar integrations that connect to the SugarCloud. If you host Sugar on-site, you should consider taking the same step and disabling TLS v1.1 and earlier on your own web servers.

Read on to learn more.

TLS/SSL Vulnerabilities

The SSL (“Secure Sockets Layer”) protocol was invented by Netscape in the mid-1990s as a method for securing communications over a computer network. It provides the “S” in HTTPS, which is used to secure all HTTP traffic to Sugar web servers. As you might expect of security technology that is nearly 25 years old, there have been quite a few revisions and improvements to the original design over time. SSL v3.0 came out in 1996, only a couple of years after SSL itself was first published, and SSL was later succeeded by TLS (“Transport Layer Security”), which has itself seen several iterations.

Protocol   Published     Status
SSL 1.0    Unpublished   Unpublished
SSL 2.0    1995          Deprecated in 2011 (RFC 6176)
SSL 3.0    1996          Deprecated in 2015 (RFC 7568)
TLS 1.0    1999          Deprecation planned in 2020
TLS 1.1    2006          Deprecation planned in 2020
TLS 1.2    2008          In use
TLS 1.3    2018          In use

Courtesy of Wikipedia

With most technology, the penalty for not adopting the latest and greatest is mostly FOMO (“fear of missing out”). Cryptographic protocols are different: they are used for target practice by white-hat and black-hat security researchers the world over, so running an out-of-date cryptographic protocol compounds FOMO with FOLE (“fear of losing everything”).

The value of a TLS/SSL protocol version is inversely proportional to the number of holes that have been punched in it. Some of those holes have names: POODLE exploits the CBC padding handling in SSL 3.0, and BEAST exploits the predictable CBC initialization vectors in TLS 1.0. In response, the industry has kept adding newer and stronger protocol versions (TLS 1.1 introduced explicit IVs that close the BEAST weakness, and TLS 1.2 added authenticated encryption cipher suites).

The industry is dropping support of old TLS versions

SSL is REALLY old, so hopefully nobody is still using it. There is still plenty of code out there using older versions of TLS, however. The PCI Data Security Standard requires all connections to use TLS v1.1 or higher and strongly recommends TLS v1.2 or higher. Even the browser vendors, who are loath to drop features that could impact website compatibility (and market share), have agreed to drop support for TLS v1.0 and v1.1 in 2020.

As a result, we are considering the right time to disable support for TLS v1.1 and older for connections to the SugarCloud, so that we stay in step with the rest of the industry. This may impact some Sugar integrations that connect to the SugarCloud.

Make sure your REST API integrations are using TLS v1.2+

If you are using a modern web browser, it is unlikely that you will run into any problems connecting to Sugar instances. However, REST API integrations built on old client libraries or runtimes are liable to negotiate these older protocols. As a rule of thumb, if your integration runs on software that is ten or more years old, expect some of the problems described below.

In particular, please take extra care if you are using any of the following technology with your Sugar integration.

Client                   Preferred runtime
Apache HttpComponents    Use latest Java 8 or greater
RestSharp                Use latest .NET 4.7 or greater
cURL and OpenSSL (PHP)   Use OpenSSL 1.0.1 or greater (TLS v1.2 support was added in 1.0.1); PHP 7.1 or greater

If you aren’t sure, capture the connection with a network analyzer such as tcpdump or Wireshark and read the version from the TLS handshake: the ClientHello shows which versions your integration offers, and the ServerHello shows which one was actually negotiated. Look at the version fields inside the handshake messages rather than the record-layer header, which clients may set to TLS 1.0 for compatibility regardless of what they support.
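The following is an added example for this post (not code from Sugar) that does the handshake inspection described above: give it the raw bytes of the first TLS record a client or server sends, and it reports the versions offered by a ClientHello or the version selected by a ServerHello, including the TLS 1.3 supported_versions extension that the legacy version fields do not reveal. The four sample records are constructed by hand for the example, not captured from a live system.

```python
"""Read the TLS version from a captured handshake record.

Added example for this post, not code from Sugar. Feed it the raw TCP payload
of the first packet after the three-way handshake (tcpdump -X, or Wireshark's
"Copy as Hex Stream"). All sample records below are constructed by hand for
this example, not captured from a live system.
"""
import struct

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 22, 1, 2, 43


def _name(code):
    return VERSIONS.get(code, "unknown(0x%04x)" % code)


def parse_hello(record):
    """Return the versions a ClientHello offers or the one a ServerHello selects."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + rec_len]
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    legacy_version = struct.unpack("!H", hs[:2])[0]
    pos = 2 + 32                       # skip legacy_version and random
    pos += 1 + hs[pos]                 # session_id
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
    elif hs_type == SERVER_HELLO:
        pos += 2 + 1                   # one cipher suite, one compression method
    else:
        raise ValueError("handshake type %d is not a Hello" % hs_type)

    # Up to TLS 1.2 the version is the legacy_version field. A TLS 1.3 peer
    # leaves 0x0303 there and puts the real list in supported_versions (43).
    versions = [legacy_version]
    if pos < len(hs):
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            data = hs[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SUPPORTED_VERSIONS:
                continue
            if hs_type == CLIENT_HELLO:   # one length byte, then 2-byte versions
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
            else:                         # ServerHello carries the chosen version
                versions = [struct.unpack("!H", data[:2])[0]]

    if hs_type == SERVER_HELLO:
        return {"message": "ServerHello", "negotiated": _name(versions[0])}
    return {"message": "ClientHello",
            "record_version": _name(rec_ver),   # often 0x0301 regardless; ignore it
            "offered": [_name(v) for v in sorted(versions)],
            "highest": _name(max(versions)),
            "tls12_capable": max(versions) >= 0x0303}


# Constructed sample records (hex), not real captures.
# 1. Legacy client: record and handshake versions both 0x0301, no extensions.
OLD_CLIENT_HELLO = bytes.fromhex(
    "160301002f" "0100002b" "0301" + "11" * 32 + "00" "0004002f000a" "0100")
# 2. TLS 1.3 client: the record layer still says 0x0301 and legacy_version
#    says 0x0303, but supported_versions lists TLS 1.3 and TLS 1.2.
NEW_CLIENT_HELLO = bytes.fromhex(
    "160301003a" "01000036" "0303" + "22" * 32 + "00" "00041301c02f" "0100"
    "0009" "002b0005" "0403040303")
# 3. Server answering with TLS 1.2 (no extensions).
SERVER_HELLO_12 = bytes.fromhex(
    "160303002a" "02000026" "0303" + "33" * 32 + "00" "c02f" "00")
# 4. Server answering with TLS 1.3 via supported_versions.
SERVER_HELLO_13 = bytes.fromhex(
    "1603030032" "0200002e" "0303" + "33" * 32 + "00" "1301" "00"
    "0006" "002b0002" "0304")

if __name__ == "__main__":
    for label, rec in [("old client", OLD_CLIENT_HELLO), ("new client", NEW_CLIENT_HELLO),
                       ("server 1.2", SERVER_HELLO_12), ("server 1.3", SERVER_HELLO_13)]:
        print(label, parse_hello(rec))
```

The second sample is the case that trips people up when reading a capture: its record-layer version is 0x0301 (TLS 1.0) and its legacy_version is 0x0303, yet the client is fully TLS 1.3 capable. Only the supported_versions extension tells the truth, which is why the parser reports the highest offered version rather than either header field.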

Take the following steps if you believe your integration is affected.

  • If applicable, upgrade to newer runtime environments for your integrations
    • Ex. Upgrade to Java 8 or newer or to .NET 4.6 or newer
  • Upgrade to the latest HTTP client library versions
    • Ex. HttpComponents v4.4.11+ is compatible with the TLS v1.3 implementation found in Java 11
  • Configure your HTTP clients to require TLS v1.2 or newer

How to disable TLS v1.1 and earlier for Sugar on-site installations

You will typically configure the web server with the versions of TLS/SSL that it will accept for your Sugar instance.

For Apache, the allowed versions of TLS are configured with mod_ssl’s SSLProtocol directive; the usual pattern is to disable all protocols and then enable only TLSv1.2 (and TLSv1.3 where your httpd and OpenSSL builds support it).

For IIS, the allowed versions of TLS are configured using the TLS Registry Settings, i.e. the per-protocol Client and Server keys under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols; disable TLS 1.0 and TLS 1.1 there and reboot for the change to take effect. Note that these keys affect every Schannel application on the host, not just IIS.
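Once you have changed the server configuration, verify it from the outside rather than trusting the config file. The following is an added example for this post (not code from Sugar): it sends a bare ClientHello for each of SSL 3.0 through TLS 1.2 and reports whether the server answered with a ServerHello (and which version it chose) or refused the connection. The host name "sugar.example.com" is a placeholder for your on-site server, and the two sample replies at the bottom are constructed for the example.

```python
"""Actively check which protocol versions a server still accepts by sending a
bare ClientHello for each version and classifying the reply.

Added example for this post, not code from Sugar. "sugar.example.com" is a
placeholder for your on-site host; the sample replies at the bottom are
constructed for this example.
"""
import os
import socket
import struct
import sys

VERSIONS = {"SSL 3.0": 0x0300, "TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 112: "unrecognized_name"}


def _ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(version, server_name):
    """ClientHello for SSL 3.0 - TLS 1.2 with SNI, ECDHE groups and signature
    algorithms, so a modern server has something to agree on. TLS 1.3 needs
    supported_versions and key_share; use openssl s_client -tls1_3 for that."""
    # ECDHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA, AES128-SHA, DES-CBC3-SHA
    suites = bytes.fromhex("c02f" "c013" "002f" "000a")
    name = server_name.encode("ascii")
    exts = (_ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # server_name
            + _ext(10, struct.pack("!HHH", 4, 0x0017, 0x001d))               # supported_groups: P-256, x25519
            + _ext(11, b"\x01\x00")                                           # ec_point_formats: uncompressed
            + _ext(13, struct.pack("!H", 6) + bytes.fromhex("040108040403")))  # signature_algorithms
    hello = (struct.pack("!H", version) + os.urandom(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake


def classify_reply(reply):
    """Interpret the first record the server sends back."""
    if len(reply) < 5:
        return "refused (connection closed without a TLS reply)"
    ctype = reply[0]
    if ctype == 21 and len(reply) >= 7:            # alert record: level, description
        return "refused (alert %s)" % ALERTS.get(reply[6], str(reply[6]))
    if ctype == 22 and reply[5] == 2:              # handshake record carrying a ServerHello
        chosen = struct.unpack("!H", reply[9:11])[0]
        names = {code: name for name, code in VERSIONS.items()}
        return "accepted (server chose %s)" % names.get(chosen, "0x%04x" % chosen)
    return "unexpected record type %d" % ctype


def probe(host, port, version_name, timeout=5.0):
    """Offer exactly one legacy_version to the server and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(VERSIONS[version_name], host))
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_reply(reply)


# Constructed replies for offline checks, not captured from a real server.
ALERT_REPLY = bytes.fromhex("15030200020246")        # fatal protocol_version alert
SERVER_HELLO_REPLY = bytes.fromhex(                  # ServerHello choosing TLS 1.2
    "160303002a" "02000026" "0303" + "33" * 32 + "00" "c02f" "00")

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "sugar.example.com"   # placeholder
    for name in VERSIONS:
        print("%-8s %s" % (name, probe(host, 443, name)))
```

After disabling TLS v1.1 and earlier, the SSL 3.0, TLS 1.0 and TLS 1.1 probes should all come back "refused" (typically a protocol_version alert or a closed connection) and only the TLS 1.2 probe should be accepted. Two readings need care: a server that still supports an older version may answer a TLS 1.1 probe by choosing TLS 1.0, which the output shows explicitly, and a handshake_failure alert can mean "no cipher suite in common" rather than "version refused", so confirm with openssl s_client before concluding a version is off.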

Connections using TLS v1.1 or earlier will break

Only 6% of web traffic in SugarCloud uses an out-of-date version of TLS, so we are moving aggressively to ensure that SugarCloud will only support TLS v1.2+ in the future.

We will provide more updates as we build a timeline for making this change.
