Disable TLS 1.0

Cylosoft
Posts: 6
Joined: Wed Feb 19, 2014 12:51 pm

Disable TLS 1.0

Post by Cylosoft » Sun Apr 24, 2016 3:29 pm

Does Vault work with TLS 1.0 disabled?

I used IIScrypto to disable. The Vault web admin works. Vault web service works in browsers. The Vault client always says:
Unable to connect to https://<myserver.removed>/VaultService. No server was found at the specified URL. Please verify your network settings using the Options dialog under the Tools menu in the Vault GUI Client. Web Exception: The underlying connection was closed: An unexpected error occurred on a send.
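The symptom above (browser connects, the Vault client does not, once TLS 1.0 is switched off in IIS) is what you see when a client's HTTP stack offers TLS 1.0 as its highest version. One way to confirm that from a packet capture is to decode the first record the client sends, the ClientHello, and compare the versions it offers against what the server still has enabled. The following is an added example, not code from the original thread or from SourceGear; the two sample ClientHellos are constructed inline (not captures), and the assumption that the legacy client offers only TLS 1.0 is this example's, not a statement from the thread.

```python
"""Decode a TLS ClientHello record and predict whether a server with a given
set of enabled protocol versions can complete the handshake with it.

Added example, not part of the original forum thread. Sample hellos are
constructed by build_client_hello(); they are not real captures.
"""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_client_hello(record: bytes) -> dict:
    """Return client_version and, if present, the supported_versions list
    from a TLS handshake record carrying a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")

    client_version = struct.unpack("!H", hello[0:2])[0]
    pos = 2 + 32                                   # skip client random
    pos += 1 + hello[pos]                          # session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hello[pos]                          # compression methods

    supported = None
    if pos + 2 <= len(hello):                      # extensions are optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_data_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + ext_data_len]
            pos += ext_data_len
            if ext_type == EXT_SUPPORTED_VERSIONS:
                n = data[0]                        # byte length of the version list
                supported = [struct.unpack("!H", data[1 + i:3 + i])[0]
                             for i in range(0, n, 2)]
    return {"client_version": client_version, "supported_versions": supported}


def negotiated_version(record: bytes, server_enabled: set) -> int:
    """Version the server would pick, or None if no common version exists.
    Without supported_versions the server picks its highest enabled version
    not above client_version (the pre-TLS-1.3 rule)."""
    info = parse_client_hello(record)
    if info["supported_versions"] is not None:
        common = [v for v in info["supported_versions"] if v in server_enabled]
    else:
        common = [v for v in server_enabled if v <= info["client_version"]]
    return max(common) if common else None


def build_client_hello(client_version: int, supported_versions=None) -> bytes:
    """Construct a minimal ClientHello record (constructed test input)."""
    hello = struct.pack("!H", client_version) + bytes(32)   # version + zero random
    hello += b"\x00"                                        # empty session id
    suites = b"\x00\x2f\x00\x35"                            # two RSA/AES-CBC suites
    hello += struct.pack("!H", len(suites)) + suites
    hello += b"\x01\x00"                                    # one compression method: null
    if supported_versions is not None:
        data = bytes([2 * len(supported_versions)])
        data += b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


# Assumed server states: IIS before and after disabling SSL 2/3 and TLS 1.0.
IIS_BEFORE = {0x0301, 0x0302, 0x0303}
IIS_AFTER = {0x0302, 0x0303}
# Assumed clients: a legacy stack whose highest version is TLS 1.0, and a
# modern browser advertising TLS 1.1 through 1.3 via supported_versions.
LEGACY_HELLO = build_client_hello(0x0301)
MODERN_HELLO = build_client_hello(0x0303, [0x0304, 0x0303, 0x0302])

if __name__ == "__main__":
    for name, hello in (("legacy client", LEGACY_HELLO), ("modern client", MODERN_HELLO)):
        for label, enabled in (("before", IIS_BEFORE), ("after", IIS_AFTER)):
            v = negotiated_version(hello, enabled)
            print(f"{name} vs IIS {label}: {VERSION_NAMES.get(v, 'handshake fails')}")
```

Feed parse_client_hello() the raw bytes of the first TLS record from the Vault client's connection (exported from a capture) to see what it offers; a client_version of 0x0301 with no supported_versions extension cannot negotiate anything once TLS 1.0 is disabled, which is the failure the thread describes.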

Beth
Posts: 8550
Joined: Wed Jun 21, 2006 8:24 pm
Location: SourceGear

Re: Disable TLS 1.0

Post by Beth » Mon Apr 25, 2016 8:27 am

Vault doesn't currently work with TLS 1.0 disabled. I have received your email and will be discussing this further with developers.
Beth Kieler
SourceGear Technical Support

Re: Disable TLS 1.0

Post by Cylosoft » Mon Apr 25, 2016 9:37 am

Due to PCI requirements June 30 is the last day for TLS 1. Basically the entire world is working on dropping it. We need some time to be out in front of it.

Thanks for looking into it with your devs.

Re: Disable TLS 1.0

Post by Beth » Mon Apr 25, 2016 1:54 pm

Security is paramount for Vault, and SourceGear is not dismissing concerns over the use of TLS 1.0 within Vault's implementation of SSL connectivity. We understand PCI DSS has updated their recommendation (http://www.eweek.com/security/companies ... liant.html) and suggests discontinuing use of TLS 1.0 by June of 2018. We are currently researching the issues and will update Vault with support for newer versions of TLS in a future release well before that date.

In the meantime, at this time Microsoft's TLS implementation within IIS has been patched against any of the known reported vulnerabilities. Please disable SSL2 and SSL3 for the IIS Server which is hosting the Vault Server, and ensure the Operating System for the Vault Server is up to date with the latest security patches from Microsoft.
Beth Kieler
SourceGear Technical Support

Re: Disable TLS 1.0

Post by Cylosoft » Mon Apr 25, 2016 2:06 pm

The original date was June 2016. Yes it got pushed back to 2018.

But we use Trustwave and most of our customers do. They started failing sites a year ago for supporting TLS 1.0. You had to put a plan in place (saying when you'll fix it) and file it with them to get an exemption.

Last week we had a customer fail TLS 1.0 and so in putting in the exemption request I asked them if the deadline had moved beyond June 30, 2016 and they said no.

The support response could be wrong. Or they could have decided to not move the date to pass their own PCI scans. I guess we can wait and see. Trustwave is huge and for us we have to pass it.

Re: Disable TLS 1.0

Post by Beth » Mon Apr 25, 2016 2:51 pm

How does Trustwave relate to Vault? We aren't familiar enough with Trustwave, plus they have a lot of products. Knowing which one you are using might help.

Or is it a case where your customers are running Vault and you connect to them?

From what we can see right now, the change would require completely dropping the 2.0 .Net framework, which will require a lot of other changes to happen at the same time.
Beth Kieler
SourceGear Technical Support

Re: Disable TLS 1.0

Post by Cylosoft » Mon Apr 25, 2016 3:05 pm

Trustkeeper is the product. It does PCI compliance. It seems like nearly every merchant provider requires it. Comodo HackerGuardian seems to be the only other compliance product I see regularly.

If you have a merchant account and don't pass TrustKeeper scans you pay fines.

We make all of our servers pass it for several reasons. One is just to give our customers peace of mind. Another is that a lot of larger companies' contracts have started to require that the software dev pass PCI compliance or something similar. So we have contracts that would require our Vault server to pass a scan and be compliant.

I'm going to contact Trustwave again to see what the deal is.

You might look at this: https://support.microsoft.com/en-us/kb/3135244 There is a hotfix for .NET 2 in the client components section. I'd assume you'd have to get customers to install it, though. So it would be a tough sell to just do for everyone. Maybe it's a setting in Vault, so customers who want to run without TLS 1.0 can, and they would need to install the right hotfixes.

Thanks for looking at it.

Re: Disable TLS 1.0

Post by Beth » Mon Apr 25, 2016 3:37 pm

Thanks for the link, but that is for SQL Server. Our client doesn't connect directly to the SQL Server. Our client connects to IIS.
Beth Kieler
SourceGear Technical Support

Re: Disable TLS 1.0

Post by Cylosoft » Mon Apr 25, 2016 4:10 pm

Yeah, I'm well aware of the web service. I even mentioned it right out of the gate, as it appeared to work in a browser. But for all I know, when the client app connects, the web service (which is a client to SQL at that point) isn't working. I don't know where you have this legacy code hanging around. Sorry for sending any links; it sounds like you all have this covered and we can look forward to an update in a couple of years.

jclausius
Posts: 3702
Joined: Tue Dec 16, 2003 1:17 pm
Location: SourceGear

Re: Disable TLS 1.0

Post by jclausius » Tue Apr 26, 2016 7:05 am

Cylosoft wrote:
> ...and we can look forward to an update in a couple of years.

It is understood the bind you're in. However, the problem is a bit more complicated due to some internal libraries used between all of the Vault clients and the HTTP web requests. It is going to take some time to engineer a solution and still allow the shared libraries to operate.

But support for TLS 1.1/1.2 won't take anywhere near 24 months. It is hard to give an exact date because we haven't thoroughly researched all options on how to resolve the issue, and still maintain a single code base. But tentatively, this should be sorted out in the next major release of Vault.
Jeff Clausius
SourceGear