SSL/TLS Encryption EB website

Hi Team,

Can you please advise if enabling TLS or disabling SSL from the registry could have an implication for EB Website behaviour, please?

Thanks

Steph

  • Reply from our Yammer group:

    Dainius Pavilonis 
     
     Disclaimer: I presume this is about the recent push to disable SSL3/TLS1.0 (Enhancement 941333:[Security] TLS firedrill, disable SSL3/TLS1.0). I am not 100% confident in the statements below - developer comment wanted.

    If SSL3/TLS1.0 is disabled, the outcome will depend on eB version and the protocol used by eB Web to communicate with eB Core Server:
     * If eB v15.6 or earlier, then it should have no effect.
     * If eB v16.1-16.6 then it will work/fail depending on primary transport protocol used by eB Core server. TCP protocol(default) will continue working but HTTPS(optional) will fail - eB server won't communicate with eB Web.
     * If eB v16.7.1-16.7.14 then eB server won't communicate with eB Web as it is HTTPS-only.
     * eB v16.7.15 and later supports TLS1.1+. Encryption of higher degree will be used for communication over HTTPS if SSL3/TLS1.0 is disabled.

    Lambert Brink  in reply to Dainius Pavilonis  
       
    This is mostly accurate - it'll depend on exactly what gets modified around TLS/SSL, I'd say the behavior in some earlier eB versions is undefined because whatever settings are being changed here wouldn't have been tested for in the past so the applications may break.

     The one statement we can make is 16.7.15 and later supports TLS1.1-1.2.
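
Since the outcome discussed above depends on exactly which TLS/SSL registry settings get changed, a read-only audit of the Windows SCHANNEL protocol keys on the eB Web and eB Core hosts records the starting state before anything is disabled. This is an added example, not part of the original thread or of the product's tooling; it assumes the standard SCHANNEL registry location, and the function name `Get-SchannelProtocolState` is hypothetical.

```powershell
# Added example: read-only audit of SCHANNEL protocol overrides. It changes nothing.
# Assumption: protocol overrides live under the standard SCHANNEL key below.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles     = 'Server', 'Client'

# Hypothetical helper: report the explicit setting for one protocol/role pair.
function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [string] $Role
    )
    $path    = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = $null
    $dbd     = $null
    # A missing key or missing value means no override: the OS default applies,
    # and that default differs between Windows versions.
    $state   = 'OS default (no override)'

    if (Test-Path -LiteralPath $path) {
        $props   = Get-ItemProperty -LiteralPath $path
        $enabled = $props.Enabled
        $dbd     = $props.DisabledByDefault
        if ($null -ne $enabled) {
            # Enabled = 0 disables the protocol; any non-zero value
            # (1 or 0xFFFFFFFF) enables it.
            $state = if ($enabled -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $dbd
        State             = $state
    }
}

# Collect every protocol/role combination and show it as one table.
$report = foreach ($p in $protocols) {
    foreach ($r in $roles) {
        Get-SchannelProtocolState -Protocol $p -Role $r
    }
}
$report | Format-Table -AutoSize
```

Run it on both hosts and keep the output with the change record, so a failed eB Web to eB Core HTTPS connection after the change can be compared against the previous state.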
