8 years ago
We’d like to inform you that preparations are being made to disable the use of SSLv3 and TLS 1.0/1.1 encryption protocols.
On March 14th, Targetprocess will disable SSLv3 and TLS 1.0/1.1 to enforce TLS 1.2 with strong ciphersuites on all Targetprocess On-Demand servers and other Targetprocess sites. This change will prevent the use of SSLv3 and TLS 1.0/1.1 for accessing Targetprocess services with all connections, in favor of more secure encryption.
TLS 1.2 ensures that a connection to a remote endpoint is routed to the intended destination through encryption and endpoint identity verification. Targetprocess enabled TLS 1.2 for all servers a long time ago, so you’re already protected by TLS 1.2 if you’re using a modern browser, as compromised protocols have been disabled there. However, most servers do not yet enforce TLS 1.2 for compatibility reasons.
Why is this happening?
At Targetprocess, we understand that our customers share their most precious assets with us -- such as project details and roadmaps -- so we take the protection of your data very seriously. In the wake of vulnerabilities in protocols and ciphersuites (such as Poodle, FREAK, Logjam, KCI and Drown), we want to maintain the highest security standards possible to promote the safety of your data, as well as align with industry-wide best practices.
What are the access types where action may be needed?
There are two different channels that require encryption to access Targetprocess:
- Internet browser
- API integrations
An overview of each and their corresponding recommendation for TLS 1.2 compatibility can be found below in Internet Browsers. Your users will experience issues accessing Targetprocess via your browser if non-supported browsers are in use or if you have disabled the supported encryption protocols in the browser.
Testing your browser compatibility
You can find out if your browser is currently vulnerable to common attacks and if it is compatible with TLS 1.2 on the following Qualis page: https://www.ssllabs.com/ssltest/viewMyClient.html If you have TLS 1.2 listed as available, then your browser should not be impacted by this change, and no action is required.
Action Required for Browser Compatibility
If your browser is not compatible with TLS 1.2 after we make this change, you and other users in your company will NOT be able to access Targetprocess. We recommend that you update your browsers to support TLS 1.2 as soon as possible. Please refer to the compatibility guidelines below.
API Integrations
API Integrations are interfaces or applications–including mobile apps and desktop clients–that are separate from Targetprocess, but use Targetprocess data. If you have any API Integrations, please ensure that the TLS 1.2 encryption protocols are enabled in those integrations.
Action Required for API Integrations Compatibility
If your integrations that use inbound connections to Targetprocess do not have TLS 1.2 enabled after we make this change, your integrations may experience disruption. We recommend that you begin planning to support 1.2 as soon as possible. Please refer to the compatibility guidelines below.
Browser Compatibility Notes
Microsoft Internet Explorer (IE)
Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer knowledge article for more details.
- Desktop and mobile IE version 11 - compatible with TLS 1.2 by default
- Desktop IE versions 8, 9, and 10 - Compatible only when running Windows 7 or newer, but not by default. Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer article to enable TLS 1.2 or higher encryption.
- Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.2.
- Mobile IE versions 10 and below - Not compatible with TLS 1.1 or higher encryption.
- Microsoft Edge - Compatible with TLS 1.2 by default.
Mozilla Firefox
Compatible with the most version, regardless of operating system.
- Firefox 27 and higher - Compatible with TLS 1.2 by default.
- Firefox 23 to 26 -Compatible, but not by default.Use about:config to enable TLS 1.2 by updating the security.tls.version.max config value to 3.
- Firefox 22 and below - Not compatible with TLS 1.2
Google Chrome
Compatible with the most recent version, regardless of operating system.
- Google Chrome 38 and higher - Compatible with TLS 1.2 by default.
- Google Chrome 30 to 37 - Compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile).
- Google Chrome 29 and below - Not compatible with TLS 1.2
Google Android OS Browser
- Android 5.0 (Lollipop) and higher - Compatible with TLS 1.2 by default.
- Android 4.4 (KitKat) to 4.4.4 - May be compatible with TLS 1.2. Some devices with Android 4.4.x may not support TLS 1.2.
- Android 4.3 (Jelly Bean) and below - Not compatible with TLS 1.2.
Apple Safari
- Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher - Compatible with TLS 1.2 by default.
- Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below - Not compatible with TLS 1.2.
- Mobile Safari versions 5 and higher for iOS 5 and higher - Compatible with TLS 1.2 by default.
- Mobile Safari for iOS 4 and below - Not compatible with TLS 1.2.
API Compatibility Notes
Java
Compatible with the most recent version, regardless of operating system
- Java 8 (1.8) and higher - Compatible with TLS 1.2 by default.
- Java 7 (1.7) - Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code.
- Java 6 (1.6) and below - Not compatible with TLS 1.2
.NET
Compatible with the most recent version when running in an operating system that supports TLS 1.2.
- .NET 4.6 and higher -Compatible with TLS 1.2 by default.
- .NET 4.5 to 4.5.2 - .NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.2 by default. Two options exist to enable these, as described below.
Option 1:
.NET applications may directly enable TLS 1.2 in their code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12. The following C# code is an example:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
Option 2:
It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkv4.0.30319" and "HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoft.NETFrameworkv4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
- .NET 4.0 - .NET 4.0 does not enable TLS 1.2 by default
To enable TLS 1.2 by default, it is possible to set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINESOFTWAREMicrosoft.NETFrameworkv4.0.30319" and "HKEY_LOCAL_MACHINESOFTWAREWow6432NodeMicrosoft.NETFrameworkv4.0.30319". Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
- .NET 3.5 and below - Not compatible with TLS 1.1 or higher encryption
Python
Compatible with the most recent version when running on an operating system that supports TLS 1.2.
- Python 2.7.9 and higher - Compatible with TLS 1.2 by default.
- Python 2.7.8 and below - Not compatible with TLS 1.2
Ruby
Compatible with the most recent version when linked to OpenSSL 1.0.1 or higher.
- Ruby 2.0.0 - TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 symbols with an SSLContext's ssl_version helps ensure that TLS 1.1 or earlier is disabled.
- Ruby 1.9.3 and below The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher.
Add comment