What is the impact of Centrify deprecating TLS 1.0 support?

Solution:
The National Institute of Standards and Technology (NIST) deprecated TLS 1.0 for government use. TLS, a standard specified by the Internet Engineering Task Force, defines the method by which client and server computers establish a secure connection with one another to protect data that is passed back and forth. TLS is used by a wide variety of everyday applications.
The Internet Engineering Task Force found vulnerabilities in TLS 1.0. NIST released SP 800-52 Rev. 1, which offers guidance to administrators on how to use the newer versions of TLS in their networks.
The information below contains the details from Centrify on the impact of deprecating TLS 1.0.

General
In order to support our mission to protect customers, provide a secure service, and to align with minimum PCI DSS standards, Centrify will be updating the minimum TLS protocol required to connect to the Centrify Cloud Platform to TLS 1.1 as of 18.5 (tentatively scheduled for May 19, 2018).
The previous minimum was TLS 1.0. The PCI DSS standards are available here.

Impact on Connectors
Connectors running on machines with Windows Server 2008 R2 or older must have support for newer TLS protocols enabled. Customers may need to manually enable TLS 1.1 and 1.2 on the Windows 2008 R2 system; the 18.5 release will automatically enable TLS 1.1 and 1.2 on the Windows 2008 R2 system. If the connector version is at least 18.5 and your connector is running on a Windows 2012/2016 system, no direct action is necessary, as TLS 1.1 and 1.2 support is enabled automatically. For older connector release versions, you must manually enable support (please refer to here), then restart the connector service.
A connector running without support for newer TLS protocols will go offline when TLS 1.0 support is removed in 18.6.
The 18.5 and 18.6 connector releases explicitly enable TLS versions 1.1 and 1.2 on the connector system. If the connector systems are configured to disable any TLS versions, the upcoming 18.6 hot fix 2 connector release adds a new registry parameter called “connectorProtocolBypassList” that allows you to specify TLS configurations that must not be modified by the connector. This configuration is a String key located in HKEY_LOCAL_MACHINE\Software\Centrify\Cloud. The system settings for TLS versions listed in this parameter will be unaffected by the connector.
The 18.6HF2 connector will continue to explicitly enable TLS 1.1 and 1.2 unless this new parameter is set in the registry. The parameter is a comma-separated list of TLS version names. Case is not significant. Valid values for these names are as follows:
For TLS 1.0: “TLS”, “TLS10”, or “TLS 1.0”
For TLS 1.1: “TLS11” or “TLS 1.1”
For TLS 1.2: “TLS12” or “TLS 1.2”
Spaces around the commas are not permitted. Examples of valid configurations include “TLS11,TLS12” or “TLS 1.1,TLS 1.2”.
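As an added example (not Centrify's own code), the following PowerShell validates a proposed connectorProtocolBypassList value against the rules above, warns about the two failure modes described in the warning that follows, and writes the String value only when -Apply is given. The key path, value name and accepted names come from the article; reading the system-level TLS state from the SCHANNEL registry keys is an assumption of mine.

```powershell
# Added example, not Centrify's code: validate a connectorProtocolBypassList value, warn about
# the documented failure modes, and write the REG_SZ value only when -Apply is given.
# Key path, value name and accepted names are from the article; reading system TLS state
# from the SCHANNEL keys is my assumption about where Windows keeps those settings.
param(
    [Parameter(Mandatory)][string]$BypassList,   # e.g. "TLS11,TLS12"
    [switch]$Apply                               # dry run unless set
)

$centrifyKey = 'HKLM:\SOFTWARE\Centrify\Cloud'
# Accepted names per version; -in compares case-insensitively, as the article allows
$names = @{
    'TLS 1.0' = @('TLS', 'TLS10', 'TLS 1.0')
    'TLS 1.1' = @('TLS11', 'TLS 1.1')
    'TLS 1.2' = @('TLS12', 'TLS 1.2')
}

# Split on commas without trimming, so "TLS11, TLS12" is rejected as the article requires
$versions = foreach ($token in $BypassList -split ',') {
    $match = $names.Keys | Where-Object { $token -in $names[$_] }
    if (-not $match) { throw "Invalid entry '$token' (check spelling and spaces around commas)" }
    $match
}

# System-level state: Enabled=0 under the SCHANNEL Client key means the OS has disabled it
function Test-SystemTlsDisabled([string]$Version) {
    $p = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Version\Client"
    $v = Get-ItemProperty -Path $p -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.Enabled -eq 0)
}

# Mirror the article's warning: a bypassed version that the OS has disabled stays disabled
foreach ($v in $versions) {
    if (-not (Test-SystemTlsDisabled $v)) { continue }
    if ($v -eq 'TLS 1.0') {
        Write-Warning "$v is bypassed and disabled on the system: BITS, and so connector auto-update, may fail"
    } else {
        Write-Warning "$v is bypassed and disabled on the system: the connector may be unable to reach the cloud service"
    }
}

if ($Apply) {
    if (-not (Test-Path $centrifyKey)) { New-Item -Path $centrifyKey -Force | Out-Null }
    Set-ItemProperty -Path $centrifyKey -Name connectorProtocolBypassList -Value $BypassList -Type String
    "Set connectorProtocolBypassList = '$BypassList'; restart the connector service to apply it"
} else {
    "Dry run: '$BypassList' is valid and maps to $($versions -join ', '); re-run with -Apply to write it"
}
```

Run it once without -Apply to see which versions the list maps to and whether any warning fires before the value is written.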
This configuration does not enable or disable any protocols on its own. It simply prevents existing system configurations for any specified protocol from being modified by the connector.

Warning – It is possible to set this configuration in a manner that disables the connector’s access to the Centrify cloud service or disables the connector’s auto-update functionality. If TLS 1.0 is part of this configuration and TLS 1.0 has been disabled at the system level, BITS (Background Intelligent Transfer Service) will be unavailable, which may cause the connector auto-update functionality to fail. If TLS 1.1 and 1.2 are part of this configuration and those protocols are disabled or unavailable on the system, the connector will be unable to communicate with the Centrify cloud service.

Impact on Users
All web browsers used to access the service must support newer TLS protocols. To verify your browser’s compatibility, use it to browse to https://www.ssllabs.com/ssltest/viewMyClient.html and verify that the “Protocol Features” section lists TLS 1.1 or higher as “Yes”.
Customers will need to ensure that their browsers support current protocol standards, specifically TLS 1.1 and 1.2. As a courtesy, the below links are provided for detecting browser TLS compatibility:
i. https://www.ssllabs.com/ssltest/viewMyClient.html (TLS 1.1 and 1.2 should equal ‘Yes’)
ii. https://www.howsmyssl.com (Version should be at least TLS 1.1 and the BEAST Vulnerability section should state “GOOD”)
iii. https://caniuse.com/#feat=tls1-2 (Browser versions that support TLS 1.2)
Windows 7/8 operating systems have TLS version 1.0 enabled by default. These operating systems will need to have TLS version 1.1 or 1.2 enabled. As a courtesy, the below link is provided for enabling TLS 1.1 and 1.2 on Windows 7/8:
i. https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Impact on Office 365
As of October 31, 2018, Microsoft is planning to discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 in Microsoft Office 365. As a courtesy, the following link is provided to prepare for the discontinuation of TLS 1.0 and 1.1:
i. https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

Impact on the Centrify Browser Extension
For Internet Explorer, customers need to upgrade the Centrify Browser Extension to version 18.5 prior to the deprecation of TLS 1.0 support in 18.6. TLS 1.1 and 1.2 are not supported by older .NET versions, therefore we’ve added a dependency on .NET 4.6.2 to the Internet Explorer CBE for 18.5.
Customers will need to upgrade to .NET 4.6.2 for this dependency as part of installing the 18.5 CBE for Internet Explorer. The .NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2. To update to .NET Framework 4.6.2, go here.

Impact on the Centrify Agent for Windows
For Centrify Agent for Windows versions prior to 3.4.2 (Centrify Infrastructure Services 2017.2) with the MFA feature enabled, customers will need to enable .NET support for TLS 1.2. This can be done by installing .NET 4.6.2 or by modifying the Windows Registry as follows:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Impact on Integrations and API Users
C# and PowerShell scripts which integrate using the Cloud Service APIs on certain versions of the .NET runtime will need to explicitly enable newer TLS protocols:
C#: System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
PowerShell: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Additional Consideration
To ensure that your applications continue to function properly with the Centrify Cloud Platform, please consult your application vendors to ensure that they are compatible with TLS 1.1 or 1.2.
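One way to check an integration host before the cutover, as an added example that is not Centrify's code: the PowerShell below reads the SchUseStrongCrypto value and the installed .NET 4.x build named in the Agent and API sections above, applies the article's one-line TLS 1.2 setting for the current session, and probes the tenant. The tenant URL is a placeholder to replace; the NDP “Release” value and the 394802 threshold for .NET 4.6.2 are Microsoft's published version markers, not something the article states.

```powershell
# Added example, not Centrify's code: confirm this host can talk TLS 1.2 to the cloud service.
# Assumptions: $TenantUrl is a placeholder; the NDP "Release" key and the 394802 threshold for
# .NET 4.6.2 are Microsoft's published values. SchUseStrongCrypto's path is from the article.
param([string]$TenantUrl = 'https://TENANT.my.centrify.com')   # placeholder, not a real tenant

# Registry value from the article: 1 makes .NET 4.x default to strong crypto (TLS 1.1/1.2)
$netKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$strong = (Get-ItemProperty -Path $netKey -Name SchUseStrongCrypto -ErrorAction SilentlyContinue).SchUseStrongCrypto
if ($strong -ne 1) {
    Write-Warning "SchUseStrongCrypto is not 1 under $netKey; an older runtime may default to TLS 1.0"
}

# Installed .NET 4.x build: Release >= 394802 means 4.6.2 or later (assumption noted above)
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -Name Release -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 394802) {
    Write-Warning ".NET Framework 4.6.2 or later not detected (Release=$release); install it per the article"
}

# Show what this process would negotiate before and after the article's one-liner
"Before: $([Net.ServicePointManager]::SecurityProtocol)"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
"After:  $([Net.ServicePointManager]::SecurityProtocol)"

# Probe: any HTTP response (even an error status) proves the TLS 1.2 handshake succeeded.
# A failure with no response object is the symptom of a runtime that cannot negotiate TLS 1.2.
try {
    $resp = Invoke-WebRequest -Uri $TenantUrl -UseBasicParsing -TimeoutSec 15
    "OK: $TenantUrl answered HTTP $($resp.StatusCode) over TLS 1.2"
} catch {
    if ($_.Exception.Response) {
        "OK: TLS 1.2 handshake succeeded; server returned HTTP $([int]$_.Exception.Response.StatusCode)"
    } else {
        Write-Warning "No TLS 1.2 connection to ${TenantUrl}: $($_.Exception.Message)"
    }
}
```

The SecurityProtocol assignment only affects the running process, so the same line belongs at the top of every integration script, as the API section states.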
(All external links provided as a courtesy)