Tips for finding Knowledge Articles

  • - Enter just a few key words related to your question or problem
  • - Add Key words to refine your search as necessary
  • - Do not use punctuation
  • - Search is not case sensitive
  • - Avoid non-descriptive filler words like "how", "the", "what", etc.
  • - If you do not find what you are looking for the first time,reduce the number of key words you enter and try searching again.
  • - Minimum supported Internet Explorer version is IE9
Home  >
article

KB-49635: Deprecation of TLS 1.1

Auditing and Monitoring Service ,   Authentication Service ,   Privileged Access Service ,   Privilege Elevation Service ,  

5 April,21 at 06:32 PM

Question:  
Why is Centrify deprecating TLS 1.1 support and what is the impact?

Solution:  
The National Institute of Standards and Technology (NIST) and major browsers have deprecated TLS 1.1. TLS, a standard specified by the Internet Engineering Task Force, defines the method by which client and server computers establish a secure connection with one another to protect data that is passed back and forth. TLS is used by a wide variety of everyday applications. 

The information below contains the details of the impact for deprecating TLS 1.1 support. 



General
TLS 1.1 support is being deprecated in order to support our mission to protect customers, provide a secure service, and to align with minimum PCI DSS standards. Centrify will be updating the minimum TLS protocol required to connect to the Centrify Cloud Platform to TLS 1.2 as of the 21.5 release (tentatively scheduled for July 2021). The previous minimum was TLS 1.1.
 
Impact on Connectors

Connectors on older Windows versions must have support for newer TLS protocols enabled. Customers may need to manually update TLS 1.2 older Windows systems. Connectors on systems without TLS 1.2 or higher support will go offline when the connector is upgraded to the 21.5 version.


Connector versions 21.1 and higher running on a Windows 2012 or newer system will attempt to automatically enable TLS 1.2 support. Should TLS 1.2 or higher not be enabled for some reason on a system, please refer to this Microsoft knowledgebase article here. A connector restart is required if a system change is made.

A feature allow customers the ability specify TLS configurations that must not be modified by the connector. The registry parameter is named
connectorProtocolBypassList and found under the String key located in HKEY_LOCAL_MACHINE\Software\Centrify\Cloud. If this is configured on a connector system, connector upgrades will not change these settings. More information on this this parameter here:

 
The parameter is a comma-separated list of TLS version names.  Case is not significant.  Valid values for these names are as follows:
For TLS 1.0:  “TLS”, “TLS10”, or “TLS 1.0”
For TLS 1.1:  “TLS11”, or “TLS 1.1”
For TLS 1.2:  “TLS12”, or “TLS 1.2”

Spaces around the commas are not permitted.  Examples of valid configurations include “TLS11,TLS12” or “TLS 1.1,TLS 1.2”.
 
This configuration does not enable or disable any protocols on its own.  It simply prevents existing system configurations for any specified protocol from being modified by the connector.

Impact on Users
All web browsers used to access the service must support newer TLS protocols. Customers will need to ensure that their browsers support current protocol standards, specifically TLS 1.2. As a courtesy, the below links are provided for detecting browser TLS compatibility: 
i.  https://www.ssllabs.com/ssltest/viewMyClient.html (TLS 1.2 should equal to ‘Yes’)
ii.  https://www.howsmyssl.com (Version should be at least TLS 1.2 and BEAST Vulnerability section should state “GOOD”)
iii. https://caniuse.com/#feat=tls1-2 (Browser versions that support TLS 1.2) 


Windows 7/8 operating systems have TLS version 1.0 enabled by default. These operating systems will need to have TLS version 1.2 enabled. As a courtesy, the below link is provided for enabling 1.2 on Windows 7/8:
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Impact on Centrify Mobile Applications
Apple supports TLS 1.2 and above in iOS versions greater than 11 (This is the oldest version Centrify currently support). If your iOS device is running 11.x or older it should be updated to a new version.
For Android devices, the oldest version Centrify support is 4.4 and that uses TLS 1.0/1.1. From Android 5.0 and newer TLS 1.2 is used. 

NOTE - The deprecation of TLS 1.1 does not have a direct impact to the Centrify app on older versions, it will continue to function however the recommendation is to upgrade to a supported version as iOS 11 and Android below 5 will be dropped as supported versions in Privileged Access Service 21.4


Impact on the Centrify Browser Extension
For Internet Explorer, the .NET Framework 4.6.2 supports TLS 1.1 and TLS 1.2. To update to .NET Framework 4.6.2, go here.

There is no impact to the CBE if running .NET framework version 4.6.2 or higher on Internet Explorer. For other browsers checking the .NET framework version is not needed.


Impact on the Centrify Agent for Windows

For Centrify Agent for Windows version prior 3.4.2 (Centrify Infrastructure Services 2017.2) with the MFA feature enabled, customers will need to enable the .NET to support TLS 1.2. This can be done by installing .NET 4.6.2 or by modifying the Windows Registry as follows:[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] 
"SchUseStrongCrypto"=dword:00000001


Impact on Integrations and API Users
C# and PowerShell scripts which integrate using the Cloud Service API’s on certain versions of the .NET runtime will need to explicitly enable newer TLS protocols:

C# :
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
PowerShell: [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12


Impact on ServiceNow App and Ansible Credential Plugin
There is no impact by deprecating TLS 1.1

Impact on Server Suite
For the DirectControl (adclient) software, there is no impact by deprecating TLS 1.1.
libCurl supports TLS 1.2, thus deprecating TLS 1.1 has no impact.
The LDAPproxy component is derived from OpenLDAP and slapd is TLS 1.2 capable.
The DirectAudit collectors support TLS 1.2 connections - although this does NOT preclude TLS 1.1 either.

Additional Consideration
To ensure that your applications continue to function properly with the Centrify Cloud Platform, please consult your application vendors to ensure that they are compatible with TLS 1.2


(All external links provided as a courtesy)