PART A - Development work for this case has been completed. 1. The change will be available in version: 14.90 2. The following changes were made(Include Database object names, Program classes, and any other relevant information): - Add support for TLS 1.3 and remove SSL3 support when connecting to mail servers
3. Affected Areas: - Sending Emails from LinkSOFT
4. The issue was caused by: - Security compliance
5. Other Relevant Notes: - SSL 3.0 is an outdated and insecure protocol that has been deprecated and should not be used anymore. It is vulnerable to attacks such as POODLE and BEAST. You should only use TLS 1.2 or higher if possible, as they provide stronger encryption and better performance.
6. Next Step (Review and System Test (Developer) -> UAT (Quality) -> Documentation): UAT
PART B - Development Reference (Place descriptor for objects changed):
Additional Notes:
There are different ways to check if a server supports TLS 1.2 or higher, depending on the tools you have access to. Here are some possible methods:
• Use the openssl command to test the connection with different TLS versions. For example, you can run the following commands and see if they succeed or fail:
openssl s_client -connect host.com:443 -tls1_2 openssl s_client -connect host.com:443 -tls1_3
If the connection is successful, you will see a message like this:
SSL handshake has read 1234 bytes and written 456 bytes Verification: OK --- New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384 Server public key is 2048 bit Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 ok ---
If the connection fails, you will see a message like this:
CONNECTED(00000003) 140735254603648:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 7 bytes and written 0 bytes Verification: OK --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 0 ok ---
• Use the nmap tool with the ssl-enum-ciphers script to scan the server for supported ciphers and protocols. For example, you can run the following command and look for the output section that shows the TLS versions and ciphers:
nmap --script ssl-enum-ciphers -p 443 host.com
The output will look something like this:
PORT STATE SERVICE 443/tcp open https | ssl-enum-ciphers: | TLSv1.2: | ciphers: | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A | compressors: | NULL | cipher preference: server | warnings: | Forward Secrecy not supported by any cipher in use by this host. | TLSv1.3: | ciphers: | TLS_AES_256_GCM_SHA384 (ecdh_x25519) - A | TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A | TLS_AES_128_GCM_SHA256 (ecdh_x25519) - A | compressors: | NULL | cipher preference: server
• Use a web browser to visit the server's website and inspect the certificate details. Depending on the browser, you may need to click on the padlock icon next to the URL bar, or go to the developer tools and look for the security tab. You should be able to see the protocol and cipher used for the connection, as well as other information about the certificate. For example, in Chrome, you can see something like this: |