![]() NGINX NGINX may also be configured in multiple places. The last step is to restart the Apache service: This tells Apache to enable all protocols, but disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1. SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 In your configuration file(s), find the entry "SSLProtocol" and modify it to look like: On Red Hat / CentOS based systems: /etc/httpd/sites-enabled/ On Debian / Ubuntu based systems: /etc/apache2/sites-enabled/ If it is configured in a virtual host, the configuration files will generally be: On Red Hat / CentOS based systems: /etc/httpd/conf/nf On Debian / Ubuntu based systems: /etc/apache2/nf The default Apache configuration file can be found: Disabling SSLv2, SSLv3, TLSv1, and TLSv1.1ĭepending on your configuration, this may need to be changed in multiple locations. For this reason, you should disable SSLv2, SSLv3, TLS 1.0 and TLS 1.1 in your server configuration, leaving only TLS protocols 1.2 and 1.3 enabled. Over the years vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. This is also where a server will provide its digital certificate to a connecting client. During this handshake the client and server will work out what mutual ciphers and hash algorithms are supported. A "handshake" is done at the start of a TLS or SSL connection. Under this setting, although it seems that we will use the TLS 1.2 or 1.3 (depending on the version of curl library), in case we may still send with TLS 1.0/1.1, we would like to know after the deprecation of TLS 1.0/1.1 on April 13, will the request be fallback to use TLS 1.2 or 1.Introduction Secure Socket Layer (SSL) and Transport Layer Security (TLS) are both cryptographic protocols providing communication security over a network for example a client connecting to a web server. ![]() We are using the curl library to send API to dropbox with the setting of CURL_SSLVERSION_TLSv1. Also, do you have any recommended way to test on which TLS version our app is really using?Ģ. ![]() If receiving this mail is a proof of using deprected TLS protocol version by our app, then the only possible reason may originate from some of our customers who still uses older version of our app, which may be kind of wierd. ![]() Does that mean our app did make calls using a deprecated TLS protocol version so that we received this mail? Or, is this just a notification regardless of whether our app communicates with deprecated TLS protocol version?īy testing with our app, it seems that the latest version of our app uses the TLS 1.2 and 1.3 protocol version. have recently made calls to the Dropbox API using a deprecated TLS protocol version."ġ. We have received the mail regarding to this issue, stating that: So how can I run a test to know for sure? Is there a way I can simulate April 13th now? Or monitor traffic? The e-mail I got from Dropbox has got me worried. ![]() But I don't trust this as proof that my apps are not using the deprecated protocol. And the iOS code uses cocopods and references ObjectiveDropboxOfficial and a README.MD that says " The Official Dropbox Objective-C SDK for integrating with Dropbox " which should be OK too. My inspection of the Android code shows the external library of :dropbox-core-sdk:3.1.5, which should be OK. I suppose it is possible that some users of our apps have not updated in all that time, but I would like to know if there is any test I could run to see whether or not the latest versions of my apps are using the deprecated protocol. I received an e-mail from Dropbox warning that " your app(s) TuneLab Tuning Files have recently made calls to the Dropbox API using a deprecated TLS protocol version." I thought we had updated both our iOS and Android versions over a year ago. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |