TLS 1.2 Support
Mathew Mathachan Frequent Contributor Username: Mathewm Post Number: 116 Registered: 04-2011

Hi,

As per a new security advisory, they are allowing only TLS 1.2 on the server. Does NowSMS support TLS 1.2 when we enable SSL/TLS? Also, on the callbacks, does NowSMS support TLS 1.2 as a client?

Mathew
Bryce Norwood - NowSMS Support Board Administrator Username: Bryce Post Number: 8164 Registered: 10-2002

Hi Mathew,

TLS 1.2 is supported, both as client and server. However, there is currently no way to disable older protocols.

We have recently completed an extensive review of current best practices for SSL/TLS, and compatibility with various web browsers, and will be including an updated SSL/TLS driver in an update that is expected to be released in the next few weeks (first half of April).

In this update:

* SSL 3 will be disabled. TLS 1.0 thru 1.2 will be supported with options to disable TLS 1.0 and/or TLS 1.1.
* Known weak ciphers have been disabled. (Supported ciphers can be manually configured if desired.)
* Session caching and session tickets enabled
* RC4 disabled
* ECDH key reuse disabled
* Forward secrecy enabled

Basically, we implemented all of the changes necessary to get an "A" grade from ssllabs.com.

At this point, we're not sure if the new SSL/TLS driver will be compatible with older versions of NowSMS, or if it will require the new version.

I will point out that in the 2016 version, there is some capability to specify what ciphers are supported by creating a CIPHER.INI file as described in this thread: https://support.nowsms.com/discus/messages/1/73465.html

(Note that it is necessary to restart the service after making any changes.)

-bn
Bryce Norwood
Now SMS/MMS Support
Des - NowSMS Support Board Administrator Username: Desosms Post Number: 5816 Registered: 08-2008

Hi Mathew,

I wanted to advise that the updated release that Bryce mentioned is now available for download: https://www.nowsms.com/nowsms2017

Here are the SSL/TLS related notes:

We have recently completed an extensive review of current best practices for SSL/TLS, and web browser compatibility issues. The SSL/TLS driver has been updated to be based on OpenSSL 1.0.2k, and implements best practices to enable an “A” grade from sslLabs.com. Key changes:

To disable TLS 1.0 and 1.1, create a CIPHER.INI file with the following content:

[Cipher]
DisableTLS1.0=Yes
DisableTLS1.1=Yes

To modify supported ciphers, use an OpenSSL format cipher string in a Cipher= parameter setting of this same file. Use care when modifying cipher support, as proper configuration can be complex. As a starting point, the default cipher string for NowSMS 2017 is:

Cipher=!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:DHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:!PSK:!SRP:!DSS

I can confirm that this driver will also work with the 2016 release (but not earlier versions) by replacing smsssl.dll. It has been uploaded to https://www.nowsms.com/download/smsssl2017.zip

--
Des
NowSMS Support
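Before a CIPHER.INI like the one above is deployed, its settings can be checked offline. The following is an added example, not part of the thread or of NowSMS: it parses the file and expands the Cipher= string with the OpenSSL build behind the local Python, which is not the 1.0.2k driver NowSMS ships, so the resulting suite list is an approximation. The names `audit_cipher_ini` and `WEAK_MARKERS` are hypothetical.

```python
import configparser
import ssl

# Default NowSMS 2017 cipher string as quoted in the thread.
DEFAULT_CIPHER = (
    "!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:EECDH+ECDSA+AESGCM:"
    "EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:"
    "EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:"
    "DHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!RC4:!LOW:!MD5:!EXP:"
    "!PSK:!SRP:!DSS"
)
# Constructed sample file combining the two settings from the thread.
SAMPLE_INI = ("[Cipher]\nDisableTLS1.0=Yes\nDisableTLS1.1=Yes\n"
              "Cipher=" + DEFAULT_CIPHER + "\n")

# Substrings of OpenSSL suite names treated as weak here (an assumption).
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5", "EXP")


def audit_cipher_ini(text):
    """Parse CIPHER.INI text and expand its Cipher= string with local OpenSSL."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    sec = cfg["Cipher"]
    report = {
        "tls10_disabled": sec.getboolean("DisableTLS1.0", fallback=False),
        "tls11_disabled": sec.getboolean("DisableTLS1.1", fallback=False),
        "enabled": [], "weak": [], "error": None,
    }
    cipher = sec.get("Cipher")
    if cipher is None:
        return report  # no Cipher= override present in the file
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher)  # raises if the string selects no suite
    except ssl.SSLError as exc:
        report["error"] = str(exc)
        return report
    # TLS 1.3 suites appear too; OpenSSL configures them separately.
    report["enabled"] = [c["name"] for c in ctx.get_ciphers()]
    report["weak"] = [n for n in report["enabled"]
                      if any(m in n for m in WEAK_MARKERS)]
    return report


if __name__ == "__main__":
    result = audit_cipher_ini(SAMPLE_INI)
    print("TLS 1.0 disabled:", result["tls10_disabled"])
    print("TLS 1.1 disabled:", result["tls11_disabled"])
    print("weak suites still enabled:", result["weak"] or "none")
```

On an OpenSSL build that still compiles in 3DES, the `weak` list shows `DES-CBC3-SHA`, which the default string leaves enabled as a last-resort suite.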
Mathew Mathachan Frequent Contributor Username: Mathewm Post Number: 117 Registered: 04-2011

Thanks Des for the update.

Do we have to reissue the self-signed certificates? Does this mean that older servers still with SSL3 will not be supported?

Mathew
Des - NowSMS Support Board Administrator Username: Desosms Post Number: 5818 Registered: 08-2008

Hi Mathew,

No certificate should need to be reissued, unless the original CSR was generated by a version earlier than a 2016 NowSMS release. Prior to 2016, the CSR and self-signed cert used SHA-1 and RSA 1024. The 2016 release began using SHA-256 and RSA 2048 (reference https://www.nowsms.com/ssl-sha1-deprecation-and-sha256-support).

At this point, yes. We will re-evaluate if we have customers that need it. However, note that the current versions of all the major web browsers no longer support SSL 3.0. So any such servers have bigger problems than NowSMS.

--
Des
NowSMS Support
Mathew Mathachan Frequent Contributor Username: Mathewm Post Number: 118 Registered: 04-2011

Hi,

We have a customer who is on v2014.06.30 and has enabled SSL (using a NowSMS-generated certificate). They have 2 major applications using this to send out messages.

To move to v2017.04007, what are the precautions to be taken? Can we install v2017 over the existing v2014? How about the certificate? I presume we need to generate it again and import it to the applications. What is the best way to reduce the downtime?

Please advise.

Mathew
Des - NowSMS Support Board Administrator Username: Desosms Post Number: 5827 Registered: 08-2008

Hi Mathew,

Sorry for the delay in response.

The first thing I would recommend is backing up *.EXE and *.DLL in the NowSMS directory. Also, because of version differences, back up the html and webadmin subdirectories. If anything is a problem with the update, you can quickly roll back by stopping the services, and restoring these files.

The only consequence of the update is that SSL 3 is no longer supported, and any clients that do not support TLS will not be able to connect.

The existing SSL cert will continue to work; however, it is not considered secure as it uses SHA-1 and RSA 1024. Current best practices recommend SHA-256 and RSA 2048 for the certificate, which is what NowSMS 2017 will generate.

My recommendation would be to update NowSMS first, with no changes to the certificate. Once that is done with no problems, then look at updating the certificate. This link explains how to manually back up and restore the certificate files: https://www.nowsms.com/ssl-sha1-deprecation-and-sha256-support

--
Des
NowSMS Support
Mathew Mathachan Frequent Contributor Username: Mathewm Post Number: 119 Registered: 04-2011

Hi,

We are planning to migrate a customer from v2014.06 to v2017.04.07 mainly for the TLS 1.2 support. Do we need to get the license updated?

Mathew
Mathew Mathachan Frequent Contributor Username: Mathewm Post Number: 120 Registered: 04-2011

Hi,

Appreciate your attention.

Mathew
Bryce Norwood - NowSMS Support Board Administrator Username: Bryce Post Number: 8244 Registered: 10-2002

Hi Mathew,

I can’t answer your question, because I don’t know your license details. It depends on whether or not you subscribe to our maintenance and support updates. Each license has a maintenance expiration date, which is initially one year from purchase date. Updates released prior to that expiration date can be installed.

I’d suggest sending an email to nowsms@nowsms.com with license and customer details, and they should get back to you promptly.

-bn
Bryce Norwood
NowSMS/MMS Support