Issues with TLS 1.2
#1
We have an application written in Delphi XE2 + IntraWeb 14.1.12.  The IWServerController "SSL Version" is set to TLSv12, and "SSL Versions" is set to [TLSv12].  If an end user turns off TLS 1.0 and TLS 1.1 in their browser settings, leaving TLS 1.2 turned on, the program SHOULD work just fine, but it doesn't.

Using Internet Explorer as an example, this is what the end user sees:

---
This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to (web address) again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
---

Obviously *something* is still trying to use TLS 1.0 or 1.1 - any ideas as to what the problem could be?  This affects all of our customer sites, and we need everything to be TLS 1.2 for e-commerce security compliance.

Many thanks for any help you can provide.
Reply
#2
Are you using an up-to-date version of OpenSSL 1.0.2 that supports TLS 1.2? IntraWeb uses Indy internally, and Indy will silently fall back to TLS 1.0 if it can't access the TLS 1.2 functions from the OpenSSL library.

Reply
#3
(06-04-2018, 04:31 PM)rlebeau Wrote: Are you using an up-to-date version of OpenSSL 1.0.2 that supports TLS 1.2? IntraWeb uses Indy internally, and Indy will silently fall back to TLS 1.0 if it can't access the TLS 1.2 functions from the OpenSSL library.

It turns out that we were using OpenSSL 1.0.1e.  We have downloaded the new version (1.0.2o) via the link on the AtoZed downloads page, stopped IIS, copied over the new files, and restarted IIS, but the issue persists - we've tried this on multiple servers.  Is there something else we're missing?

Thanks again!
Reply
#4
I think you have an SA application? Or is it ISAPI/IIS? IIS doesn't use OpenSSL at all.
The best thing you can do is submit your application to ssllabs and see how it goes. The final report is pretty good for identifying issues.

If your application is public, it is very simple:
https://www.ssllabs.com/ssltest/
Reply
#5
(06-06-2018, 06:05 AM)Alexandre Machado Wrote: I think you have an SA application? Or is it ISAPI/IIS? IIS doesn't use OpenSSL at all.
The best thing you can do is submit your application to ssllabs and see how it goes. The final report is pretty good for identifying issues.

If your application is public, it is very simple:
https://www.ssllabs.com/ssltest/

Aha!  I ran the test, and our customers' web servers are failing miserably.  We've begun working with them to fix their security issues; hopefully this will ultimately resolve the issue - if not, I'll post again with updated information, but I'm optimistic that this will solve the problem.  Thank you so much for your help and for pointing out this great resource!
Reply
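
For servers that are not publicly reachable (so ssllabs cannot scan them), the same question can be asked locally. This is an added example, not code from the thread or from IntraWeb/Indy: a Python check that connects the way a browser with only TLS 1.2 enabled would and reports whether the handshake completes. The names `probe_tls12_only` and `start_stub_server` and the alert bytes are constructed for this example; the stub is a local stand-in for a server that refuses the handshake.

```python
import socket
import ssl
import threading

# Constructed TLS record: alert, level 2 (fatal), description 70
# (protocol_version). Used only by the local stub below.
ALERT_PROTOCOL_VERSION = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x46])


def probe_tls12_only(host, port, timeout=5.0):
    """Connect like a browser with only TLS 1.2 enabled; classify the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Only the protocol version is under test, so skip certificate validation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted", "%s / %s" % (tls.version(), tls.cipher()[0])
    except (ssl.SSLError, ConnectionResetError) as exc:
        # Handshake failed: the server could not agree on TLS 1.2.
        return "rejected", str(exc)
    except OSError as exc:
        # Nothing listening, or a timeout: not a TLS verdict at all.
        return "unreachable", str(exc)


def start_stub_server():
    """Constructed local stand-in: reads the ClientHello, replies with the
    fatal alert above, and closes. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(ALERT_PROTOCOL_VERSION)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_tls12_only("127.0.0.1", start_stub_server()))
```

Point `probe_tls12_only` at the real host and port instead of the stub; a "rejected" result there matches what the browser reports once TLS 1.0 and 1.1 are switched off.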