Introduction
Sometimes, we receive questions about the TLS versions used in our applications, especially after penetration tests reveal multiple versions. It's important to note that these versions are not actively in use. They are maintained solely for backward compatibility with upcoming updates for third-party integrations. This strategy allows us to enhance our security measures while ensuring smooth compatibility with essential external systems.
How to check the specific TLS version that is used by the applications
Server - Client communication
With Wireshark, you can capture packets from one application to another application, which enables you to check the traffic between our Server application and Desktop Client applications.
To capture this traffic, please follow these steps below:
- Start Wireshark on the Desktop Client, and set the Server IP address as the Host filter
- Apply a display filter with the following parameters:
tcp.port == 7001 && tls
This display filter shows the TCP communication over port 7001 (the default port of the VMS) and, in particular, the TLS protocol.
- When you check the column Protocol, you'll see TLS is used.
To determine which TLS versions can be used, and which one is actually used, you can check the Packet Details panel.
To find the applicable information, please do the following:
- Select a Client Hello packet
- Find Transport Layer Security in the Packet Details panel
- Expand the options:
  - TLSv1.3 Record Layer: Handshake Protocol: Client Hello
  - Handshake Protocol
  - Extension: supported_versions
- Here you'll find all possible versions of the TLS protocol from the Client side, which enables you to connect to older versions of the VMS as well.
To verify which TLS version is actually used for the connection between the Desktop Client and the Server, do the following:
- Select a Server Hello packet
- Find Transport Layer Security in the Packet Details panel
- If you expand the content, you will see the TLS version that is used in this case, which is TLS 1.2.
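As an added illustration (not part of the original article), the Python script below parses a TLS Client Hello and a Server Hello record the way Wireshark's Packet Details panel does, and reports the versions the client offered against the version the server selected. It also shows a caveat worth knowing when reading those fields: for a TLS 1.3 connection the record-layer version and the legacy handshake version field both still read TLS 1.2, and the real selected version is carried only in the Server Hello's supported_versions extension. The records are constructed in the script rather than taken from a capture; build_hello, parse_hello, offered_versions and negotiated_version are the example's own helper names.

```python
"""Added example: offered vs negotiated TLS version from Client Hello / Server Hello records."""
import struct

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B          # extension type defined by RFC 8446
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 0x16, 0x01, 0x02


def _extensions(buf):
    """Split an extensions block into {extension_type: data}."""
    out, pos = {}, 0
    while pos + 4 <= len(buf):
        ext_type, ext_len = struct.unpack("!HH", buf[pos:pos + 4])
        out[ext_type] = buf[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
    return out


def parse_hello(record):
    """Return record-layer version, legacy handshake version and supported_versions content."""
    content_type, record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + record_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    legacy_version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    pos += 1 + body[pos]                           # session_id (1-byte length + id)
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites list
        pos += 1 + body[pos]                                    # compression_methods list
    elif hs_type == SERVER_HELLO:
        pos += 2 + 1                               # chosen cipher_suite + compression_method
    else:
        raise ValueError("not a Client Hello or Server Hello")
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    exts = _extensions(body[pos + 2:pos + 2 + ext_len])
    sv = exts.get(EXT_SUPPORTED_VERSIONS)
    if sv is None:
        versions = []
    elif hs_type == CLIENT_HELLO:   # 1-byte list length, then 2-byte versions
        versions = [struct.unpack("!H", sv[i:i + 2])[0] for i in range(1, 1 + sv[0], 2)]
    else:                           # a Server Hello carries exactly one selected version
        versions = [struct.unpack("!H", sv[:2])[0]]
    return {"type": hs_type, "record_version": record_version,
            "legacy_version": legacy_version, "supported_versions": versions}


def offered_versions(client_hello):
    """Versions the client is willing to use; pre-1.3 clients only have the legacy field."""
    info = parse_hello(client_hello)
    versions = info["supported_versions"] or [info["legacy_version"]]
    return [VERSION_NAMES.get(v, hex(v)) for v in versions]


def negotiated_version(server_hello):
    """The version actually selected: supported_versions wins over the legacy field (TLS 1.3 rule)."""
    info = parse_hello(server_hello)
    v = info["supported_versions"][0] if info["supported_versions"] else info["legacy_version"]
    return VERSION_NAMES.get(v, hex(v))


def build_hello(hs_type, legacy_version, supported_versions=()):
    """Construct a minimal, structurally valid Hello record (constructed test data, not a capture)."""
    body = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"   # version, zero random, empty session_id
    if hs_type == CLIENT_HELLO:
        body += struct.pack("!H", 2) + b"\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
    else:
        body += b"\x13\x01" + b"\x00"                                # chosen suite, null compression
    exts = b""
    if supported_versions:
        data = b"".join(struct.pack("!H", v) for v in supported_versions)
        if hs_type == CLIENT_HELLO:
            data = bytes([len(data)]) + data
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs   # record layer always says TLS 1.2


if __name__ == "__main__":
    client = build_hello(CLIENT_HELLO, 0x0303, [0x0304, 0x0303])
    server = build_hello(SERVER_HELLO, 0x0303, [0x0304])
    print("client offers:", offered_versions(client))
    print("server selected:", negotiated_version(server),
          "(legacy field says", VERSION_NAMES[parse_hello(server)["legacy_version"]] + ")")
```

To run this on real traffic, copy the bytes of the Client Hello or Server Hello record from Wireshark as a hex stream and pass bytes.fromhex(...) to the parse functions; the Protocol column in Wireshark already applies the same supported_versions rule, which is why it reads TLSv1.3 even though the version fields inside the record say 1.2.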
Browser - Server communication
With the browser, you’re also able to check the TLS version that is used when you navigate to the WebAdmin or the Cloud Client portal.
For Firefox
- Open the Developer Tools (Ctrl+Shift+I)
- Select the Network tab
- Navigate to the WebAdmin or Cloud Client portal
- Select the Network tab in the top bar of the Developer Tools
- Select an item in the results and select the Security tab in the pane on the right.
NOTE: If the Security tab isn’t available, select another item, since it isn’t applicable to all items.
- Under Security, check the Connection and Protocol version to check which TLS protocol is used.
For Chrome
- Open the Developer Tools (Ctrl+Shift+I)
- Select the Security tab
- Navigate to the WebAdmin or Cloud Client portal
- Under Security, check the results for the section Connection to check which TLS protocol is used.
Change the default TLS version used by the applications
By default, TLS 1.3 is used. However, it is possible to change the TLS versions by changing the value in the server configuration files.
NOTE: Lowering these values has an impact on the overall security of the system and is never recommended.
For Windows
- Open the registry editor and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\<brand>\<brand> Media Server
- Add a string value allowedSslVersions and put the value TLSv1.2
- Restart the Nx mediaserver defaultMediaServer service
For Linux
- Navigate to:
/opt/<brand>/mediaserver/etc/
- Open the mediaserver.conf and add the following entry: allowedSslVersions=tls1_2
- Restart the <brand>-mediaserver service
Confirm the changes:
To confirm these changes, you can use the following commands:
For Windows
Open the command prompt and enter the following command:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\<brand>\<brand> Media Server" /v "allowedSslVersions"
For Linux
Open the Terminal and enter the following command:
grep "allowedSslVersions" /opt/<brand>/mediaserver/etc/mediaserver.conf
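The reg query and grep commands above confirm what the configuration says; to confirm what the running service actually enforces, the added Python script below (not from the original article or from the vendor) attempts one TLS handshake per protocol version against the server port and reports which versions are accepted. The host name is a placeholder and the port is an assumption (7001 is the VMS default named earlier). The probe disables certificate verification because only the protocol negotiation is of interest here, so it is not a substitute for a proper trust check. The names probe, accepted and weak_accepted are the example's own.

```python
"""Added example: which TLS versions does the running server actually accept?"""
import socket
import ssl
from ssl import TLSVersion

# Protocol versions to try, oldest first (constructed list, not a vendor setting).
CANDIDATES = [TLSVersion.TLSv1, TLSVersion.TLSv1_1, TLSVersion.TLSv1_2, TLSVersion.TLSv1_3]
WEAK = {"TLSv1", "TLSv1_1"}          # deprecated versions that a hardened server should reject


def handshake(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns the negotiated protocol name (e.g. "TLSv1.2") or None when the
    server refuses that version or the local OpenSSL cannot even offer it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # version probe only: certificate trust is not evaluated here
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version   # may raise ValueError if the build has the version compiled out
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError, ValueError):
        return None


def probe(host, port, versions=CANDIDATES, attempt=handshake):
    """Map each candidate version name to the negotiated result (None = rejected)."""
    return {v.name: attempt(host, port, v) for v in versions}


def accepted(results):
    """Version names for which the server completed a handshake."""
    return [name for name, negotiated in results.items() if negotiated]


def weak_accepted(results):
    """Accepted versions that are deprecated (TLS 1.0 / 1.1) and should have been rejected."""
    return [name for name in accepted(results) if name in WEAK]


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "server.example"   # placeholder, pass your server
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001            # VMS default port (assumed)
    results = probe(host, port)
    for name, negotiated in results.items():
        print(f"{name:8s} -> {negotiated or 'rejected'}")
    if weak_accepted(results):
        print("WARNING: deprecated versions still accepted:", weak_accepted(results))
```

Run it as `python probe_tls.py <server> 7001` after restarting the service; with allowedSslVersions set as described above, TLS 1.0 and 1.1 should show as rejected, and the accepted list should match the configured value.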
Change the default TLS version used by the browser
Most browsers use TLS 1.2 or newer by default and prevent you from using earlier versions of TLS. Although we do not recommend changing these values, some browsers, for example Firefox, let you change them for the sake of backward compatibility.
For Firefox
When you navigate to about:config and search for security.tls.version.m, you’ll notice that the default values are 3 for the minimum version and 4 for the maximum version, which means that TLS 1.2 is used as the minimum and TLS 1.3 as the maximum. To change them, use the following values for the minimum and maximum settings:
1 = TLS 1.0 (insecure)
2 = TLS 1.1 (insecure)
3 = TLS 1.2
4 = TLS 1.3
For Chrome
Chrome doesn't have such an option, but you can force a minimum TLS version by starting Chrome from the terminal with a command-line flag.
For Windows:
- Open the Command Prompt window
- Enter the following command:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1.3
For macOS:
- Open the terminal window
- Enter the following command:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-version-min=tls1.3
For Linux:
- Open the terminal window
- Enter the following command:
google-chrome --ssl-version-min=tls1.3
NOTE: If the values of your browser don’t match with values in the mediaserver configuration file, you won’t be able to connect to the system.