|Agent Mode||Assess & Protect|
|Main Product Category||All Contrast Agents|
In accordance with industry best practices, the Contrast SaaS instances will soon be dropping support for older, less secure protocols and setting the supported minimum TLS version to version 1.2 with an accompanying limit in the available cipher suites, as detailed in the TLSv1.2_2019 Security Policy documented here.
How will limiting the TLS and Cipher Suites available affect connectivity between Contrast Agents and the Contrast UI?
TLS Support varies by agent language and Operating System/Environment as detailed below:
For both the Legacy and Modern .NET Framework agents, there are combinations of installed .NET Framework, platform and target .NET Framework that can lead to a connectivity issue, accompanied by an error like this in the agent logs:
ERROR 17248:6 Global Exception communicating with Contrast. Error: Error communicating with Contrast for request URL:'/Contrast/api/ng/servers/'. Exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
The resolution is to update the application being instrumented so that it uses the operating system's crypto settings for TLS communication:
- If the application was built for < .NET 4.6.1 or is running with < .NET 4.6.1 compatibility (and using a > .NET 4.6 runtime), then use AppContext switches.
- If the application was built for .NET 3.5, then the code must be recompiled with SystemDefault as detailed in this article from the Microsoft Support site.
Please see the Note below for a possible workaround.
Support for TLSv1.2 is enabled by default in Java versions 8 and above (with the caveats noted below for the IBM JRE when used with WebSphere), so no action is required by the user, provided TLSv1.2 is supported by the platform.
For older versions of Java and some special cases, see the following:
|JVM||Notes||Action Required by User|
|Java 6||TLSv1.2 is not supported on this version of Java||A Java upgrade is required in this case to maintain connectivity. Please see the Note below for a possible workaround.|
|Oracle Java 7||TLSv1.2 is not supported in Java 7 versions prior to u95||An upgrade to at least Oracle Java 7 u95 is required (a paid option). Please see the Note below for a possible workaround.|
|OpenJDK 7||TLSv1.2 is supported and enabled by default in versions 1.7.0_141 and later.||This is an option for users unable to upgrade to Oracle Java 7 u95. A free download is available here.|
|IBM JRE 7/8 with WebSphere||TLSv1.2 is supported but a JVM option needs to be set in older Java versions to maintain full compatibility when used with WebSphere 8.5/9||In older IBM Java versions 7 (prior to SR4 FP80 20210122) or 8 (prior to 1.8.0_281 SR6 FP5 20210115) the following WebSphere JVM option needs to be set:|
|IBM JRE 7/8 with SuiteB Enabled||SuiteB is enabled by setting the JVM Option||TLSv1.2 compatibility is not possible with this combination. Please see the Note below for a possible workaround.|
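To find out which row of the table applies to a given JVM, the following added example (not Contrast code) reports whether TLSv1.2 is supported and whether it is enabled by default, and optionally attempts a TLSv1.2-only handshake against a host passed as an argument. The class name Tls12Check and port 443 are assumptions, and the check inspects the JVM's default SSLContext, which is assumed here to reflect what the agent will use.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

// Added example, not Contrast code. Avoids Java 8+ syntax so it compiles on older JVMs.
// Usage: java Tls12Check [host]   (host = the server the agent reports to; port 443 assumed)
public class Tls12Check {
    static boolean has(String[] protocols, String wanted) {
        return Arrays.asList(protocols).contains(wanted);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" = the JVM can speak it; "enabled" = it is offered without extra options.
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();
        boolean canDo = has(supported, "TLSv1.2");
        boolean onByDefault = has(enabled, "TLSv1.2");

        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        System.out.println("Supported: " + Arrays.toString(supported));
        System.out.println("Enabled by default: " + Arrays.toString(enabled));
        if (!canDo) {
            System.out.println("RESULT: TLSv1.2 is not supported by this JVM");
        } else if (!onByDefault) {
            System.out.println("RESULT: TLSv1.2 is supported but not enabled by default");
        } else {
            System.out.println("RESULT: TLSv1.2 is supported and enabled by default");
        }

        // Optional live check: offer only TLSv1.2, as a server with a TLS 1.2 minimum requires.
        if (canDo && args.length > 0) {
            SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], 443);
            try {
                s.setEnabledProtocols(new String[] {"TLSv1.2"});
                s.startHandshake(); // throws SSLException if no protocol or cipher suite is shared
                System.out.println("Handshake OK: " + s.getSession().getProtocol()
                        + " / " + s.getSession().getCipherSuite());
            } finally {
                s.close();
            }
        }
        System.exit(onByDefault ? 0 : 1);
    }
}
```

Run it with the same JVM binary and JVM options as the instrumented application, since options set on the application server change what is enabled by default.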
The Node.js agent can be configured either to use the Contrast Service for communication with the Contrast Server or to communicate directly. In the former case, see Ruby, Python and Go below; in the latter, the Node.js agent supports TLSv1.2 with no action required by the user.
Ruby, Python and Go
The Ruby, Python and Go agents all communicate with the Contrast Server via an independent service (the Contrast Service), which is itself implemented in Go. For these agents, no action is required to enable TLSv1.2 support, as it is already in place in the Contrast Service.
To configure the agents to use a Proxy, see here for Java and here for .NET Framework.