Contrast SaaS Connectivity with TLSv1.2


Overview

In accordance with industry best practices, the Contrast SaaS instances will soon drop support for older, less secure protocols. The minimum supported TLS version will be set to 1.2, with an accompanying limit on the available cipher suites, as detailed in the TLSv1.2_2019 Security Policy documented here.

Question

How will limiting the available TLS versions and cipher suites affect connectivity between Contrast Agents and the Contrast UI?

Answer

TLS Support varies by agent language and Operating System/Environment as detailed below:


.NET Framework

If for some reason the above requirements cannot be achieved, please see the Note below for a possible workaround.


.NET Core

The .NET Core Agent requires no action on the part of the user to enable TLSv1.2 support, provided it is supported by the Windows or Linux platform on which the agent is running.


Java

Support for TLSv1.2 is enabled by default in Java versions 8 and above (with the caveats noted below for the IBM JRE when used with WebSphere), so no action is required by the user, provided TLSv1.2 is supported by the platform.

For older versions of Java and some special cases, see the following:

JVM: Oracle Java 6
Notes: TLSv1.2 is not supported on the publicly available versions of Java.
Action Required by User: A Java upgrade is required in this case to maintain connectivity. Please see the Note below for a possible workaround.

JVM: Oracle Java 7
Notes: TLSv1.2 may work in Oracle Java 7 versions prior to u95 with the addition of the following JVM options:
-Dhttps.protocols=TLSv1.2
-Dhttps.cipherSuites=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Action Required by User: If the options shown above do not result in success, an upgrade to at least Oracle Java 7 u95 is required (note that this is a paid option). Please see the next entry or the Note below for possible workarounds.

JVM: OpenJDK 7
Notes: TLSv1.2 is supported and enabled by default in versions 1.7.0_141 and later.
Action Required by User: This is an option for users unable to upgrade to Oracle Java 7 u95. A free download is available here.

JVM: IBM JRE 7/8 with WebSphere
Notes: TLSv1.2 is supported, but a JVM option needs to be set in older Java versions to maintain full compatibility when used with WebSphere 8.5/9.
Action Required by User: In older IBM Java versions 7 (prior to SR4 FP80 20210122) or 8 (prior to 1.8.0_281 SR6 FP5 20210115), the following WebSphere JVM option needs to be set:
-Dcom.ibm.jsse2.overrideDefaultTLS=true

JVM: IBM JRE 7/8 with SuiteB Enabled
Notes: SuiteB is enabled by setting the JVM option com.ibm.jsse2.suiteB to 128 or 192.
Action Required by User: TLSv1.2 compatibility is not possible with this combination. Please see the Note below for a possible workaround.
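
To see which of the JVM cases above applies to a given runtime, the following added example (not Contrast code; the class name TlsCheck is hypothetical) reports whether the JVM supports TLSv1.2 and the cipher suite quoted above, and whether they are enabled by default. It uses only standard JSSE calls and avoids Java 8 language features so that it also compiles on older JVMs.

```java
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example (not Contrast code); the class name TlsCheck is hypothetical.
// Reports whether this JVM supports, and enables by default, TLSv1.2 and the
// cipher suite quoted on this page.
public class TlsCheck {
    static final String PROTOCOL = "TLSv1.2";
    static final String SUITE = "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256";

    static boolean has(String[] values, String wanted) {
        return values != null && Arrays.asList(values).contains(wanted);
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "Supported" is everything the provider implements; "default" is what
        // a client socket from this context offers without further settings.
        SSLParameters supported = ctx.getSupportedSSLParameters();
        SSLParameters enabled = ctx.getDefaultSSLParameters();

        boolean protoSupported = has(supported.getProtocols(), PROTOCOL);
        boolean protoEnabled = has(enabled.getProtocols(), PROTOCOL);

        System.out.println("JVM: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println(PROTOCOL + " supported:          " + protoSupported);
        System.out.println(PROTOCOL + " enabled by default: " + protoEnabled);
        System.out.println(SUITE + " supported:          "
                + has(supported.getCipherSuites(), SUITE));
        System.out.println(SUITE + " enabled by default: "
                + has(enabled.getCipherSuites(), SUITE));

        // https.protocols and https.cipherSuites are read by HttpsURLConnection,
        // so their raw values are shown separately from the JSSE defaults above.
        // "null" means the property is not set.
        System.out.println("https.protocols    = " + System.getProperty("https.protocols"));
        System.out.println("https.cipherSuites = " + System.getProperty("https.cipherSuites"));

        // Exit 2: TLSv1.2 not implemented (upgrade or proxy needed).
        // Exit 1: implemented but not enabled by default (JVM options needed).
        // Exit 0: TLSv1.2 is offered with the default settings.
        if (!protoSupported) System.exit(2);
        if (!protoEnabled) System.exit(1);
    }
}
```

Compile and run it with the same java binary and JVM options as the application that hosts the agent, so the output reflects that runtime rather than another JVM on the machine.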

 


Node.js

The Node.js agent can either use the Contrast Service to communicate with the Contrast Server or be configured to communicate directly. In the former case, see Ruby, Python and Go, below. In the latter case, the Node.js agent supports TLSv1.2 with no action required by the user.


Ruby, Python and Go

The Ruby, Python and Go agents communicate with the Contrast Server via an independent service (the Contrast Service) implemented in Go. For these agents, no action is required to enable TLSv1.2 support, as it is already in place in the Contrast Service.


Note: In cases where it is not possible or practical to upgrade the technology in use to support TLSv1.2, a possible workaround is to introduce a proxy between the agent and the Contrast Server and have the proxy negotiate the final TLSv1.2 connection. Contrast makes no recommendation of a specific proxy solution (however, some examples are detailed here); support for this option would be the responsibility of the user.
To configure the agents to use a proxy, see here for Java and here for .NET Framework.
