Overview
In accordance with industry best practices, the Contrast SaaS instances will soon be dropping support for older, less secure protocols and setting the supported minimum TLS version to version 1.2 with an accompanying limit in the available cipher suites, as detailed in the TLSv1.2_2019 Security Policy documented here.
Question
How will limiting the TLS and Cipher Suites available affect connectivity between Contrast Agents and the Contrast UI?
Answer
TLS Support varies by agent language and Operating System/Environment as detailed below:
.NET Framework
- For the Modern agent (runtime .NET framework 4.7.1 and above) - use agent version 21.5.2+
- For the Legacy agent (runtime .NET framework 4.5.1 - 4.7.0) - no agent change is required, but the OS must be updated or configured to support TLS 1.2
If for some reason the above requirements cannot be achieved, please see the Note below for a possible workaround.
.NET Core
The .NET Core Agent requires no action on the part of the user to enable TLSv1.2 support, provided it is supported by the Windows or Linux platform on which the agent is running.
Java
Support for TLSv1.2 is enabled by default in Java versions 8 and above (with the caveats noted below for the IBM JRE when used with WebSphere), so no action is required by the user, provided TLSv1.2 is supported by the platform.
For older versions of Java and some special cases, see the following:
JVM | Notes | Action Required by User |
Oracle Java 6 | TLSv1.2 is not supported on the publicly available versions of Java | A Java upgrade is required in this case to maintain connectivity. Please see the Note below for a possible workaround. |
Oracle Java 7 | TLSv1.2 may work in Oracle Java 7 versions prior to u95 with the addition of the following JVM options: -Dhttps.protocols=TLSv1.2 | If the options shown to the left do not result in success, an upgrade to at least Oracle Java 7 u95 is required (note that this is a paid option). Please see the next row or the Note below for possible workarounds. |
OpenJDK 7 | TLSv1.2 is supported and enabled by default in versions 1.7.0_141 and later. | This is an option for users unable to upgrade to Oracle Java 7 u95. A free download is available here. |
IBM JRE 7/8 with WebSphere | TLSv1.2 is supported but a JVM option needs to be set in older Java versions to maintain full compatibility when used with WebSphere 8.5/9 | In older IBM Java versions 7 (prior to SR4 FP80 20210122) or 8 (prior to 1.8.0_281 SR6 FP5 20210115) the following WebSphere JVM option needs to be set: -Dcom.ibm.jsse2.overrideDefaultTLS=true |
IBM JRE 7/8 with SuiteB Enabled | SuiteB is enabled by setting the JVM Option com.ibm.jsse2.suiteB to 128 or 192 | TLSv1.2 compatibility is not possible with this combination. Please see the Note below for a possible workaround. |
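To see which row of the table applies to a given JVM, the following added diagnostic (not Contrast code; the class name Tls12Check is hypothetical) reports whether the running JVM supports TLSv1.2, whether it is enabled by default, and which of the JVM options named above are set. It uses only the standard JSSE API and avoids newer language features, so it is written to compile on older JDKs.

```java
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;

// Added example, not part of the Contrast agent. Run it with the same JVM
// binary and the same JVM options as the application the agent is attached to.
public class Tls12Check {
    // JVM options mentioned in the table above.
    private static final String[] OPTIONS = {
        "https.protocols",
        "com.ibm.jsse2.overrideDefaultTLS",
        "com.ibm.jsse2.suiteB"
    };

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Protocols the JSSE provider is able to negotiate at all.
        List<String> supported =
            Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        // Protocols offered when the application changes nothing.
        List<String> enabled =
            Arrays.asList(ctx.getDefaultSSLParameters().getProtocols());

        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        for (int i = 0; i < OPTIONS.length; i++) {
            // "null" means the option is not set on this JVM.
            System.out.println("-D" + OPTIONS[i] + " = "
                + System.getProperty(OPTIONS[i]));
        }
        System.out.println("supported protocols : " + supported);
        System.out.println("enabled by default  : " + enabled);

        if (!supported.contains("TLSv1.2")) {
            System.out.println("RESULT: this JVM cannot negotiate TLSv1.2.");
            System.exit(2);
        }
        if (!enabled.contains("TLSv1.2")) {
            // https.protocols applies to HttpsURLConnection and is not
            // reflected in the SSLContext defaults printed above.
            System.out.println("RESULT: TLSv1.2 is supported but not enabled "
                + "by default; check the JVM options listed above.");
            System.exit(1);
        }
        System.out.println("RESULT: TLSv1.2 is enabled by default.");
    }
}
```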
Node.js
The Node.js agent can either use the Contrast Service to communicate with the Contrast Server or be configured to communicate directly. In the former case, see Ruby, Python and Go, below. In the latter, the Node.js agent supports TLSv1.2 with no action required by the user.
Ruby, Python and Go
The Ruby, Python and Go agents communicate with the Contrast Server via an independent service (the Contrast Service) implemented in Go. For these agents, no action is required to enable TLSv1.2 support, as it is already in place in the Contrast Service.
To configure the agents to use a Proxy, see here for Java and here for .NET Framework.