Company: Link Technologies
Case No: L12909. Project: 14.90: LinkSOFT Version 14.90 - July 2023
Logged By: Sanjay (Link Technologies) on 31 May 2023 03:21PM
Priority: Low
Product: Framework
Group: Enhancement
Time Taken: 11.00 (Weight: 16.00)
Assigned To: Development
Circulation: Development, Sanjay
Resolve By: Wednesday, 31 May 2023 10:29 AM [323 days since logged date]
Status: Closed
Subject: Add support for TLS 1.3 and remove SSL3 support when connecting to mail servers
Summary:    

When connecting to mail servers, we allow all protocols including SSL3 and TLS1.2.

The following changes have been made in 14.90:

  1. Add support for TLS 1.3
  2. Remove SSL3


Audit Notes:Edited by sanjay on 21/06/23 15:26. Edited by sanjay on 02/06/23 17:09. Edited by sanjay on 31/05/23 15:21. Edited by sanjay on 31/05/23 10:31. 
31 May 202310:33AM Comment 1 by Sanjay (Link Technologies) Assigned To: Development Followup Date: 09-06-2023 10:31 AM Time Taken: 8.00
PART A - Development work for this case has been completed.

1. The change will be available in version: 14.90

2. The following changes were made(Include Database object names, Program classes, and any other relevant information):

  1. Add support for TLS 1.3 and remove SSL3 support when connecting to mail servers

3. Affected Areas:

  1. Sending Emails from LinkSOFT

4. The issue was caused by:

  1. Security compliance

5. Other Relevant Notes

  1. SSL 3.0 is an outdated and insecure protocol that has been deprecated and should not be used anymore. It is vulnerable to attacks such as POODLE and BEAST. You should only use TLS 1.2 or higher if possible, as they provide stronger encryption and better performance.

6. Next Step (Review and System Test (Developer) -> UAT (Quality) -> Documentation): UAT


PART B -
Development Reference (Place descriptor for objects changed)
:

Additional Notes:

There are different ways to check if a server supports TLS 1.2 or higher, depending on the tools you have access to. Here are some possible methods:

• Use the openssl command to test the connection with different TLS versions. For example, you can run the following commands and see if they succeed or fail:

openssl s_client -connect host.com:443 -tls1_2
openssl s_client -connect host.com:443 -tls1_3

If the connection is successful, you will see a message like this:

SSL handshake has read 1234 bytes and written 456 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 ok
---

If the connection fails, you will see a message like this:

CONNECTED(00000003)
140735254603648:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1544:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 ok
---

• Use the nmap tool with the ssl-enum-ciphers script to scan the server for supported ciphers and protocols. For example, you can run the following command and look for the output section that shows the TLS versions and ciphers:

nmap --script ssl-enum-ciphers -p 443 host.com

The output will look something like this:

PORT STATE SERVICE
443/tcp open https
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ecdh_x25519) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ecdh_x25519) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Forward Secrecy not supported by any cipher in use by this host.
| TLSv1.3:
| ciphers:
| TLS_AES_256_GCM_SHA384 (ecdh_x25519) - A
| TLS_CHACHA20_POLY1305_SHA256 (ecdh_x25519) - A
| TLS_AES_128_GCM_SHA256 (ecdh_x25519) - A
| compressors:
| NULL
| cipher preference: server


• Use a web browser to visit the server's website and inspect the certificate details. Depending on the browser, you may need to click on the padlock icon next to the URL bar, or go to the developer tools and look for the security tab. You should be able to see the protocol and cipher used for the connection, as well as other information about the certificate. For example, in Chrome, you can see something like this:

14 Jun 202312:02PM Comment 2 by Sanjay (Link Technologies) Assigned To: Development Followup Date: 23-06-2023 12:01 PM Time Taken: 3.00
Tests completed on TLS 1.3 using a locally installed Mail server.

If you have any queries regarding this support incident, please email admin@linktechnologies.com.au and include the Case No: L12909 in the subject line of all emails regarding this issue.

Document size: 7.4 KB
For call complaints, please contact the Managing Director of the company using this form