
Coveo disabling TLS 1.0

Coveo requires an upgrade to TLS 1.1 or higher by March 28th, 2018 in order to align with industry best practices for security and data integrity. On that date we will disable TLS 1.0. Action is required prior to this date to prevent any disruption to your production instance. This communication contains all of the information currently available on Coveo's disablement of the TLS 1.0 encryption protocol.
1/25/2022, 9:34 PM
https://connect.coveo.com/s/article/2321
2321
Karel Mpungi
Administrator; Business User; Developer
What is TLS?
TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely deployed security protocol in use today, and is used by web browsers and other applications that need to exchange data securely over a network. Through encryption and endpoint identity verification, TLS ensures that a connection to a remote endpoint actually reaches the intended endpoint. The versions of TLS, to date, are TLS 1.0, 1.1 and 1.2.
Coveo Administration Console and API connections, along with email delivery, rely on TLS as a key component of their security: HTTPS (web) and STARTTLS over SMTP (email) both build on it.

What is the change?
Coveo is requiring an upgrade to TLS 1.1 or higher by March 28th 2018. On that date we will disable the TLS 1.0 encryption protocol, which will prevent customers still using it from accessing some of their Coveo services.

How will customers be impacted?
After Coveo disables TLS 1.0, any inbound connections to or outbound connections from your Coveo org that rely on TLS 1.0 will fail. This will impact a number of Coveo services (listed below), including access to Usage Analytics, Search, Indexing and Administration websites.

How can customers avoid a service disruption?
The action required by your organization will depend on which channels are used to access your Coveo org as well as which Coveo services are in use by your org. Please click the relevant topic below to be directed to the required actions page(s).

Why is this happening?
At Coveo, Security is our #1 value, and Coveo is focused on continually helping our customers improve their security by using the latest security protocols. On March 28th, 2018, Coveo will require the TLS 1.1 or later encryption protocol in an effort to maintain the highest security standards and promote the safety of customer data.

Internet Browsers:

You and your users will experience issues accessing Coveo if you have disabled the supported encryption protocols or if a browser other than the supported browsers is being used to connect to Coveo.

If you experience errors, you need to ensure your browsers are compatible with TLS 1.1 or higher. If your browser is not compatible with TLS 1.1 or higher after we make this change, your users will NOT be able to access Coveo Services. We recommend that you begin planning to support TLS 1.1 and TLS 1.2 as soon as possible.

NOTE: The minimum required action is to enable TLS 1.1 or TLS 1.2 encryption protocol within your browser security settings. Although we recommend disabling TLS 1.0 for a more secure browsing experience, it is not required. For example, if a user has protocols TLS 1.0, TLS 1.1, and TLS 1.2 enabled within their browser's security settings, they will be able to successfully connect to Coveo with that browser after Coveo disables TLS 1.0 on August 21st, 2017.

Refer to the compatibility guidelines below:

Internet Explorer (IE):
  • Microsoft Internet Explorer (IE): Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer knowledge article for more details.
  • Desktop and mobile IE version 11: If you see the "Stronger security is required" error message, you may need to turn off the TLS 1.0 setting in the Internet Options | Advanced Settings list.
  • Desktop IE versions 8, 9, and 10: Compatible only when running Windows 7 or newer, but not by default. Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer article to enable TLS 1.1 or higher encryption. Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2.
  • Desktop IE versions 7 and below: Not compatible with TLS 1.1 or higher encryption.
  • Mobile IE versions 10 and below: Not compatible with TLS 1.1 or higher encryption.
  • Microsoft Edge: Compatible with TLS 1.1 or higher by default.
Mozilla Firefox:
  • Mozilla Firefox: Compatible with the most recent version, regardless of operating system.
  • Firefox 27 and higher: Compatible with TLS 1.1 or higher by default.
  • Firefox 23 to 26: Compatible, but not by default. Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2.
  • Firefox 22 and below: Not compatible with TLS 1.1 or higher encryption.
Google Chrome:
  • Google Chrome: Compatible with the most recent version, regardless of operating system.
  • Google Chrome 38 and higher: Compatible with TLS 1.1 or higher by default.
  • Google Chrome 22 to 37: Compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile).
  • Google Chrome 21 and below: Not compatible with TLS 1.1 or higher encryption.
Google Android OS Browser:
  • Android 5.0 (Lollipop) and higher: Compatible with TLS 1.1 or higher by default.
  • Android 4.4 (KitKat) to 4.4.4 : May be compatible with TLS 1.1 or higher. Some devices with Android 4.4.x may not support TLS 1.1 or higher.
  • Android 4.3 (Jelly Bean) and below: Not compatible with TLS 1.1 or higher encryption.
Apple Safari:
  • Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher: Compatible with TLS 1.1 or higher by default.
  • Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below: Not compatible with TLS 1.1 or higher encryption.
  • Mobile Safari versions 5 and higher for iOS 5 and higher: Compatible with TLS 1.1 or higher by default.
  • Mobile Safari for iOS 4 and below: Not compatible with TLS 1.1 or higher encryption.
 

Web Browser User Experience
Depending on the user access point, when a user tries to access the org with a web browser using TLS 1.0 after the org requires TLS 1.1 or higher for HTTPS connections, the user will see an error message with recommended steps to resolve the incompatibility.
 

How to test for support of TLS 1.1 or TLS 1.2
A way to test for TLS 1.1 and TLS 1.2 compatibility is to use the Qualys SSL Labs test site if your HTTPS endpoints are publicly accessible. In the test results, ensure that TLS 1.1 and/or TLS 1.2 support is reported as working properly.

What if I use an intercepting HTTPS proxy server in my network?
Some networks intercept outbound HTTPS traffic by using a proxy server that creates its own certificates so that the unencrypted communications with Coveo and other endpoints can be inspected. Those proxy servers create their own TLS connections to Coveo. Networks that use this type of proxy server need to ensure that it supports TLS 1.2 and prefers TLS 1.2 when connecting to Coveo. Irregular behavior may be observed if the proxy server either only supports TLS 1.0 or prefers TLS 1.0 over TLS 1.2 when connecting to remote endpoints.

The general configuration recommendations for intercepting HTTPS proxy servers with regard to the TLS 1.0 disablement are the following:
  • Update the intercepting HTTPS proxy server so that it does not intercept HTTPS connections to Coveo Services. This is the preferred option, as it ensures end-to-end confidentiality between the end users' web browsers and Coveo.
  • If HTTPS interception is required by company policy or otherwise cannot be removed or exempted, update the proxy server to a newer version that supports TLS 1.2 or, at least, TLS 1.1. Once Coveo disables TLS 1.0, the intercepting HTTPS proxy server's requests will be rejected at the application layer if it negotiated TLS 1.0 with Coveo.
  • If the intercepting HTTPS proxy server does support TLS 1.2 but prefers TLS 1.0 by offering TLS 1.0 in its initial ClientHello messages, update the proxy server's configuration to prefer TLS 1.2 over TLS 1.0 when connecting to Coveo Services.
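The two checks above (confirming that a client offers TLS 1.1 or 1.2, and spotting a proxy whose ClientHello still leads with TLS 1.0) can be made concrete by inspecting the ClientHello itself. The following Python script is an added example and not part of the Coveo article: it parses a raw ClientHello record, reports which TLS versions the client can negotiate, and flags clients that would be cut off once TLS 1.0 is disabled. The two sample ClientHello records are constructed inline.

```python
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions extension (RFC 8446)

def build_client_hello(client_version, cipher_suites, extensions=()):
    """Constructed sample only: wrap a minimal ClientHello in a handshake record."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack("!H", client_version) + bytes(32)          # version + random
            + b"\x00"                                               # empty session id
            + struct.pack("!H", 2 * len(cipher_suites))
            + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, supported_versions list or None) from a raw record."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                   # record header (5) + handshake header (4)
    client_version = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + 32                             # legacy_version + random
    pos += 1 + record[pos]                    # session id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher suites
    pos += 1 + record[pos]                    # compression methods
    supported = None
    if pos < len(record):                     # extensions block is optional
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos, end = pos + 2, pos + 2 + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            data = record[pos + 4:pos + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:   # 1-byte list length, then 2-byte versions
                supported = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, data[0] + 1, 2)]
            pos += 4 + elen
    return client_version, supported

def offered_versions(record):
    """Negotiable versions: the extension list if present, else TLS 1.0 up to client_version."""
    client_version, supported = parse_client_hello(record)
    if supported is not None:
        return sorted(v for v in supported if v in TLS_NAMES)
    return [v for v in TLS_NAMES if 0x0301 <= v <= client_version]

def survives_tls10_disablement(record):
    """True when the client offers TLS 1.1 or higher, so it can still reach Coveo."""
    return max(offered_versions(record)) >= 0x0302

LEGACY_HELLO = build_client_hello(0x0301, [0x002F])  # constructed: old proxy, TLS 1.0 only
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0xC02F],  # constructed: current client
                                  [(SUPPORTED_VERSIONS_EXT, b"\x06\x03\x04\x03\x03\x03\x02")])
```

Feeding a ClientHello captured from the proxy's outbound leg (for example, the first handshake record of a packet capture) into `parse_client_hello` shows directly whether it advertises TLS 1.1 or 1.2.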

Connectors and API Integrations:
For connectors used for indexing and for API integrations, ensure that the TLS 1.1 and/or TLS 1.2 encryption protocols are enabled in those integrations.

Java (Oracle): Compatible with the most recent version, regardless of operating system:
  • Java 8 (1.8) and higher: Compatible with TLS 1.1 or higher by default.
  • Java 7 (1.7): Enable TLS 1.1 and TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 and TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.
  • Java 6 (1.6) update 111 and higher: Enable TLS 1.1 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. This Java 6 update and newer updates are not publicly available and require a support contract for Java 6 from Oracle.
  • Java 6 (1.6) and below (publicly available version): Not compatible with TLS 1.1 or higher encryption. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.
Java (IBM):
  • Java 8: Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application, or a library it calls, uses SSLContext.getInstance("TLS").
  • Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM2.6) and higher, Java 6 service refresh 10 and higher: Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.
.NET: Compatible with the most recent version when running in an operating system that supports TLS 1.1 or TLS 1.2:
  • .NET 4.6 and higher: Compatible with TLS 1.1 or higher by default.
  • .NET 4.5 to 4.5.2: .NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.
    Option 1:
    .NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:
    System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
    Option 2:
    It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
  • .NET 4.0: .NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
  • .NET 3.5 and below: Not compatible with TLS 1.1 or higher encryption.
Python: Compatible with the most recent version when running on an operating system that supports TLS 1.1 or TLS 1.2:
  • Python 2.7.9 and higher: Compatible with TLS 1.1 or higher by default.
  • Python 2.7.8 and below: Not compatible with TLS 1.1 or higher encryption.
Ruby: Compatible with the most recent version when linked to OpenSSL 1.0.1 or higher:
  • Ruby 2.0.0: TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled.
  • Ruby 1.9.3 and below: The :TLSv1_2 symbol does not exist in 1.9.3 and below, but it is possible to patch Ruby to add that symbol and compile Ruby with OpenSSL 1.0.1 or higher.
Microsoft WinINet: Compatible with the most recent version:
  • Windows Server 2012 R2 and higher / Windows 8.1 and higher: Compatible with TLS 1.1 or higher by default.
  • Windows Server 2008 R2 to 2012 / Windows 7 and 8 : Compatible by default if Internet Explorer 11 is installed. If Internet Explorer 8, 9, or 10 is installed, then TLS 1.1 and TLS 1.2 will need to get enabled by the user or an administrator for compatibility. Review the Enabling TLS 1.1 and TLS 1.2 in Internet Explorer article to enable TLS 1.1 or higher encryption.
  • Windows Server 2008 and below / Windows Vista and below: Not compatible with TLS 1.1 or higher encryption.
Microsoft Secure Channel (Schannel): Compatible with the most recent version:
  • Windows Server 2012 R2 and higher / Windows 8.1 and higher: Compatible with TLS 1.1 or higher by default.
  • Windows Server 2012 / Windows 8: TLS 1.1 and TLS 1.2 are disabled by default, but are available if enabled by an application. TLS 1.1 and TLS 1.2 can be enabled by default within the registry. Those registry settings are also available as a registry import file.
  • Windows Server 2008 R2 / Windows 7: Compatible by default in client mode when Internet Explorer 11 is installed. If Internet Explorer 11 is not installed or if Coveo needs to connect to a service running on this type of system, then TLS 1.1 and TLS 1.2 can be enabled by default within the registry. Those registry settings are also available as a registry import file.
  • Windows Server 2008 and below / Windows Vista and below: Not compatible with TLS 1.1 or higher encryption.
Microsoft WinHTTP and Webio:
  • Windows Server 2012 R2 and higher / Windows 8.1 and higher: Compatible with TLS 1.1 and TLS 1.2 by default.
  • Windows Server 2008 R2 SP1 and 2012 / Windows 7 SP1: With KB3140245 applied, Webio is compatible by default, and WinHTTP can be configured via registry settings to enable TLS 1.1 and TLS 1.2.
  • Windows Server 2008 and below / Windows Vista and below: Not compatible with TLS 1.1 or higher encryption.
OpenSSL: Compatible with the most recent version, regardless of operating system.
  • OpenSSL 1.0.1 and higher: Compatible with TLS 1.1 or higher by default.
  • OpenSSL 1.0.0 and below: Not compatible with TLS 1.1 or higher encryption.
Mozilla NSS: Compatible with the most recent version, regardless of operating system.
  • 3.15.1 and higher: Compatible with TLS 1.1 or higher by default.
  • 3.14 to 3.15: Compatible with TLS 1.1, but not with TLS 1.2.
  • 3.13.6 and below: Not compatible with TLS 1.1 or higher encryption.
CREDITS
*This note was largely inspired by this knowledge article.
Additional information also available in article 3022.