I need to listen to Stripe events at a webhook that is deployed on Kubernetes.
The certificate used in the Ingress is using TLS 1.3 but according to Stripe docs, their webhook requests are using TLS 1.2.
Therefore I am getting TLS Errors in the Stripe Webhooks Dashboard.
I am not sure if it is even possible to accept TLS 1.2 requests from a certificate with TLS 1.3 or if I need to add some annotations in the Ingress.
Would greatly appreciate any help.
Related
I have an Azure Storage V2 account setup and I am trying to block TLS 1.0 and 1.1.
I have set the Minimum TLS version to 1.2 but when I test the storage account using SSL Labs or other tools to test the TLS versions that are supported they still report TLS 1.0 and 1.1 being enabled.
Below is a screenshot of the configuration from the Azure portal. I also checked in Powershell and the Minimum TLS version reported is TLS1_2. Have I missed something or could this be because of something else?
During my attempts to reproduce this in a browser for my support ticket I was able to verify that TLS 1.0 and 1.1 ARE being blocked but not at the Session/Presentation layer (I know some debate exists whether TLS is at layer 5/6), they are blocked at the Application layer. The Azure Storage host accepts the TLS 1.0 connection and then checks your account's settings and if the Minimum TLS version is not met it throws an HTTP 400 error stating the TLS version is not permitted.
For my purposes I will try to get this accepted by the auditors as this will continue to fail the TLS-testing sites but for any practical matter TLS 1.0/1.1 is blocked.
This is what Azure returns when you browse to the site with an unsupported TLS version:
And the GET HTTP Response is 400 -
To test this I found that you can force Firefox to a Minimum / Maximum TLS version and then test this in a browser. To configure Firefox to allow TLS 1.0 follow these steps (obviously remember to change this back after testing):
Go to about:config in the Firefox address bar
Set security.tls.version.enable-deprecated to true
Set security.tls.version.max to 1 (or 2 for TLS 1.1)
Set security.tls.version.min to 1
You can then test any site using TLS 1.0.
IBM Cloud will withdraw support to TLS 1.0 and 1.1 after March 1. In the page https://console.bluemix.net/docs/get-support/appsectls.html it says that if you try your url adding ".alt" after de subdomain and it works, then you will not have any problem. But in my case, it doesnt work, so it says that i should enable tls 1.2 but doesnt tell me how. Also, i have seen that in the "EEUU West" region there is no problem with TLS 1.2 support. Otherwise, in the "Germany" region you don't have support at first. Can you tell me how to enable TLS 1.2 in Germany region for any project? Thank you in advance.
The following information was provided by an IBM Cloud platform Architect:
If your application is hosted in Germany under the eu-de.mybluemix.net domain, then TLS 1.0 is already disabled for your application, and if your clients are able to connect to it successfully then you should be ok.
The eu-de.mybluemix.net domain does not offer the alternative alt.eu-de.mybluemix.net to test with because TLS 1.0 has always been disabled for eu-de. We will be removing TLS 1.1 from the eu-de.bluemix.net domain but it is very unlikely that your clients will be using that as that is very rare.
I am trying to diagnose a possible TLS 1.2 vs 1.0 issue. We have an Azure subscription with the following Network Security Group, Application Gateway, and Application Services. We have white listed IPs in the NSG and require TLS 1.2 in the AG. We have an issue from one partner that is hitting our API. Transactions from one of their data centers work and transactions from another are not making it to the API.
We have white-listed both data centers. We have enabled a Network Watcher in Azure with flow logging and can confirm that we are receiving the requests from both datacenters. Logging shows all traffic is to port 443. We suspect that one datacenter is using TLS 1.2 and the other is not.
Is there any way to log which version of TLS is used by a request?
We have a web app hosted in an Azure Server (using api in an Azure Server). For security purposes we'd like to know if the server is under tls 1.2 (I suppose for a non-cloud server we'll just have to see in regedit to know it).
I've seen topics on how to disabled ssl 3 from an azure server see at :
https://azure.microsoft.com/fr-fr/blog/how-to-disable-ssl-3-0-in-azure-websites-roles-and-virtual-machines/
I suppose to enable tls 1.2 we'll have to do this kind of things ...
So my questions are :
- How to know if the azure server is under tls 1.2
- if not, how to set the azure server to tls 1.2
Thanx for your help.
As of today 2018-04-30, you can modify your site to only serve TLS 1.2 and up by going to your app service, then TLS/SSL settings, then setting your minimum TLS Version.
So after the good advice of Panagiotis, we can see this in Chrome/F12 Security, it is said that we're under TLS 1.2, but the cypher is obsolete, the question now would be how to put an up to date cypher, any idea ?
As Panagiotis Kanavos correctly points out:
Azure Websites has disabled SSL 3.0 for all sites by default to protect our customers from the vulnerability mentioned before. Customers no longer need to take any action to disable SSL 3.0 in Azure Websites.
But, here's some specific answers to your questions:
How to know if the azure server is under TLS 1.2?
Check your site with: https://www.ssllabs.com/ssltest/index.html (search for "protocol" and you'll find a list of SSL/TLS versions allowed/disallowed).
If not, how to set the azure server to TLS 1.2?
Start here: How do I disable SSL fallback and use only TLS for outbound connections in .NET? (Poodle mitigation) (requires .NET 4.6).
Then combine with this: https://www.leowkahman.com/2017/07/04/how-to-disable-tls-1-0-on-an-azure-app-service/ (not supported).
Or this: https://learn.microsoft.com/en-au/azure/app-service-web/app-service-app-service-environment-custom-settings (supported).
There are caveats to this setting. Apparently, its not just this setting that controls the transport level outbound communication. We have a situation where we are communicating with a third-party API which is only supporting TLS 1.2 and communication fails with either of this Minimum TLS version 1.0,1.1 and 1.2 on Azure App Service. The hosted app is a .Net Web API on Framework 4.7. So, we had to make this change in Global.asax --> Application_Start so the code tries to communicate with 1.2 and if it fails it tries with 1.1 and then system default.
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls | SecurityProtocolType.SystemDefault;
I can't find details about what version of TLS is implemented by Secure Gateway.
The documentation is very detailed about how to implement TLS, but I can't find the version used.
https://www.ng.bluemix.net/docs/services/SecureGateway/index-gentopic3.html#sg_007
Where is this information available?
For the application side TLS, Secure Gateway will accept connections from applications that are using TLS 1, 1.1, 1.2. It is up to the app to decide which version of TLS to connect with. If you want to limit what version of TLS is accepted, you can use the REST API to manage the secure options of your destination. This setting is not configurable via the UI.