
Thread: TLS v1.0 deadline by pci!

  1. #21
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,464
    @wattie:
    I also disabled TLS 1.0 and 1.1 now for Apache. Next to that I changed the cipher suite because I kept getting a lot of red entries with SSL Labs, while newer cPanel installations by default do not.
    So now I'm using the same cipher suite as cPanel does, not a single user complaining, enough older browsers (including IE11 for W7) supported and everything is black and green, no red anymore.

    For mail it's way more difficult to disable it already now. Indeed older Outlook versions like 2007 need an update to be able to work with SSL, otherwise people have to make registry entries, which is not advisable to do for the average user. But I know a lot of users still using older e-mail clients like Outlook versions older than 2007, some with Mac issues and several also using Windows Live Mail, which is also declared EOL and not supported anymore by MS, but still a lot of users use it.

    I didn't know about WinHTTP though, that this would affect Windows 7.
    Vista is EOL and end of support anyway, like XP. But about the secure mail, just to be sure: isn't it the client that defines that? Like Thunderbird is supporting TLS 1.2 for example. When you install Thunderbird on Vista or W7 then TLS 1.2 is supported, correct?
    Anyway, for mail I can either stay with the old style plain text stuff like before to meet customers with old stuff, or let TLS 1.0 enabled for the time being. I won't force my customers.

    @JohnyByk: As wattie says, same kind of handling, but then remove the -TLSv1 line from httpd-ssl.conf, copy to the /custombuild/custom/ap2/conf/extra directory.
    Then restart Apache and TLS 1.0 is supported again.
    Greetings, Richard.

  2. #22
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,464
    @Ditto: I just had a look. Windows 7 supports TLS 1.1 and 1.2 by default. It was not enabled by default until June 2016 when update KB3140245 was released.
    So if people update their Windows 7, there is no issue for Windows 7.
    There might be issues for older Outlook versions. You can patch Outlook 2007 either via Windows Update or registry entries, but older ones have bad luck I guess.
    Greetings, Richard.

  3. #23
    Join Date
    May 2008
    Posts
    741
    Without the update it won't work.

    Thunderbird and non-Microsoft clients are unaffected - they will work regardless of Windows version and its updates.

  4. #24
    Join Date
    Apr 2009
    Posts
    2,154
    Quote Originally Posted by Richard G View Post
    @Ditto: I just had a look. Windows 7 supports TLS 1.1 and 1.2 by default. It was not enabled by default until June 2016 when update KB3140245 was released.
    So if people update their Windows 7, there is no issue for Windows 7.
    There might be issues for older Outlook versions. You can patch Outlook 2007 either via Windows Update or registry entries, but older ones have bad luck I guess.
    Thank you for the information. As I don't have Outlook 2007 it is hard for me to test. What is unclear for me is if it is enough for Windows 7 users that have Outlook 2007 to apply all available Windows updates, or if they need to manually apply edits to the registry? If all they need to do is to apply all the latest updates from Windows Update, then they have no excuse and I will not disable TLS 1.0 in Dovecot. However if they manually need to edit the registry or manually download a patch that is not applied when running Windows Update, then I will need to enable TLS 1.0 in Dovecot.

  5. #25
    Join Date
    Jul 2006
    Posts
    88
    I had a customer today I did a remote session with.

    Windows 7 SP1 - Latest updates Installed
    Office 2016

    Would not work with TLS1.0 disabled. I also applied the registry patch through the "easy fix" and restarted.

    I will spend more time on it next week, it does not appear to be a simple user didn't patch issue.

    Quote Originally Posted by ditto View Post
    Thank you for the information. As I don't have Outlook 2007 it is hard for me to test. What is unclear for me is if it is enough for Windows 7 users that have Outlook 2007 to apply all available Windows updates, or if they need to manually apply edits to the registry? If all they need to do is to apply all the latest updates from Windows Update, then they have no excuse and I will not disable TLS 1.0 in Dovecot. However if they manually need to edit the registry or manually download a patch that is not applied when running Windows Update, then I will need to enable TLS 1.0 in Dovecot.

  6. #26
    Join Date
    Jul 2006
    Posts
    88
    Quote Originally Posted by Richard G View Post
    @Ditto: I just had a look. Windows 7 supports TLS 1.1 and 1.2 by default. It was not enabled by default until June 2016 when update KB3140245 was released.
    So if people update their Windows 7, there is no issue for Windows 7.
    There might be issues for older Outlook versions. You can patch Outlook 2007 either via Windows Update or registry entries, but older ones have bad luck I guess.
    Richard,

    It appears that while the 2016 patch added TLS 1.1 and TLS 1.2 support, the WINHTTP module forces TLS1.0 and when it gets a refusal it doesn't try the other versions. If anyone has a simple fix to the problem, I would turn off TLS 1.0 in a heartbeat on Dovecot.

    Kevin

  7. #27
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,464
    Quote Originally Posted by ditto
    is if it is enough for Windows 7 users that have Outlook 2007 to apply all available Windows updates,
    As far as I understood from the Microsoft page, that would unfortunately not be enough.
    To apply this update, the DefaultSecureProtocols registry subkey must be added.
    Quote Originally Posted by kevinb
    Would not work with TLS1.0 disabled. I also applied the registry patch through the "easy fix" and restarted.
    Indeed this has to be done and is also written on the KB3140245 page at the Microsoft site.

    This is unfortunate. I hope Microsoft will soon come to their senses because W7 is supported until 2020, so they should enable this by default without the need for manual registry changes,
    as they can make registry changes via Windows Update anyway.

    @Kevinb: As I read from the KB3140245 page, you can set the default by editing the registry setting. Defaulting to 1.2 would be 0x00000800, or you can add 1.1 and 1.2 by calculator.
    However... this again is manual stuff, not an easy thing, unless you create a .reg file yourself for this.

    IMHO Microsoft should drop 1.0 anyway.
    Last edited by Richard G; 07-13-2018 at 07:18 PM.
    Greetings, Richard.

  8. #28
    Join Date
    Apr 2009
    Posts
    2,154
    Quote Originally Posted by smtalk View Post
    "./build rewrite_confs" is enough for that.
    It seems ./build rewrite_confs only updates the TLS version for Apache. It was needed to run ./build dovecot_conf to update the TLS version in /etc/dovecot/conf/ssl.conf

  9. #29
    Join Date
    Aug 2005
    Posts
    107
    Hi Everyone,

    I ran into this issue myself on Windows 7 using Outlook 2010 and was able to resolve it. However, it does require manually editing the Windows Registry as Windows Update KB3140245 + Microsoft Easy Fix does not appear to create the required Protocol Keys.

    *Use common sense when editing the registry. My situation may be different than yours.

    Links:

    1. Microsoft Page that describes the update (includes access to KB3140245 + Easy Fix patch):
    Windows TLS Upgrade Overview

    2. Microsoft Update Catalog for Direct Downloads of KB3140245 (may already be installed):
    Windows Update KB3140245

    3. TechNet Article that explains the overall process and additional Keys/DWORD values (32bit) that are needed:
    Enable TLS 1.1 and TLS 1.2 on Windows 7

    More than likely KB3140245 will automatically be installed - if not, it should be installed as per Microsoft. The TechNet article provides the registry Keys/DWORD values that are needed (which depends on the versions of TLS you want to enable - follow the article). The "Easy Fix" from Microsoft appears to create the first set of DWORD values, but I had to manually enter the new Protocol Keys as per the TechNet article (they credit Ivan from their comments).

    Here is what I did. However, check that all other values from the TechNet article are in place. I only enabled TLS 1.1 + 1.2:

    Code:
    Per the TechNet article, be sure to create the DisabledByDefault DWORD values and 
    set them to 0 in both locations below. You may need to create the TLS 1.1, TLS 1.2 and Client keys:
    
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
    I have attached a screenshot for how the TLS 1.1 Key appears in my registry. The TLS 1.2 should appear the same.

    Once I made all the changes and rebooted, Outlook immediately connected and can send/receive without issues. This has worked for three clients thus far.

    Good Luck!
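    The registry changes described in post #27 (the DefaultSecureProtocols value from KB3140245) and post #29 (the SCHANNEL Protocols keys with DisabledByDefault) can be audited and, if wanted, applied from one script instead of a hand-made .reg file. The script below is an added example written for this thread, not code from Microsoft, DirectAdmin or any poster. It assumes KB3140245 is already installed, that it runs from an elevated PowerShell prompt on Windows 7, and it uses the bit values Microsoft documents for DefaultSecureProtocols (TLS 1.1 = 0x200, TLS 1.2 = 0x800); the Enabled = 1 value next to DisabledByDefault = 0 is the companion value from the TechNet article and is an addition beyond what the post itself lists. Without -Apply it only reports what is present.

```powershell
# Added example: audit/apply the Windows 7 registry values for TLS 1.1/1.2
# discussed in posts #27 and #29. Assumes KB3140245 is installed; run elevated.
# Without -Apply nothing is written, only the current state is reported.
param([switch]$Apply)

# Bit values documented for DefaultSecureProtocols (KB3140245).
$TLS11 = 0x200
$TLS12 = 0x800
$Wanted = $TLS11 -bor $TLS12      # 0xA00 = TLS 1.1 + TLS 1.2, TLS 1.0 left out on purpose

# WinHTTP key; the Wow6432Node view only exists on 64-bit Windows.
$winHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ([Environment]::Is64BitOperatingSystem) {
    $winHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

# SCHANNEL client keys from post #29 (these may have to be created first).
$schannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$schannelKeys = @("$schannelBase\TLS 1.1\Client", "$schannelBase\TLS 1.2\Client")

function Get-DwordOrNull([string]$Path, [string]$Name) {
    # Returns the DWORD as an int, or $null when the key or value is absent.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-Dword([string]$Path, [string]$Name, [int]$Value) {
    # Creates the key if needed, then writes/overwrites the DWORD value.
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Format-State($Current) {
    if ($null -eq $Current) { return 'missing' }
    return ('0x{0:X}' -f $Current)
}

# 1) DefaultSecureProtocols: both TLS 1.1 and TLS 1.2 bits must be set.
foreach ($key in $winHttpKeys) {
    $cur = Get-DwordOrNull $key 'DefaultSecureProtocols'
    $ok = ($null -ne $cur) -and (($cur -band $Wanted) -eq $Wanted)
    Write-Output ("{0}`n  DefaultSecureProtocols = {1} [{2}]" -f $key, (Format-State $cur), $(if ($ok) { 'OK' } else { 'NEEDS CHANGE' }))
    if ($Apply -and -not $ok) {
        # Keep any bits already present (e.g. TLS 1.0 if the admin still needs it) and add ours.
        $new = $(if ($null -eq $cur) { $Wanted } else { $cur -bor $Wanted })
        Set-Dword $key 'DefaultSecureProtocols' $new
        Write-Output ("  -> set to 0x{0:X}" -f $new)
    }
}

# 2) SCHANNEL protocol keys: DisabledByDefault = 0 and Enabled = 1 per TLS version.
foreach ($key in $schannelKeys) {
    $disabled = Get-DwordOrNull $key 'DisabledByDefault'
    $enabled  = Get-DwordOrNull $key 'Enabled'
    $ok = ($disabled -eq 0) -and ($enabled -eq 1)
    Write-Output ("{0}`n  DisabledByDefault = {1}, Enabled = {2} [{3}]" -f $key, (Format-State $disabled), (Format-State $enabled), $(if ($ok) { 'OK' } else { 'NEEDS CHANGE' }))
    if ($Apply -and -not $ok) {
        Set-Dword $key 'DisabledByDefault' 0
        Set-Dword $key 'Enabled' 1
        Write-Output '  -> created/updated'
    }
}

if ($Apply) { Write-Output 'Done. Reboot (or at least restart Outlook) for the change to take effect.' }
```

    Run it once without -Apply to see which of the values a machine is missing; the "Easy Fix" typically leaves the SCHANNEL keys absent, which is exactly the case post #29 describes. The DefaultSecureProtocols write ORs the wanted bits into whatever is already there rather than replacing the value, so an administrator who still needs TLS 1.0 for another application does not lose it silently.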

  10. #30
    Hi guys,

    Due to the increasing number of complaints and support issues due to a very common OS and email client, we've reverted back to TLSv1 as the default.

    But as there is a need for PCI compliance (where you cannot do both at the same time), I've written this guide on how to change your SSL/TLS/cipher settings in Dovecot:
    https://help.directadmin.com/item.php?id=2072

    Sorry for the confusion, hopefully this will strike more of a balance with everyone

    John

  11. #31
    Join Date
    Aug 2005
    Posts
    107
    Excellent option. While the move to TLS > 1.0 makes complete sense, I'm sure there are probably many users still using older versions of Windows + Outlook (I do myself).

    It is a shame because there should be no reason why Microsoft cannot include the basic registry changes (mentioned in my post above) in an update or patch. The "Easy Fix" that they provide is 50% there, and could easily include the additional Protocol Keys that are required to resolve the issue.

    Then again...a fix that completely resolves the problem (for software without monthly fees) would not encourage new sales for software with subscription based licensing.

    $$$

  12. #32
    Join Date
    Jul 2008
    Location
    Maastricht
    Posts
    3,464
    That is exactly why we only disabled TLS v1.0 by default for Apache, which is a good thing, but waited with the change for Dovecot in the (maybe idle) hope that Microsoft will fix this in a better way, as they still support Windows 7 until 2020, which is still 2 years.

    My guess is they again did this, or slowed it down, on purpose to push more users to W10.
    Greetings, Richard.

  13. #33
    Join Date
    May 2008
    Posts
    741
    Quote Originally Posted by Vibe View Post
    ... no reason why Microsoft cannot include the basic registry changes
    There is a big reason - they wish the users to upgrade to higher version of Office and Windows.
