Dont we just love how our vendors inundate us with constant emails all of the time? I know that I LOVE that! Sometimes that comes back to bite us. One of those times is now as VMware Workspace ONE decided to finally kill off TLS 1.0/1.1 (which is a good thing!). I wonder if you happened to pay attention to this email?
Why Cant We Be Friends TLS 1.0 and 1.1?
People often wonder why we SSL, TLS, and friends cannot be used. I know its funny that Microsoft until recently still required TLS 1.0 for some services like Outlook. There are a number of reasons that TLS pre 1.2 is bad:
- TLS 1.0 and 1.1 require older insecure cipher suites.
- They are highly susceptible to downgrade attacks and depend on running SHA-1 hashes.
- The SSL handshake relies on a SHA-1 hash or a not stronger concatenation of MD-5 and SHA-1 hashes, which enable the ability to impersonate servers.
- TLS 1.0 and 1.1 do not allow their peers to use stronger has, which severely weakens things.
So, obviously using TLS 1.0 and 1.1 is a major issue. VMware has smartly decided to kill things off, which aligns with industry best standards albeit a bit lead. Now that we understand the issue, Lets discuss the impact of this lovely little issue. Before we move on, lets discuss the weak ciphers part of this.
In general, there are tons of ciphers that exist in the wild. These are the bad ones:
So those are all bad in general for the most part as we try to stick mainly with ECDHE ciphers. In the Workspace ONE space, I typically run these 3 ciphers on everything right now:
Basically, as long as you avoid weak ciphers like the list I mentioned above you are normally in good shape. Like with anything, we must make sure we do a really good job smoke testing after any changes because you never know what will be looking for some sort of weak ciphers (Im talking to you ENS service on the UAG).
Show Me On the Doll Where TLS 1.0 Touched You
So, what happens when this all goes to hell? Lets see!
That connection/request timed out situation is not good for anyone. Essentially, what happens is during the SSL handshake, which you can see below is the Cloud Connector tries to go say Hello! to the VMware Workspace ONE cloud with its magical TLS 1.0/1.1 and ciphers, but the server refuses to respond because it cant work with what your server is dealing with:
This mismatch causes the handshake between your server and VMwares servers to fail, thus making things go kaboom!
How to Fix Workspace ONE Issues with TLS 1.0/1.1
Check out my demo below to see how to remediate these issues:
As found in the Mobile Jon Github Repo, my code will help you address the issue by tightening up your SSL security posture after a reboot and will likely resolve your Cloud Connector shenanigans found here. No need to put 110 lines of code in the middle of the article, but you will get the idea.
If the code doesnt get you there, but you find other contributing factors, I would love to know. Its always interesting to learn how things adapt and how little things we dont think of create problems.
This weeks article isnt particularly long, but I think its helpful. VMwares article #1 was a bit too vague and points at random Microsoft articles, which doesnt help companies solve problems. The mystery of SSL is MAGIC and some of us are just getting to Hogwarts.