Disabling TLS 1.0 and 1.1

sebastian.ahlstedt · 7 August 2020 04:35

Hi Octopus Support,

I’ve disabled server-side TLS-1.0 and 1.1 in the registry and other services such as RDP respects it but somehow I can still connect to the tentacle (v.4.0.1.0) via TLS-1.[0-1]. Is there any way to only allow tls-1.2 (which works fine)?

Thanks in advance,
Sebastian

Kenneth_Bates · 7 August 2020 06:44

Hi Sebastian,

Welcome, and thanks for getting in touch! This is a great question, and one I can’t honestly say I know the answer to. However here are my thoughts (I’ve also raised this with my team to have a look at and see if there might be any factors I’m not considering).

Tentacle, from version 3.1 onwards, will use TLS 1.2 by default. So I’m thinking to only allow 1.2, it might be as straight forward as disabling TLS 1.0 and 1.1 on the Tentacle side as well, like what you’ve already done on the server side. Is that something you’ve already attempted?

Let me know if you have any followup questions in the meantime, and I’ll let you know if I get any more thoughts or conflicting opinions.

Best regards,

Kenny

sebastian.ahlstedt · 7 August 2020 06:49

Hi Kenny,

Thanks for the quick reply! I actually meant TLS 1.0 and 1.1 was disabled on the tentacle side (i.e. not Octopus Server). Everything I read on the subject says that the Tentacle should be using dot net/schannel so I don’t understand how it could work.

paul.calvert · 7 August 2020 07:20

Hi @sebastian.ahlstedt,

This does sound unusual, with those protocols disabled it shouldn’t be able to use them.

I want to set up a test environment to check this out, can I ask how you’re testing the TLS1.0 connectivity on the tentacle?
And have you got a screenshot of the IISCrypto configuration for the tentacle machine?
And lastly, what OS is the tentacle machine running?

Regards,
Paul

sebastian.ahlstedt · 7 August 2020 07:37

Hi Paul,

I used openssl to test:
for port in 3389 10933; do for protocol in tls1 tls1_1 tls1_2; do echo -ne "$protocol\t$port\t - ";echo “Q” | openssl s_client -$protocol -connect 172.26.101.109:$port &>/dev/null && echo OK || echo fail;done;done
tls1 3389 - fail
tls1_1 3389 - fail
tls1_2 3389 - OK
tls1 10933 - OK
tls1_1 10933 - OK
tls1_2 10933 - OK

I’ve observed it on both Server 2012R2 and Server 2016, here’s a screenshot from IISCrypto:

Thanks,
Sebastian

paul.calvert · 7 August 2020 09:49

I’ve just tested this on my local VM and the result does show only TLS1.2 working:

This VM is running Server 2019 though so that may be a factor, I’ll spin up a 2012R2 VM and re-test.

Regards,
Paul

paul.calvert · 7 August 2020 10:56

Ran the same test for a Server 2012R2 machine and I’m getting the same results, fails on tls1 and tls1_1 and success on tls1_2.

Forgive me for asking, but has the machine been restarted since the changes were made to the TLS config?

sebastian.ahlstedt · 10 August 2020 01:38

Hi again,

Thanks for testing @paul.calvert. I could have sworn the servers had been restarted but you’re making me doubt it now. I tried restarting just the tentacle service and that actually resolved it so I think you’re right.

We can consider this resolved, thanks again!

system · 10 September 2020 01:38

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.