dgoehler
Partner - Contributor III

SSL Labs: Grade F for Qlik Sense Server

Hi,

I checked our new Qlik Sense Server with SSL Labs and got Grade F.

[image: 001.png]

In order to be secure against the POODLE attack, I need to disable SSL 3. It's also recommended to enable TLS 1.2, which is disabled, and forward secrecy. How do I do that? There are no options regarding that in the QMC, only the SSL Cert Thumbprint.

[image: 002.png]

20 Replies
dgoehler
Partner - Contributor III
Author

No, unfortunately the current version of Qlik Sense Server (Version 2.2.1.0) seems to only support TLS 1.0 and neither TLS 1.1 nor TLS 1.2, and is vulnerable to MITM attacks because it supports insecure renegotiation (https://blog.qualys.com/ssllabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered), which is a freaking security nightmare.

Not applicable

Hi Dan,

Thanks for your response and the link.

We were able to get our hands on Qlik Sense Server (2.0.7) which does support TLS 1.2, but unfortunately even after upgrading to this version, we are still seeing that the server supports insecure renegotiation.  I'm not sure when Qlik plans to patch the insecure renegotiation vulnerability, but we are hoping that there is a way for us to do this on the OS level.

I'll let you know if I learn additional information after we meet with Qlik this afternoon.

Thanks,

Grace

Fredrik_Lautrup
Employee

In Qlik Sense and QlikView, when we use TLS/SSL this is built on the Windows OS implementation, which is configured and hardened in the OS.

Qlik's products in most cases will only secure components installed by Qlik. This means that an installation of Qlik Sense will not harden the SSL/TLS configuration of the operating system.

There are multiple guidelines that explain how to harden the Windows SSL/TLS configuration, which includes the registry setting for insecure renegotiation.

Regards

Fredrik

dgoehler
Partner - Contributor III
Author

Hi Fredrik,

I did that. I have two Windows Server 2008 R2 machines, one with IIS and one with Qlik Sense Server. On both systems I have disabled the same weak protocols, ciphers, hashes and key exchange algorithms with https://www.nartac.com/Products/IISCrypto/.

  • IIS gets Grade A from SSLLabs.com.
  • Qlik Sense Server gets Grade F, as described in my post on 01.02.2016 19:25.

I don't get why this issue is not taken seriously.

Best regards,

  Daniel Göhler

Not applicable

Hi Fredrik/Daniel,

Just want to provide an update. We were able to resolve the server security issue by:

  • Upgrading to a version of Qlik Sense that supports TLS1.2 (2.0.7)
  • Disabling insecure negotiation on the OS level by following the instructions that were posted above.
    • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]"DisableRenegoOnServer"=dword:00000001

Thanks,

Grace
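The two OS-level steps in this thread (turning SSL 3.0 off for POODLE, making sure TLS 1.2 is on, and setting DisableRenegoOnServer so the server refuses insecure renegotiation) are all SCHANNEL registry settings. The script below is an added example and not code from the thread or from Qlik; it applies those settings and prints the resulting per-protocol state so you can confirm what SCHANNEL will read after a reboot. The only value taken from the thread is DisableRenegoOnServer; the Protocols\<name>\Server and \Client keys with their Enabled and DisabledByDefault DWORDs are the standard SCHANNEL layout. As the thread shows, this only helps once the Qlik proxy itself is a version that negotiates TLS 1.2.

```powershell
# Added example (not from the thread or from Qlik). Run in an elevated PowerShell;
# SCHANNEL reads these keys at start, so reboot before re-running the SSL Labs scan.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,      # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled,
        [string[]]$Sides = @('Server', 'Client')  # hardening both sides is the usual choice
    )
    foreach ($side in $Sides) {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 + DisabledByDefault=1 switches a protocol off; the inverse switches it on.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([string[]]$Names = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($name in $Names) {
        $key   = Join-Path $schannel "Protocols\$name\Server"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        # A missing key means SCHANNEL uses the OS default for that Windows version
        # (TLS 1.2 is on by default on 2012 R2; on 2008 R2 it must be enabled explicitly).
        [pscustomobject]@{
            Protocol          = $name
            ServerEnabled     = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { 'OS default' }
            DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'OS default' }
        }
    }
}

# 1. POODLE mitigation: SSL 3.0 off (SSL 2.0 too, it has no legitimate use either).
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false

# 2. Make sure TLS 1.2 is available to the server and to outbound client connections.
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# 3. Refuse insecure (pre-RFC 5746) renegotiation, the value quoted in the thread.
New-ItemProperty -Path $schannel -Name 'DisableRenegoOnServer' -PropertyType DWord `
    -Value 1 -Force | Out-Null

# 4. Show what SCHANNEL will see after the reboot.
Get-SchannelProtocolState | Format-Table -AutoSize
Get-ItemProperty -Path $schannel -Name 'DisableRenegoOnServer'
```

Leaving TLS 1.0 and 1.1 untouched keeps older Qlik versions (which, per the thread, only speak TLS 1.0) reachable; disable them with the same function once the server has been upgraded to a TLS 1.2-capable release and the scan confirms it negotiates TLS 1.2.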

Fredrik_Lautrup
Employee

Was this run on Windows 2012 or Windows 2008?

Reading the mail chain and talking to R&D, we now have several tests showing that we can get an A on the test.

So the question is why we do not get the same results on Daniel's installations.

Anonymous
Not applicable

Hi Fredrik,

We are running on Windows 2012. We have managed to achieve grade C following the disabling of renegotiation. We still need to disable SSLv3 and upgrade to Sense 2.0.7, once it has been released, to make use of TLSv1.2.

Thanks for the follow up.

Kind Regards,

Darren Mac Kenna,

Product Manager | NetMap Analytics

dgoehler
Partner - Contributor III
Author

Hi Fredrik,

we are running Windows Server 2012 R2, fully patched, with DisableRenegoOnServer = 1 and Qlik Sense 2.1.1.0.

Best regards,

  Daniel Göhler

dgoehler
Partner - Contributor III
Author

Hi everyone,

good news. We installed all optional updates, not just the security updates. On Windows Server 2012 R2, fully patched, with DisableRenegoOnServer = 1 and Qlik Sense 2.1.1.0, we also get Grade C.

[image: Screenshot.png]

Best regards,

  Daniel Göhler

Bjorn_Wedbratt
Former Employee

Hi Daniel,

As Qlik Sense 2.2 is now available on our download site, you should be able to test it and verify that TLS 1.2 is supported, which should give you a grade A (it seems TLS 1.2 is the only missing piece according to your screenshot above).

Best,

Bjorn