Hi,
I checked our new Qlik Sense Server with SSL Labs and got Grade F.
In order to be secure against the POODLE attack, I need to disable SSL 3. It's also recommended to enable TLS 1.2, which is disabled, and forward secrecy. How do I do that? There are no options regarding that in the QMC, only the SSL Cert Thumbprint.
No, unfortunately the current version of Qlik Sense Server (Version 2.2.1.0) seems to only support TLS 1.0 and neither TLS 1.1 nor TLS 1.2, and is vulnerable to MITM attacks because it supports insecure renegotiation (https://blog.qualys.com/ssllabs/2009/11/05/ssl-and-tls-authentication-gap-vulnerability-discovered), which is a freaking security nightmare.
Hi Dan,
Thanks for your response and the link.
We were able to get our hands on Qlik Sense Server (2.0.7) which does support TLS 1.2, but unfortunately even after upgrading to this version, we are still seeing that the server supports insecure renegotiation. I'm not sure when Qlik plans to patch the insecure renegotiation vulnerability, but we are hoping that there is a way for us to do this on the OS level.
I'll let you know if I learn additional information after we meet with Qlik this afternoon.
Thanks,
Grace
In Qlik Sense and QlikView, when we use TLS/SSL this is built on the Windows OS implementation, which is configured and hardened in the OS.
Qlik's products in most cases will only secure components installed by Qlik. This means that an installation of Qlik Sense will not harden the SSL/TLS configuration of the operating system.
There are multiple guidelines that explain how to harden the SSL/TLS Windows configuration, which include the registry setting for insecure renegotiation.
Regards
Fredrik
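Since Fredrik's point is that Qlik Sense inherits whatever Schannel the Windows host offers, the hardening has to happen in the Schannel registry keys. The script below is an added example, not code from this thread or from Qlik: it disables SSL 2.0/3.0 (POODLE), enables TLS 1.2 (off by default on Windows Server 2008 R2 and 2012), and sets the DisableRenegoOnServer = 1 value that Daniel later mentions, which is the Schannel setting that refuses client-initiated renegotiation (it exists once the Schannel renegotiation update, MS10-049, is installed). The key paths and value names are the standard Schannel ones; the helper function name Set-SchannelProtocol is my own, and the script assumes it is run in an elevated PowerShell session followed by a reboot.

```powershell
# Added example: harden Schannel on a Windows Server that hosts Qlik Sense.
# Run elevated; Schannel reads these values only at boot, so reboot afterwards.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Helper (hypothetical name): enable or disable one protocol for both
# the Server and Client side of Schannel.
function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Name,    # e.g. 'SSL 3.0', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $schannel "Protocols\$Name\$side"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 + DisabledByDefault=1 turns a protocol off completely;
        # Enabled=1 + DisabledByDefault=0 turns it on.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# POODLE: SSL 3.0 must go (SSL 2.0 as well; nothing legitimate needs it).
Set-SchannelProtocol -Name 'SSL 2.0' -Enabled $false
Set-SchannelProtocol -Name 'SSL 3.0' -Enabled $false

# TLS 1.2 is present but not enabled by default on 2008 R2 / 2012; switch it on.
Set-SchannelProtocol -Name 'TLS 1.2' -Enabled $true

# Insecure renegotiation: refuse renegotiation initiated by the client.
New-ItemProperty -Path $schannel -Name 'DisableRenegoOnServer' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# Show what was written so the change can be checked before rebooting.
Get-ItemProperty -Path (Join-Path $schannel 'Protocols\SSL 3.0\Server') |
    Select-Object Enabled, DisabledByDefault
Get-ItemProperty -Path (Join-Path $schannel 'Protocols\TLS 1.2\Server') |
    Select-Object Enabled, DisabledByDefault
Get-ItemProperty -Path $schannel -Name 'DisableRenegoOnServer' |
    Select-Object DisableRenegoOnServer
Write-Host 'Schannel settings written; reboot for them to take effect.'
```

Two caveats a practitioner will want: first, disabling a protocol on the Client side of Schannel also affects outbound connections the same box makes (for example from the Qlik services to other servers), so check that those peers speak TLS 1.2 before applying the Client half; second, the forward-secrecy finding from SSL Labs is about cipher-suite preference, not protocol versions, and is controlled separately through the SSL Cipher Suite Order policy (ECDHE suites first), which a tool like IIS Crypto can set alongside these keys.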
Hi Fredrik,
I did that. I have two Windows Server 2008 R2 machines, one with IIS and one with Qlik Sense Server. In both systems I have disabled the same weak protocols, ciphers, hashes and key exchange algorithms with https://www.nartac.com/Products/IISCrypto/.
I don't get why this issue is not taken seriously.
Best regards,
Daniel Göhler
Hi Fredrik/Daniel,
Just want to provide an update. We were able to resolve the server security issue by:
Thanks,
Grace
Was this run on Windows 2012 or Windows 2008?
Reading the mail chain and talking to R&D, we now have several tests showing that we can get an A on the test.
So the question is why we do not get the same results on Daniel's installations.
Hi Fredrik,
We are running on Windows 2012. We have managed to achieve Grade C following the disabling of renegotiation. We still need to disable SSLv3 and upgrade to Sense 2.0.7, once it has been released, to make use of TLSv1.2.
Thanks for the follow-up.
Kind Regards,
Darren Mac Kenna,
Product Manager | NetMap Analytics
Hi Fredrik,
We are running Windows Server 2012 R2, fully patched, with DisableRenegoOnServer = 1 and Qlik Sense 2.1.1.0.
Best regards,
Daniel Göhler
Hi everyone,
Good news. We installed all optional updates, not just the security updates, on Windows Server 2012 R2, fully patched, with DisableRenegoOnServer = 1 and Qlik Sense 2.1.1.0; we also get Grade C.
Best regards,
Daniel Göhler
Hi Daniel,
As Qlik Sense 2.2 is now available on our download site, you should be able to test it and verify that TLS 1.2 is supported, which should give you a Grade A (it seems TLS 1.2 is the only missing piece according to your screenshot above).
Best,
Bjorn