Unlock a world of possibilities! Login now and discover the exclusive benefits awaiting you.
May 29, 2023 5:14:06 AM
Aug 23, 2017 11:20:49 AM
Qlik Sense URL(s) tested on SSLlabs (ssllabs.com) return the following weak Cipher suites:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK
The steps documented in this article are an example of how cipher suites can be disabled. All steps are to be performed by a Windows Administrator on Windows level and cannot be supported by Qlik Support.
We recommend to consulting with your security or Windows administrator before proceeding as they may have automated practices in place.
The security in Qlik Sense does not depend only on the Qlik Sense software. It also relies on the security of the environment that Qlik Sense operates in. This means that the security of, for example, the operating system and the cryptographic protocols (such as TLS/SSL) has to be set up and configured to provide the security needed for Qlik Sense. See Protecting the platform.
You can review and configure the cipher suites order using a Group Policy. See Manage Transport Layer Security (TLS) | Microsoft Learn.
Please refer to fig 1:
This policy determines the cipher suites used by the Secure Socket Layer (SSL). If you enable the policy setting, SSL cipher suites are prioritized in the order specified.
If you disable or do not configure this policy setting, the factory default cipher suite order is used.
SSL2, SSL3, TLS 1.0 and TLS 1.1 cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_RC4_128_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_RC4_128_MD5 SSL_CK_RC4_128_WITH_MD5 SSL_CK_DES_192_EDE3_CBC_WITH_MD5 TLS_RSA_WITH_NULL_SHA TLS_RSA_WITH_NULL_MD5
TLS 1.2 SHA256 and SHA384 cipher suites:
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS 1.2 ECC GCM cipher suites: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521
How to modify this setting:
Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows
Qlik Sense Enterprise on Windows any version
Hello, @Sonja_Bauernfeind
This original article is from August 2017 but this shows updated in May 2021. Do these steps apply to Qlik Sense April 2020 Patch 5? According to QB-3248, Qlik Sense only began using Windows registry and group policy to control TLS and cipher settings as of May 2021. Is this right?
Can I change the cipher suites Qlik Sense Proxy service uses without upgrading Qlik Sense from April 2020? i.e., by making some configuration change or using the latest patch for April 2020?
Thank you!
Hello @wesleytabaka
This is still accurate, yes. The intention is that Qlik Sense relies on the Ciphers enabled or disabled on the operating system level across the board.
We recommend using 3rd party tools, such as IIS Crypto, (https://www.nartac.com/Products/IISCrypto) to easily enable or disable them.
We have still findings after using ISSCrypto for port 9200, in qlik help i found "Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows"
I am working with a customer's security team on cyber assessment.
Sec team has highlighted below cipher suites are weak and needs to be disabled.
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
We followed this article and removed above cipher suites from the list in group policy. Sec team has performed cyber assessment again to verify and still they can see these ciphers in the assessment.
Do you have any insights on this?