Official Support Articles

Sonja_Bauernfeind · ‎2015-10-08

There are environments where the cryptographic protocols available to the Windows Operating System need to be restricted for security or compliance reasons. This article will outline where various TLS versions are supported. This article will not have full coverage of the impact of TLS changes to other software installed on the Qlik Sense server. For examples of potential impacts:

Environment:

Qlik Sense Enterprise on Windows , all versions

Resolution:

Current versions of Qlik Sense:

Support for TLS 1.2 in all currently supported versions such as June 2017 through and later.
TLS 1.3/2.0 are not yet fully supported. More information under TLS protocol version support - Protocols in TLS/SSL (Schannel SSP)

Note: Prior to Qlik Sense Enterprise on Windows April 2018 release, certain internal only micro-services will still listen using TLS 1.0 / 1.1.

Reference Defect: QLIK-95026 / License.exe using weaker cipher suits. This is fixed in Qlik Sense September 2019 and higher: see License Service's Ciphers Being Flagged by Security Scan.
Reference Defect: QLIK-85492 / Node.exe still listening to TLS1.0/1.1 or SSL even after disable them in Windows. This is resolved in Qlik Sense April 2018 (12.16.2), under a scan it would appear that TLS 1.0/1.1 is still using port 9090 but not actively using it thus honoring the spirit of the change in function.
Further Reading: Qlik Sense Ports not honouring TLS version prior to April 2018

Qlik Sense older and unsupported versions:

Support for TLS 1.2:
- Qlik Sense 2.0.7
- Qlik Sense 2.2
- Reference Defect: QLIK-41579 / TLS 1.2 is not supported by the proxy

Support for TLS 1.2 only (with TLS 1.0 and TLS 1.1 disabled) for all external facing ports:
- Qlik Sense 3.0.5, 3.1.4, 3.2.0, and higher.

Implementation

To enable strong TLS implementation make sure to have all your servers updated to a version of both the operating system and the Qlik software, which explicitly detail they support the required version of TLS.

There are two application methods:

Using a third-party toolset

In addition, other administrative tools can be used to enable and disable SSL / TLS, such as Supported TLS and SSL Protocols and Ciphers.

If you have a clustered environment with multiple nodes spread across different machines, please make sure to enable the same subset of protocols on all Sense machines, otherwise the services will not be able to successfully communicate.

Manual

The correct protocol and cipher can then be automatically applied using the PowerShell (PS) script attached to this article or as described below.

WARNING: Changes to Windows' registry may damage to your server installation if not done properly. Always make sure to have a backup and restoration plan in place before altering Windows' registry.

TLS1.2Script.gif

The PS script attached to this article disables SSL v2.0 and v3.0, TLS 1.0 and TLS 1.1, and PCT 1.0. It enables only TLS 1.2.

The changes will be implemented in the following Windows registry paths:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2

PowerShell code

Remember that if copying this script into a text-file, the encoding may be set to Unicode by default which will throw off PowerShell. Convert to ANSI and you should be good to go. Ideally, if copying the text below, paste it in PowerShell ISE and then run it. The file attached (Enable_TLS_1.2.Script_v1.3.5.ps1) can be downloaded and opened with PowerShell ISE instead.

### BEGINNING OF SCRIPT ###

<# 
.SYNOPSIS
    Configure and harden the TLS/SSL protocols in Windows.
.DESCRIPTION
    Sets the registry keys needed to affect how Windows, and .NET powered applications, should configure their SSL/TLS protocols
.NOTES
    Author: Qlik R&D
.PARAMETER ssl3
    Boolean. Turns support for SSLv3 on or off.
    Default off
.PARAMETER tls1
    Boolean. Turns support for TLSv1 on or off.
    Default on
.PARAMETER tls11
    Boolean. Turns support for TLSv1.1 on or off.
    Default on
.PARAMETER tls12
    Boolean. Turns support for TLSv1.2 on or off.
    Default on
.PARAMETER setCipherSuites
    Boolean. This is used to set whether or not the ciphersuites should be arranged according to best practices.
    Default on
.EXAMPLE
    ./tls_config_2.0.ps1 -ssl3 0 -tls1 0 -tls11 0 -tls12 1
#>
# Version History:
#1.3.5
#    Added a note that Remote Desktop on old machines might need a patch to work with TLS v1.2
#1.3.4
#    Highlighted the information that the script is unsigned and a command needs to be executed first.
#1.3.3
#    Minor tweaks to the help section
# 1.3.2
#    Rewrote the help section. Now the user can query the script for a help-section using "get-help <script-name>"
# 1.3.1
#   Updated the cipher suite list and added a switch for setting the ciphersuites
# 1.2.1
#   Minor fixes to printouts
# 1.2
#   Added a crude way of selecting which protocols to enable and disable dynamically. Code be improved later on, but works well enough to solve the problem at hand.
# 1.1
#   Minor tweaks to the settings.
# 1.0
#    Initial version. Configures all necessary settings in an easy to read manner.
#

###############################################################################

param([boolean]$ssl3 = 0, [boolean]$tls1 = 0, [boolean]$tls11 = 0, [boolean]$tls12 = 1, [boolean]$setCipherSuites = 1)

function setProtocol([string]$Enabled, [int]$DisabledByDefault, [string]$ProtocolVersion)
{
    New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$ProtocolVersion\Server" -Force | Out-Null
    New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$ProtocolVersion\Client" -Force | Out-Null
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$ProtocolVersion\Server" -name Enabled -value $Enabled -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$ProtocolVersion\Client" -name Enabled -value $Enabled -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$ProtocolVersion\Server" -name 'DisabledByDefault' -value $DisabledByDefault -PropertyType 'DWord' -Force | Out-Null
    New-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$ProtocolVersion\Client" -name 'DisabledByDefault' -value $DisabledByDefault -PropertyType 'DWord' -Force | Out-Null
}

Write-Host ' '
Write-Host -ForegroundColor Red 'Important: This script is unsigned. To execute it anyway, you need to run the following command first: "set-executionpolicy unrestricted"'
Write-Host ' '
Write-Host -ForegroundColor Yellow 'Note: If only TLS v1.2 is enabled and the server or client is Windows 7 or Windows 2008, then Remote Desktop might stop working. This is most likely due to a missing patch. Read more here: https://support.microsoft.com/en-us/kb/3080079';
Write-Host 'This script will configure and harden the TLS/SSL protocols in Windows.'
Write-Host 'Run the command "get-help <scriptname>" to get more information about what settings are available.'
Write-Host 'Only run this script if you accept the risk of affecting the OS or other applications in potentially unexpected ways.'
Write-Host ' '
Write-Host -nonewline "Continue? (Y/N) "
$response = read-host
if ( $response -ne "Y" ) { exit }
Write-Host ' '
Write-Host '======================================================================'
Write-Host ' Configuring Security Providers'
Write-Host '======================================================================'
# Reference: https://technet.microsoft.com/en-us/library/dn169026(v=ws.10).aspx
# “SecurityProviders”=”msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll”
Write-Host -ForegroundColor Green 'Enabling "Credential Security Service Provider" and "Schannel Security Support Provider"'
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders' -name SecurityProviders -value "credssp.dll, schannel.dll" -PropertyType 'String' -Force | Out-Null

#Write-Host 'Configuring Schannel Security Support Provider'
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -name AllowInsecureRenegoServers -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -name AllowInsecureRenegoClients -value 0 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' -name DisableRenegoOnServer -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host ' '
Write-Host '======================================================================'
Write-Host ' Configuring Protocols'
Write-Host '======================================================================'
# The script can certainly can be improved on from a functional point of view, but it is designed for readability and changeability and hence extra verbose and explicit in its approach.

# Lets just disable this one
Write-Host -ForegroundColor Red 'Disabling Private Communications Technology (PCT)'
setProtocol 0 1 'PCT 1.0'

# Lets just disable this one
Write-Host -ForegroundColor Red 'Disabling SSL v2.0'
setProtocol 0 1 'SSL 2.0'

if($ssl3) {
    Write-Host -ForegroundColor Green 'Enabling SSL v3.0'
    setProtocol -1 0 'SSL 3.0'
} Else {
    Write-Host -ForegroundColor Red 'Disabling SSL v3.0'
    setProtocol 0 1 'SSL 3.0'
}

if($tls1) {
    Write-Host -ForegroundColor Green 'Enabling TLS v1.0'
    setProtocol -1 0 'TLS 1.0'
} Else {
    Write-Host -ForegroundColor Red 'Disabling TLS v1.0'
    setProtocol 0 1 'TLS 1.0'
}

if($tls11) {
    Write-Host -ForegroundColor Green 'Enabling TLS v1.1'
    setProtocol -1 0 'TLS 1.1'
} Else {
    Write-Host -ForegroundColor Red 'Disabling TLS v1.1'
    setProtocol 0 1 'TLS 1.1'
}

if($tls12) {
    Write-Host -ForegroundColor Green 'Enabling TLS v1.2'
    setProtocol -1 0 'TLS 1.2'
} Else {
    Write-Host -ForegroundColor Red 'Disabling TLS v1.2'
    setProtocol 0 1 'TLS 1.2'
}

Write-Host ' '
Write-Host '======================================================================'
Write-Host ' Configuring Key Exchange Algorithms'
Write-Host '======================================================================'
Write-Host -ForegroundColor Green 'Enabling Diffie-Hellman' 
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Green 'Enabling ECDH'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Green 'Enabling PKCS'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host ' '
Write-Host '======================================================================'
Write-Host ' Configuring Hashes'
Write-Host '======================================================================'
Write-Host -ForegroundColor Red 'Disabling MD5'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Green 'Enabling SHA-1'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Green 'Enabling SHA-256'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Green 'Enabling SHA-384'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Green 'Enabling SHA-512'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512' -name Enabled -value -1 -PropertyType 'DWord' -Force | Out-Null

Write-Host ' '
Write-Host '======================================================================'
Write-Host ' Configuring Ciphers'
Write-Host '======================================================================'
Write-Host -ForegroundColor Red 'Disabling DES'
$writable = $true
$DESkey = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("DES 56/56")
$DESkey.SetValue("Enabled", 0)

Write-Host -ForegroundColor Red 'Disabling NULL'
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' -name Enabled -value 0 -PropertyType 'DWord' -Force | Out-Null

Write-Host -ForegroundColor Red 'Disabling RC2'
$RC2128key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC2 128/128")
$RC2128key.SetValue("Enabled", 0)

$RC240key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC2 40/128")
$RC240key.SetValue("Enabled", 0)

$RC256key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC2 56/128")
$RC256key.SetValue("Enabled", 0)

Write-Host -ForegroundColor Red 'Disabling RC4'
$RC4128key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC4 128/128")
$RC4128key.SetValue("Enabled", 0)

$RC440key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC4 40/128")
$RC440key.SetValue("Enabled", 0)

$RC456key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC4 56/128")
$RC456key.SetValue("Enabled", 0)

$RC464key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("RC4 64/128")
$RC464key.SetValue("Enabled", 0)

Write-Host -ForegroundColor Green 'Enabling AES 128'
$AES128key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("AES 128/128")
$AES128key.SetValue("Enabled", -1)

Write-Host -ForegroundColor Green 'Enabling AES 256'
$AES256key = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("AES 256/256")
$AES256key.SetValue("Enabled", -1)

# This has dependencies to clients still running Windows XP
Write-Host -ForegroundColor Green 'Enabling 3DES'
$3DESkey = (get-item HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\).OpenSubKey("Ciphers", $writable).CreateSubKey("Triple DES 168/168")
$3DESkey.SetValue("Enabled", -1)

if($setCipherSuites)
{
    Write-Host ' '
    Write-Host '======================================================================'
    Write-Host ' Configuring Ciphersuites'
    Write-Host '======================================================================'
    Write-Host -ForegroundColor Green 'Reordering cipersuites according to strength'
    # Order according to article from June 2016: https://support.microsoft.com/sv-se/kb/3161639
    # The list of ciphersuites will include all variants, but the settings above will actually turn off the ones that are unwanted.
    # This approach will allow for easy modification of allowed ciphersuites without having to go through the list and enable/disable individual ones.

    $cipherSuitesOrder = @(
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA',
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA256',
    'TLS_RSA_WITH_AES_128_CBC_SHA256',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256',
    'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA256',
    'TLS_DHE_DSS_WITH_AES_256_CBC_SHA',
    'TLS_DHE_DSS_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_RC4_128_MD5',
    'TLS_RSA_WITH_NULL_SHA256',
    'TLS_RSA_WITH_NULL_SHA',
    'SSL_CK_RC4_128_WITH_MD5',
    'SSL_CK_DES_192_EDE3_CBC_WITH_MD5'
    )
    $cipherSuitesAsString = [string]::join(',', $cipherSuitesOrder)
    New-ItemProperty -path 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' -name 'Functions' -value $cipherSuitesAsString -PropertyType 'String' -Force | Out-Null
}

Write-Host ' '
Write-Host ' '
Write-Host 'TLS/SSL configuration is done. The server may have to be restarted for these settings to apply properly.'

### END OF SCRIPT ###

References

[1] Deprecating Secure Sockets Layer Version 3.0, June 20, _https://tools.ietf.org/html/rfc7568_
[2] SslProtocols Enumeration, https://msdn.microsoft.com/en-us/library/system.security.authentication.sslprotocols(v=vs.100).aspx
[3] TLS/SSL Settings, technet.microsoft.com, https://technet.microsoft.com/en-us/library/dn786418.aspx
[4] QV-3642, Security: Enable TLS v1.1 and v1.2 support in server components, http://jira.qliktech.com/browse/QV-3642
[5] QlikView 11.20 SR 16 Release Notes (obtained through Customer Downloads site)

HendrikJ · ‎2021-01-28

@Sonja_Bauernfeind

Is there an updated version of this that shows how to configure Qlik Sense properly with up to date ciphers?

I already posted this elsewhere:

I know this is old, but unfortunately, this still is an issue.

The license service, chat service, proxy service, and others popped up in a security scan for weak ciphers or known vulnerabilities.

We then configured the ciphers for the license service manually:

-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

Unfortunately, that still leaves us with ciphers with no forward secrecy. If we remove the RSA ciphers, Qlik does not work anymore, probably because the other services can not talk to the license service anymore.

This is also the case for other Qlik services (webchat and others). We already had to remove all CBC ciphers system wide (because of the Goldendoodle vulnerability of the Qlik Proxy), and we now need to disable all RSA ciphers also (see https://support.qlik.com/articles/000115202). That in turn makes Qlik not work anymore.
I would be very happy if someone could please point me in a direction where I can find a collection of ciphers and settings that I can enable so the various Qlik services are using up to date ciphers with forward secrecy and everything still works. I was not able to find anything like that so far.

Sonja_Bauernfeind · ‎2021-01-29

@HendrikJ Let me see what I can dig up for you!

Sonja_Bauernfeind · ‎2021-01-29

Hello again @HendrikJ

I've connected with some of our Subject Matter Experts - and since this would fall back to specific ciphers and services, we'd need to request a support ticket where you can outline exactly which ciphers are causing issues and which services. We can then reproduce this inhouse by disabling the same ciphers - and take our findings to our internal security team for review.

I've also been pinged by one of our engineers in the meantime and looks like a ticket might have already been created.

HendrikJ · ‎2021-01-29

Thanks a lot @Sonja_Bauernfeind ! That's correct, one of my colleagues opened a ticket for this.

I just did some testing with Qlik November 2020 newest patchlevel, and it looks much better than the older version. I may actually be able to use TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 with everything and Qlik still seems to work. That should satisfy our security requirements.