Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Allardata
Creator
Creator
‎2015-06-09 09:20 AM

SSL certificate: Chrome browser warning about encryption TLS 1.0

I installed a company SSL browser certificate thumbprint, in the Qlik Sense QMC under the tab "Security" tab in the "Proxies" configuration. Most computers and browsers now indicate "The identity of this website has been verified ..." accompanied by a re-assuring green lock icon in front of the https URL.

There is a second notification, which I don't understand. It says:

"Your connection to x is encrypted with obsolete cryptography. This connection uses TLS 1.0. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."

20150609 - Browser SSL notification for Qlik - Obsolete Cryptography 2.jpg

Some systems however don't display this second notification with a green indicator, but as a red cross. Indicating this is an issue with the https prefix marked with red strikethrough...

My IT department advised me to look for settings in the Qlik Proxy to discard TLS 1.0 requests.

I'm not familiar with SSL and this kind of (network) security, so I'm not sure what I should do. Anyone?

5,030 Views
0 Likes
1 Solution

Accepted Solutions
Allardata
Creator
Creator
‎2015-06-19 07:11 AM
Author

In response to Giuseppe_Novello

Indeed. I have had an internal discussion with our IT department, and had contact with Qlik Support. I now understand the situation better, and more importantly: I have enough confidence there is no immediate security risk.

Some additional info that might be relevant for others with the same situation/questions:

  • Once Qlik is made available outside our company domain the F5 (load balancer) will probably be able to provide additional SSL/HTTPS security configurations. Then this issue deserves a closer look and further investigation/action on how to handle/block TLS1.0 requests.
  • There is no explicit way to configure Sense into blocking certain request types (e.g. TLS1.0).
  • Browser, OS and .NET framework influence what cryptography systems use. Smart thing to keep them all updated.
  • No immediate security risk, when TLS 1.0 is used.
  • I updated the OS and browser version on the machines that used to show a red-lock-indicator, and they now indicate a reassuring green-lock-indicator. The notification about obsolete cryptography is accepted as this moment.

View solution in original post

1,891 Views
0 Likes
4 Replies
Giuseppe_Novello
Support
Support
‎2015-06-15 09:04 AM

Allard,

It doesn't seems to be related to Qlik Sense or the Proxy, It seems to be something related to the type of form you made the certificate and Chrome:
ssl - IIS TLS Certificate - Chrome says we are using "obsolete cryptography" - Stack Overflow

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
1,891 Views
Allardata
Creator
Creator
‎2015-06-16 07:29 AM
Author

In response to Giuseppe_Novello

Useful link! And in there is another reference to a rather technical page about TLS:

TLS / SSL - The Chromium Projects

"Obsolete Cipher Suites

You may see: “Your connection to example.com is encrypted with obsolete cryptography.”

This means that the connection to the current website is using an outdated cipher suite (which Chrome still allows if the server insists on it).
In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."

Still a bit confused if, and how, I could solve this for all Chrome users using Qlik. Either by:

  1. Setting security less strict (is it safe?). Probably a separate setting for each computer
  2. Changing something in Qlik
  3. Doing something with the existing or a new (type) of certificate
1,891 Views
0 Likes
Giuseppe_Novello
Support
Support
‎2015-06-16 12:16 PM

In response to Allardata

Allard,

I can't help much there, since I not a expert with TLS/SSL expert, but I don't believe there's anything on Qlik Sense side that you can modify. Do you see the same issue with other browsers like IE11 or FF?  But it seems something with Chrome is delicate the form of certificate is made.

Gio

Giuseppe Novello
Principal Technical Support Engineer @ Qlik
1,891 Views
Allardata
Creator
Creator
‎2015-06-19 07:11 AM
Author

In response to Giuseppe_Novello

Indeed. I have had an internal discussion with our IT department, and had contact with Qlik Support. I now understand the situation better, and more importantly: I have enough confidence there is no immediate security risk.

Some additional info that might be relevant for others with the same situation/questions:

  • Once Qlik is made available outside our company domain the F5 (load balancer) will probably be able to provide additional SSL/HTTPS security configurations. Then this issue deserves a closer look and further investigation/action on how to handle/block TLS1.0 requests.
  • There is no explicit way to configure Sense into blocking certain request types (e.g. TLS1.0).
  • Browser, OS and .NET framework influence what cryptography systems use. Smart thing to keep them all updated.
  • No immediate security risk, when TLS 1.0 is used.
  • I updated the OS and browser version on the machines that used to show a red-lock-indicator, and they now indicate a reassuring green-lock-indicator. The notification about obsolete cryptography is accepted as this moment.
1,892 Views
0 Likes