I installed a company SSL browser certificate thumbprint in the Qlik Sense QMC, under the "Security" tab in the "Proxies" configuration. Most computers and browsers now indicate "The identity of this website has been verified ..." accompanied by a reassuring green lock icon in front of the https URL.
There is a second notification, which I don't understand. It says:
"Your connection to x is encrypted with obsolete cryptography. This connection uses TLS 1.0. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."
Some systems, however, don't display this second notification with a green indicator, but with a red cross, indicating this is an issue, with the https prefix marked with a red strikethrough...
My IT department advised me to look for settings in the Qlik Proxy to discard TLS 1.0 requests.
I'm not familiar with SSL and this kind of (network) security, so I'm not sure what I should do. Anyone?
Indeed. I have had an internal discussion with our IT department, and had contact with Qlik Support. I now understand the situation better, and more importantly: I have enough confidence there is no immediate security risk.
Some additional info that might be relevant for others with the same situation/questions:
Allard,
It doesn't seem to be related to Qlik Sense or the Proxy. It seems to be something related to the form in which you made the certificate, and Chrome:
ssl - IIS TLS Certificate - Chrome says we are using "obsolete cryptography" - Stack Overflow
Useful link! And in there is another reference to a rather technical page about TLS:
TLS / SSL - The Chromium Projects
"Obsolete Cipher Suites
You may see: “Your connection to example.com is encrypted with obsolete cryptography.”
This means that the connection to the current website is using an outdated cipher suite (which Chrome still allows if the server insists on it).
In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."
Still a bit confused if, and how, I could solve this for all Chrome users using Qlik. Either by:
Allard,
I can't help much there, since I'm not a TLS/SSL expert, but I don't believe there's anything on the Qlik Sense side that you can modify. Do you see the same issue with other browsers like IE11 or FF? But it seems Chrome is delicate about the form in which the certificate is made.
Gio
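The criteria quoted from the Chromium page (forward secrecy plus AES-GCM or CHACHA20_POLY1305) can be checked against whatever a server actually negotiates. The following is an added example, not part of any post in this thread and not Qlik or Chromium code; the function names `assess` and `probe` are hypothetical, and the sample connections are constructed.

```python
import socket
import ssl

AEAD_MARKERS = ("GCM", "CHACHA20")     # AES-GCM or CHACHA20_POLY1305
FS_MARKERS = ("ECDHE", "DHE")          # ephemeral key exchange gives forward secrecy
AEAD_CAPABLE = ("TLSv1.2", "TLSv1.3")  # AEAD suites are not defined before TLS 1.2


def assess(protocol, cipher):
    """Return the reasons a connection misses the quoted criteria.

    An empty list means forward secrecy plus AES-GCM or CHACHA20_POLY1305.
    Accepts OpenSSL-style (ECDHE-RSA-AES256-SHA) or IANA-style suite names;
    protocol uses the strings Python's SSLSocket.version() returns.
    """
    name = cipher.upper().replace("-", "_")
    reasons = []
    if protocol not in AEAD_CAPABLE:
        reasons.append(f"{protocol} cannot negotiate AES-GCM or CHACHA20_POLY1305")
    if not any(m in name for m in AEAD_MARKERS):
        reasons.append("cipher is not AES-GCM or CHACHA20_POLY1305")
    # TLS 1.3 suite names omit the key exchange; it is always ephemeral there.
    if protocol != "TLSv1.3" and not any(m in name for m in FS_MARKERS):
        reasons.append("key exchange has no forward secrecy")
    return reasons


def probe(host, port=443, timeout=5):
    """Connect to your own server and return (protocol, cipher) as negotiated.

    A current Python/OpenSSL client may refuse TLS 1.0 outright, in which
    case the handshake raises ssl.SSLError instead of returning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    # Constructed samples; the first mirrors the connection in the question.
    samples = [
        ("TLSv1", "ECDHE-RSA-AES256-SHA"),
        ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
        ("TLSv1.2", "AES256-GCM-SHA384"),
    ]
    for proto, cipher in samples:
        verdict = assess(proto, cipher)
        print(proto, cipher, "->", "modern" if not verdict else "; ".join(verdict))
```

For the connection described in the question, the key exchange already provides forward secrecy; the protocol version and the CBC/SHA1 cipher are what fail the check, which is why the server's protocol and cipher configuration matters here and the certificate does not.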