4 Replies Latest reply: Jun 19, 2015 7:11 AM by Allard Couwenberg

    SSL certificate: Chrome browser warning about encryption TLS 1.0

    Allard Couwenberg

      I installed a company SSL browser certificate thumbprint in the Qlik Sense QMC, under the "Security" tab in the "Proxies" configuration. Most computers and browsers now indicate "The identity of this website has been verified ..." accompanied by a reassuring green lock icon in front of the https URL.

       

      There is a second notification, which I don't understand. It says:

      "Your connection to x is encrypted with obsolete cryptography. This connection uses TLS 1.0. The connection is encrypted using AES_256_CBC, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism."


      Some systems, however, don't display this second notification with a green indicator, but as a red cross, indicating this is an issue, with the https prefix marked with red strikethrough...

       

      My IT department advised me to look for settings in the Qlik Proxy to discard TLS 1.0 requests.

      I'm not familiar with SSL and this kind of (network) security, so I'm not sure what I should do. Anyone?

        • Re: SSL certificate: Chrome browser warning about encryption TLS 1.0
          Giuseppe Novello

          Allard,

           

          It doesn't seem to be related to Qlik Sense or the Proxy. It seems to be something related to the form in which you made the certificate and Chrome:
          ssl - IIS TLS Certificate - Chrome says we are using "obsolete cryptography" - Stack Overflow

            • Re: SSL certificate: Chrome browser warning about encryption TLS 1.0
              Allard Couwenberg

              Useful link! And in there is another reference to a rather technical page about TLS:

              TLS / SSL - The Chromium Projects

              "Obsolete Cipher Suites

              You may see: “Your connection to example.com is encrypted with obsolete cryptography.”

              This means that the connection to the current website is using an outdated cipher suite (which Chrome still allows if the server insists on it).
              In order for the message to indicate “modern cryptography”, the connection should use forward secrecy and either AES-GCM or CHACHA20_POLY1305. Other cipher suites are known to have weaknesses. Most servers will wish to negotiate TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256."

               

              Still a bit confused if, and how, I could solve this for all Chrome users using Qlik. Either by:

              1. Setting security less strict (is it safe?). Probably a separate setting for each computer
              2. Changing something in Qlik
              3. Doing something with the existing or a new (type of) certificate
                • Re: SSL certificate: Chrome browser warning about encryption TLS 1.0
                  Giuseppe Novello

                  Allard,

                   

                  I can't help much there, since I'm not a TLS/SSL expert, but I don't believe there's anything on the Qlik Sense side that you can modify. Do you see the same issue with other browsers like IE11 or FF? But it seems Chrome is delicate about the form in which the certificate is made.

                   

                  Gio

                    • Re: SSL certificate: Chrome browser warning about encryption TLS 1.0
                      Allard Couwenberg

                      Indeed. I have had an internal discussion with our IT department, and had contact with Qlik Support. I now understand the situation better, and more importantly: I have enough confidence there is no immediate security risk.

                       

                      Some additional info that might be relevant for others with the same situation/questions:

                      • Once Qlik is made available outside our company domain the F5 (load balancer) will probably be able to provide additional SSL/HTTPS security configurations. Then this issue deserves a closer look and further investigation/action on how to handle/block TLS1.0 requests.
                      • There is no explicit way to configure Sense into blocking certain request types (e.g. TLS1.0).
                      • Browser, OS and .NET framework influence what cryptography systems use. Smart thing to keep them all updated.
                      • No immediate security risk, when TLS 1.0 is used.
                      • I updated the OS and browser version on the machines that used to show a red-lock-indicator, and they now indicate a reassuring green-lock-indicator. The notification about obsolete cryptography is accepted at this moment.
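
Added example (not part of the thread and not Qlik or Chromium code): a Python check that applies the criteria from the Chromium text quoted above (forward secrecy plus AES-GCM or CHACHA20_POLY1305) to a negotiated protocol and cipher suite, and can probe a server to see what it negotiates. The function names `classify` and `probe`, and the list of protocol versions treated as old, are assumptions of this example.

```python
import socket
import ssl

# Criteria from the quoted Chromium text: forward secrecy plus AES-GCM or
# CHACHA20_POLY1305. Flagging the protocols below is an assumption of this
# example, based on the browser message naming TLS 1.0 explicitly.
FS_KEY_EXCHANGES = ("ECDHE", "DHE")
AEAD_CIPHERS = ("GCM", "CHACHA20")
OLD_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def classify(protocol, suite):
    """Return (verdict, reasons) for a negotiated protocol and cipher suite.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) and
    OpenSSL names (ECDHE-RSA-AES256-SHA).
    """
    tokens = suite.upper().replace("-", "_").split("_")
    reasons = []
    if protocol in OLD_PROTOCOLS:
        reasons.append("protocol %s" % protocol)
    # TLS 1.3 suite names omit the key exchange; it is always ephemeral.
    if protocol != "TLSv1.3" and not any(t in FS_KEY_EXCHANGES for t in tokens):
        reasons.append("no forward secrecy")
    if not any(t in AEAD_CIPHERS for t in tokens):
        reasons.append("no AES-GCM or CHACHA20_POLY1305")
    return ("obsolete" if reasons else "modern", reasons)


def probe(host, port=443, timeout=5.0):
    """Connect to host and classify what this client and the server agree on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            return tls.version(), name, classify(tls.version(), name)


if __name__ == "__main__":
    # Constructed inputs: the suite from the browser message in the first
    # post, and the suite the Chromium text says most servers will negotiate.
    samples = [
        ("TLSv1", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
        ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    ]
    for proto, suite in samples:
        print(proto, suite, classify(proto, suite))
```

`probe` reports what this Python client and the server negotiate, which can differ from what a given browser gets. A current Python build will typically refuse a TLS 1.0-only server with an `ssl.SSLError` rather than return a result.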