
Disabling Weak Cipher suites for TLS 1.2 on a Windows machine running Qlik Sense Enterprise on Windows

Sonja_Bauernfeind
Digital Support

Last Update: May 29, 2023 5:14:06 AM
Updated By: Sonja_Bauernfeind
Created date: Aug 23, 2017 11:20:49 AM

Qlik Sense URL(s) tested on SSLlabs (ssllabs.com) return the following weak Cipher suites:

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) WEAK

The steps documented in this article are an example of how cipher suites can be disabled. All steps are to be performed by a Windows Administrator at the Windows level and cannot be supported by Qlik Support.

We recommend consulting your security or Windows administrator before proceeding, as they may have automated practices in place.

The security in Qlik Sense does not depend only on the Qlik Sense software. It also relies on the security of the environment that Qlik Sense operates in. This means that the security of, for example, the operating system and the cryptographic protocols (such as TLS/SSL) has to be set up and configured to provide the security needed for Qlik Sense. See Protecting the platform.

Configuring TLS Cipher Suite Order

You can review and configure the cipher suite order using a Group Policy. See Manage Transport Layer Security (TLS) | Microsoft Learn.

Please refer to fig 1:

Fig 1

This policy determines the cipher suites used by the Secure Socket Layer (SSL). If you enable the policy setting, SSL cipher suites are prioritized in the order specified.

If you disable or do not configure this policy setting, the factory default cipher suite order is used.

SSL2, SSL3, TLS 1.0 and TLS 1.1 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
SSL_CK_RC4_128_WITH_MD5
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_NULL_SHA
TLS_RSA_WITH_NULL_MD5

TLS 1.2 SHA256 and SHA384 cipher suites:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_NULL_SHA256

TLS 1.2 ECC GCM cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521

How to modify this setting:

  1. Open a blank notepad document.
  2. Copy and paste the list of available suites into it.
  3. Arrange the suites in the correct order; remove any suites you don't want to use.
  4. Place a comma at the end of every suite name except the last. Make sure there are NO embedded spaces.
  5. Remove all the line breaks so that the cipher suite names are on a single, long line.
  6. Copy the cipher-suite line to the clipboard, then paste it into the edit box. The maximum length is 1023 characters.
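
The six steps above, scripted in PowerShell as an added example (not part of the original article and not Qlik or Microsoft tooling): it removes the suites SSL Labs flagged as weak, joins the rest with commas on one line, and rejects names with embedded spaces or a result longer than 1023 characters. The function name New-CipherSuiteOrderLine and the short $Available sample are assumptions made up for illustration.

```powershell
# Constructed sample; replace with the full list of available suites, one per line.
$Available = @'
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_3DES_EDE_CBC_SHA
'@

# The five suites the SSL Labs report in this article marks as WEAK.
$Weak = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384'
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
    'TLS_DHE_RSA_WITH_AES_256_CBC_SHA'
    'TLS_DHE_RSA_WITH_AES_128_CBC_SHA'
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA'
)

# Hypothetical helper (not a built-in cmdlet): returns the one-line policy value.
function New-CipherSuiteOrderLine {
    param(
        [string]$Text,               # pasted list, one suite per line (commas tolerated)
        [string[]]$Exclude = @(),    # suites to remove (step 3)
        [int]$MaxLength = 1023       # limit of the policy edit box (step 6)
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    $kept = @(foreach ($entry in ($Text -split '[\r\n,]+')) {
        $name = $entry.Trim()
        # Keep input order; skip blanks, excluded suites and duplicates.
        if ($name -and ($Exclude -notcontains $name) -and $seen.Add($name)) { $name }
    })
    if ($kept.Count -eq 0) { throw 'No cipher suites left after filtering.' }

    # Step 4: a name with an embedded space or stray character would corrupt the list.
    $bad = @($kept | Where-Object { $_ -notmatch '^[A-Za-z0-9_]+$' })
    if ($bad.Count -gt 0) { throw "Invalid suite name(s): $($bad -join '; ')" }

    # Steps 4-5: commas between names, none after the last, all on a single line.
    $line = $kept -join ','
    if ($line.Length -gt $MaxLength) {
        throw "Line is $($line.Length) characters; the edit box accepts at most $MaxLength."
    }
    $line
}

$line = New-CipherSuiteOrderLine -Text $Available -Exclude $Weak
'Length: {0} of 1023 characters' -f $line.Length
$line
```

The script only builds and validates the string; pasting it into the policy edit box remains a manual step, as in step 6.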

 

Related Content:

Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows

 

Environment:

Qlik Sense Enterprise on Windows any version

 

Comments
wesleytabaka
Contributor

Hello, @Sonja_Bauernfeind

This original article is from August 2017 but this shows updated in May 2021. Do these steps apply to Qlik Sense April 2020 Patch 5? According to QB-3248, Qlik Sense only began using Windows registry and group policy to control TLS and cipher settings as of May 2021. Is this right?

Can I change the cipher suites Qlik Sense Proxy service uses without upgrading Qlik Sense from April 2020? i.e., by making some configuration change or using the latest patch for April 2020?

Thank you!

Sonja_Bauernfeind
Digital Support

Hello @wesleytabaka 

This is still accurate, yes. The intention is that Qlik Sense relies on the Ciphers enabled or disabled on the operating system level across the board. 

We recommend using 3rd party tools, such as IIS Crypto (https://www.nartac.com/Products/IISCrypto), to easily enable or disable them.

 

Heisterkamp
Contributor

We still have findings after using IISCrypto for port 9200. In Qlik help I found "Configuring preferred cipher suites for Qlik License Service in Qlik Sense Enterprise on Windows".
