Salesforce Driver to use TLS 1.1/1.2

Hi,

We are currently using the NetIQ Salesforce driver
  • The driver version is probably irrelevant, and if you are using a Remote
    Loader (RL) as you always should, the engine version (including
    eDirectory) is also irrelevant. Upgrade your RL to the latest 4.5 SP, or
    better yet, 4.6, and see if that starts using TLS 1.2 automatically. If
    you are not using a RL, add one, or else you'll at least need to upgrade
    eDirectory, the IDM engine code, and then see if things work, but you
    should always use a RL whenever possible, even if it's just running the
    shim on the same box as the engine, for various reasons not related to
    your issue today.


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
  • On 6/14/2017 7:05 AM, ab wrote:
    > The driver version is probably irrelevant, and if you are using a Remote
    > Loader (RL) as you always should, the engine version (including
    > eDirectory) is also irrelevant. Upgrade your RL to the latest 4.5 SP, or
    > better yet, 4.6, and see if that starts using TLS 1.2 automatically. If
    > you are not using a RL, add one, or else you'll at least need to upgrade
    > eDirectory, the IDM engine code, and then see if things work, but you
    > should always use a RL whenever possible, even if it's just running the
    > shim on the same box as the engine, for various reasons not-related to
    > your issue today..


    I think his point was that SFDC driver is a SOAP shim, that talks to a
    SOAP endpoint at the Salesforce end, which is requiring TLS now. Not
    his remote loader.


  • On 6/14/2017 10:01 AM, Geoffrey Carman wrote:
    > On 6/14/2017 7:05 AM, ab wrote:
    >> The driver version is probably irrelevant, and if you are using a Remote
    >> Loader (RL) as you always should, the engine version (including
    >> eDirectory) is also irrelevant. Upgrade your RL to the latest 4.5 SP, or
    >> better yet, 4.6, and see if that starts using TLS 1.2 automatically. If
    >> you are not using a RL, add one, or else you'll at least need to upgrade
    >> eDirectory, the IDM engine code, and then see if things work, but you
    >> should always use a RL whenever possible, even if it's just running the
    >> shim on the same box as the engine, for various reasons not-related to
    >> your issue today..

    >
    > I think his point was that SFDC driver is a SOAP shim, that talks to a
    > SOAP endpoint at the Salesforce end, which is requiring TLS now. Not
    > his remote loader.


    Which is not to say I have a solution. I wonder if, you ran it in the
    JVM (Make sure you are at the latest RL version) and then added a Java
    param like one of these:

    -Ddeployment.security.SSLv2Hello=false
    -Ddeployment.security.SSLv3=false
    -Ddeployment.security.TLSv1=false
    -Ddeployment.security.TLSv1.1=true
    -Ddeployment.security.TLSv1.2=true

    or maybe:
    -Dhttps.protocols=TLSv1.2
    -Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256

    I am not sure which will work, since I do not fully understand the
    distinctions, but I wonder if these would help.

  • Right, I get that part, but the 4.0 Remote Loader uses a JRE that cannot,
    I believe, do TLS 1.2, so even though clients and servers SHOULD negotiate
    the strongest ciphersuite possible, which would be a TLS 1.2 thing
    probably (unless Salesforce can do 1.3), the only options provided to the
    server by the client (RL JVM) will be TLS 1.0 things. Using a new RL
    should give that client (to Salesforce) new options, from which Salesforce
    can then choose something strong.

    Verifying possibilities in the TLS/SSL Client Hello via a LAN/wire trace
    should be trivial.


    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
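    The check described above (looking at what the Remote Loader JVM actually offers in its ClientHello, and confirming whether flags such as -Dhttps.protocols=TLSv1.2 / -Dhttps.cipherSuites=... took effect) can be scripted rather than read off a packet capture by hand. The following is an added example, not code from this thread or from NetIQ: it parses the TLS record and ClientHello layout (RFC 5246 / RFC 8446) and reports the highest protocol version the client lets the server pick plus the cipher suites it lists. The three ClientHello byte strings are constructed test inputs built by the helper, not captured traffic; the cipher-suite name table is deliberately small and unknown codes are shown as hex.

```python
"""Parse a TLS ClientHello and report the protocol versions and cipher suites a client offers."""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

# Small table of IANA cipher-suite codes; anything else is reported as hex.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
EXT_SUPPORTED_VERSIONS = 0x002B  # TLS 1.3 supported_versions extension


def build_client_hello(client_version, suites, supported_versions=None):
    """Construct a minimal ClientHello record (constructed test input, not real traffic)."""
    body = struct.pack(">H", client_version) + bytes(32)        # legacy version + all-zero random
    body += b"\x00"                                             # empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                         # compression methods: null only
    if supported_versions is not None:
        vers = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HHB", EXT_SUPPORTED_VERSIONS, len(vers) + 1, len(vers)) + vers
        body += struct.pack(">H", len(ext)) + ext               # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Walk the record header, handshake header and ClientHello fields."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    client_version = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2 + 32                                               # skip version + random
    pos += 1 + body[pos]                                        # skip session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                        # skip compression methods
    supported = None
    if pos < len(body):                                         # extensions are optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                supported = [struct.unpack(">H", data[1 + i:3 + i])[0] for i in range(0, data[0], 2)]
    return {"client_version": client_version, "cipher_suites": suites,
            "supported_versions": supported}


def offered_versions(hello):
    """Versions the server may select: the extension list if present, else anything up to client_version."""
    if hello["supported_versions"] is not None:
        return sorted(hello["supported_versions"])
    return sorted(v for v in TLS_VERSIONS if v <= hello["client_version"])


def max_offered(hello):
    top = max(offered_versions(hello))
    return TLS_VERSIONS.get(top, hex(top))


def offers_tls12(hello):
    return 0x0303 in offered_versions(hello)


def suite_names(hello):
    return [CIPHER_SUITES.get(s, hex(s)) for s in hello["cipher_suites"]]


# Constructed inputs: an old JRE stuck at TLS 1.0, a JVM restricted to TLS 1.2 with a single
# suite, and a TLS 1.3-capable client that advertises versions via supported_versions.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F, 0x0035])
RESTRICTED_HELLO = build_client_hello(0x0303, [0x003D])
TLS13_HELLO = build_client_hello(0x0303, [0xC030, 0xC02F], [0x0304, 0x0303, 0x0302])

if __name__ == "__main__":
    for label, rec in [("legacy", LEGACY_HELLO), ("restricted", RESTRICTED_HELLO), ("tls13", TLS13_HELLO)]:
        h = parse_client_hello(rec)
        print(label, "max:", max_offered(h), "TLS1.2 possible:", offers_tls12(h), "suites:", suite_names(h))
```

    To use this on a real capture, feed parse_client_hello the bytes of the first client-to-server TLS record (for example exported from a tcpdump/Wireshark session); an old JRE shows up as a client_version of 0x0301 with no supported_versions extension, which is exactly the "TLS 1.0 things only" situation described above.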
  • On 6/14/2017 11:39 AM, ab wrote:
    > Right, I get that part, but the 4.0 Remote Loader uses a JRE that cannot,
    > I believe, do TLS 1.2, so even though clients and servers SHOULD negotiate
    > the strongest ciphersuite possible, which would be a TLS 1.2 thing
    > probably (unless Salesforce can do 1.3), the only options provided to the
    > server by the client (RL JVM) will be TLS 1.0 things. Using a new RL
    > should give that client (to Salesforce) new options, from which Salesforce
    > can then choose something strong.


    Good points. He is at least on IDM 4.0.2.7 which should support TLS
    instead of SSL in terms of Engine to RL communication.

    I never tried, but you should just be able to upgrade the JVM the RL is
    running on, for the most part. I do not recall seeing any dependencies
    on the JVM, do you?

    > Verifying possibilities in the TLS/SSL Client Hello via a LAN/wire trace
    > should be trivial.
    >
    >


  • Hi both,

    Thanks for the pointers on this. We aren't using a RL, but I will see if I can force the engine JVM to use the protocols needed.

    I'll update if I get this working.
  • Hi All,

    Reading this topic I'm wondering if there are any updates on the subject; Salesforce Driver to use TLS 1.1/1.2?
  • WWWilco;2462027 wrote:
    Hi All,

    Reading this topic I'm wondering if there are any updates on the subject; Salesforce Driver to use TLS 1.1/1.2?


    The Salesforce driver doesn't use anything in particular, that's provided by the lower layers of the stack. If you're on a current JRE, wherever the driver is running (engine or RL), then it should be negotiating TLSv1.2. If you're not on a current JRE, you'll need to get there. If that doesn't work, start a new thread and provide the details of what you're running. Expect to need to get a connection trace (tcpdump, etc.) to show what is being negotiated.