Monday, February 3, 2020

Force Sitecore 8.2.x to use TLS 1.2







ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Instead of

ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
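
Added example (not code from the original post): the two assignments above differ in which protocols stay enabled afterwards, and this C# sketch shows the difference with plain flag arithmetic, then applies the exact form with a startup check. The class name TlsProtocolCheck, its helper names and the starting value are assumptions made for illustration.

```csharp
using System;
using System.Net;

public static class TlsProtocolCheck
{
    // Flags that remain enabled besides TLS 1.2 (zero means TLS 1.2 only).
    public static SecurityProtocolType OtherThanTls12(SecurityProtocolType value)
    {
        return value & ~SecurityProtocolType.Tls12;
    }

    // Additive form from the post: keeps whatever was already enabled and adds TLS 1.1.
    public static SecurityProtocolType Additive(SecurityProtocolType current)
    {
        current |= SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        return current;
    }

    // Exact form from the post: replaces the whole set with TLS 1.2.
    public static SecurityProtocolType Exact(SecurityProtocolType current)
    {
        current = SecurityProtocolType.Tls12;
        return current;
    }

    public static void Main()
    {
        // Constructed starting value: a process that had only TLS 1.0 enabled.
        var start = SecurityProtocolType.Tls;

        Console.WriteLine("additive: {0} (besides TLS 1.2: {1})",
            Additive(start), OtherThanTls12(Additive(start)));
        Console.WriteLine("exact:    {0} (besides TLS 1.2: {1})",
            Exact(start), OtherThanTls12(Exact(start)));

        // Apply the exact form process-wide, then fail fast if anything
        // other than TLS 1.2 is still enabled for outbound connections.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
        var leftover = OtherThanTls12(ServicePointManager.SecurityProtocol);
        if (leftover != 0)
            throw new InvalidOperationException(
                "Protocols other than TLS 1.2 enabled: " + leftover);
        Console.WriteLine("effective: {0}", ServicePointManager.SecurityProtocol);
    }
}
```

ServicePointManager.SecurityProtocol is process-wide, so any later code that uses the additive form widens the set again; running the OtherThanTls12 check after all modules have initialized catches that.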



As per the latest update I have got, Microsoft will be forcing TLS 1.2 as the minimum supported version, and connection attempts using old versions will be denied from Feb 6th 2020 for Azure Search, and March 31st for Redis. I request you all to update the code ASAP to support TLS 1.2.

Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis


There's an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This TLS security blog explains some of these vulnerabilities in more detail.
As a part of this effort, we'll be making the following changes to Azure Cache for Redis:
  • Phase 1: We'll configure the default minimum TLS version to be 1.2 for newly created cache instances. Existing cache instances won't be updated at this point. You'll be allowed to change the minimum TLS version back to 1.0 or 1.1 for backward compatibility, if needed. This change can be done through the Azure portal or other management APIs.
  • Phase 2: We'll stop supporting TLS versions 1.0 and 1.1. After this change, your application will be required to use TLS 1.2 or later to communicate with your cache.
Additionally, as a part of this change, we'll be removing support for older, insecure cipher suites. Our supported cipher suites will be restricted to the following when the cache is configured with a minimum TLS version of 1.2.
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
This article provides general guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.