Are you using TLS older than 1.2?  It’s ok, maintenance update delays happen to everyone.  We get it.  However, it is time to move on.

Remember way back in June 2018 when we deprecated the use of TLS 1.0? If you don’t, that is okay, you can read all about it in posting ini.  Well, here we are, 2 years later and the next version is about to be sidelined so we want you to be prepared and avoid any interruption in service.  This post is all about getting you prepared to run without the use of TLS1.1 so we can restrict access to TLS1.2 only.  We will walk you through how to check your current version and how to upgrade ke latest.  Just for kicks, we’d really like to hear your feedback and add you to a “wall of awesomeness” featuring all those security-conscious companies who make the change early.

Apakah hal ini memengaruhi saya?

Back in 2018 we asked our customers to upgrade, and TLS 1.2 has been the recommendation for quite some time, so it is very likely that you are TIDAK affected.  However, if you use any method to inject messages (SMTP or REST API) or collect data (metrics or webhooks, etc), then you really should check now to make sure your system can support TLS 1.2.  Make sure you run the following tests on the servers that actually connect to SparkPost.  

Mengapa ini penting

1. SparkPost tidak akan menerima koneksi pada TLS 1.1 setelah September 2020

2. Versi yang lebih lama tidak aman

3. TLS 1.2 telah menjadi protokol yang direkomendasikan selama lebih dari satu dekade

4. Semua anak-anak keren melakukannya

5. IETF mengatakan bahwa ini secara resmi tidak digunakan lagi

Kenapa sekarang?

Actually, the question should be “mengapa Anda masih mendukungnya?”  TLS 1.2 has been the recommended secure standard for more than a decade and we are down ke wire on anyone actually offering any support at all for apa pun yang kurang dari TLS1.2. It is time for dukungan HTTPS yang lemah akan mati once and for all.  If you are still using TLS 1.1 past March 2020 you are going to have a hard time connecting to most services.  SparkPost has provided ample grace to get this updated and now we are sending out final notices to get this upgraded before September when we kill it off for good.

Tapi bagaimana, doakan saja, Anda bisa memperbaikinya?

It is very possible that your IT SysAdmin or WebAdmin has done this already for you as part of their normal maintenance.  If so you should buy them a beer and say thank you.  If not you can follow some of the steps below to get it done in Linux, Windows, and Mac.

Perhatikan bahwa di seluruh dokumen ini kami akan menguji dengan titik akhir SparkPost AS

Jika Anda biasanya menggunakan penerapan Eropa, Anda sebaiknya menggunakan titik akhir UE.

Bagaimana cara memeriksanya (versi Linux)

First, let’s check to see if your friendly neighborhood SysAdmin already took care of this for you. This is actually part of the SSL configuration so it can be managed in your system config.  Assuming you are using Linux, the most descriptive method is using nmap but you bisa juga menggunakan openssl.  You can use nmap with Linux, Windows and Mac, but we will explore other methods for Windows and Macs as well if you don’t want to install new software.

To do this with nmap, test the ciphers against a known HTTPS host.  Since the point is to make sure we are connecting to SparkPost securely, let’s test against that endpoint. Make sure you run the following tests on the servers that actually connect to SparkPost. 

nmap --script ssl-enum-ciphers -p 443 api.sparkpost.com

This was done on my own development server and you can easily see my configuration supports TLS 1.1 and 1.2 but not 1.3.  It is important to note at this point that AWS ALBs, and therefore SparkPost connections, do not yet support TLS1.3, but it is on the AWS roadmap.

Memulai Nmap 6.40 (http://nmap.org) pada 2020-05-06 22:41 UTC Laporan pemindaian Nmap untuk api.sparkpost.com (52.13.246.255) Host habis (latensi 0,00059 detik). Alamat lain untuk api.sparkpost.com (tidak dipindai): 34.211.102.211 52.43.22.201 54.213.185.174 100.20.154.199 52.43.110.79 52.40.215.39 52.40.175.169 Catatan rDNS untuk 52.13.246.255: ec2-52-13-246-255.us-west-2.compute.amazonaws.com LAYANAN NEGARA PORT 443/tcp open https | ssl-enum-ciphers: | TLSv1.1: | ciphers: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong | TLS_RSA_WITH_AES_128_CBC_SHA - strong | TLS_RSA_WITH_AES_256_CBC_SHA - strong | compressors: | NULL | TLSv1.2: | Sandi: | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - kuat | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - kuat | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - kuat | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - kuat | TLS_RSA_WITH_AES_128_CBC_SHA - kuat | TLS_RSA_WITH_AES_128_CBC_SHA256 - kuat | TLS_RSA_WITH_AES_128_GCM_SHA256 - kuat | TLS_RSA_WITH_AES_256_CBC_SHA - kuat | TLS_RSA_WITH_AES_256_CBC_SHA256 - kuat | TLS_RSA_WITH_AES_256_GCM_SHA384 - kuat | NULL |_ kekuatan paling rendah: kuat Nmap selesai: 1 alamat IP (1 host ke atas) dipindai dalam 0,11 detik

At this point, you can actually stop if you want because the point is to make sure you are able to connect to SparkPost using TLS 1.2.  If your connection supports TLS 1.2 that is what we need at this point so we are all good here.  Go buy that SysAdmin a beer and say thank you.

Send us an email dan beri tahu kami you were successful.

Memeriksa dukungan pada Mac Anda

The most common reason you may need to check for support on your Mac is that you use it for local development, so let’s assume that and check for your support. 

Metode yang paling tidak invasif adalah menggunakan curl yang seharusnya ada di setiap Mac. Luncurkan aplikasi Terminal dan gunakan flag protokol untuk menguji secara khusus untuk TLS1.2.

curl https://api.sparkpost.com/ --tlsv1.2 --verbose * Trying 54.213.185.174... * TCP_NODELAY set * Connected to api.sparkpost.com (54.213.185.174) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH * successfully set certificate verify locations: * CAfile: /etc/ssl/cert.pem CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Client hello (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Client hello (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 * ALPN, server accepted to use h2 * Server certificate: * subject: CN=*.sparkpost.com * start date: Jan 30 00:00:00 2020 GMT * expire date: Feb 28 12:00:00 2021 GMT * subjectAltName: host "api.sparkpost.com" matched cert's "*.sparkpost.com" * issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon * SSL certificate verify ok. * Using HTTP2, server supports multi-use * Connection state changed (HTTP/2 confirmed) * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 * Using Stream ID: 1 (easy handle 0x7fbd69805200) > GET / HTTP/2 > Host: api.sparkpost.com > User-Agent: curl/7.54.0 > Accept: */* > * Connection state changed (MAX_CONCURRENT_STREAMS updated)! < HTTP/2 200 < date: Thu, 07 May 2020 15:14:30 GMT < content-type: text/plain < content-length: 95 < server: msys-http < * Connection #0 to host api.sparkpost.com left intact Oh hey! You should come work with us and build awesome stuff!

Jika Anda ingin menguji menggunakan koneksi SMTP, Anda juga dapat melakukannya dengan perintah ini:

openssl s_client -crlf -starttls smtp -tls1_2 -connect smtp.sparkpostmail.com:587

Mengembalikan banyak data termasuk:

Sesi SSL: Protokol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384

Memeriksa dukungan di Windows

Similar to the Mac use case, the most common reason you may need to check for support in your Windows is that you use it for local development, so let’s assume that and check for your support. 

Windows 7 and Windows 10 use basically the same process.  If you are using something earlier, please upgrade as prior versions do not support TLS 1.2.

Mulailah dengan mengeklik MULAI di sudut kiri bawah (biasanya).

Ketik "Opsi Internet" dan pilih yang cocok dari daftar yang dihasilkan.

Klik pada tab Advanced dan dari sana gulir ke bawah hingga ke bagian paling bawah. Jika TLS 1.2 dicentang, Anda sudah siap. Jika tidak, silakan centang kotak yang berdekatan dengan Gunakan TLS 1.2 lalu Terapkan.

Wait, what? No 1.2? 

Bummer dude.  Your work is not done yet.

Jika Anda hanya memiliki TLS1.1, maka Anda harus memperbarui pengaturan Cipher Anda.

Assuming you are using Linux and Apache for TLS connection management, you can update the SSL configuration by modifying this line to add “+TLSv1.2 ”:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 

(Catatan: Karena kedua fitur ini tidak lagi didukung di mana pun, maka, akan masuk akal jika Anda juga menghapus pengaturan 1.0 dan 1.1 selagi Anda berada di sini).

That config is typically located in /etc/httpd/conf.d/ssl.conf 

Restart Apache and you are good to go. 

layanan httpd restart

If you are using Nginx, you will want to modify this line in a similar way:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

That config is typically located in /etc/nginx/conf.d/ 

Restart Nginx and you are good to go. 

service nginx restart

If you run into any error messages with the restart, you may have an out-dated SSL library.  Make sure you are using at least openssl v1.0.1g.

Jika Anda menggunakan Windows, petunjuk untuk mengatur TLS1.2 ada di bagian "Memeriksa dukungan di Windows" di atas.

All done now? Send us an email dan beri tahu kami you were successful.

Selangkah lebih maju

Why stop at TLS 1.2 when you know – Anda hanya tahu – that we are all going to have to upgrade to TLS 1.3 in the next year or so.  Why not just upgrade to TLSv1.3 while we are at it?

Unfortunately, AWS ALBs do not support TLS1.3 yet, so if you do upgrade your configuration, your connection to SparkPost and any other AWS service that uses the ALB layer will still be limited to TLS1.2. Personally, I still think it is a good idea to get ahead of the curve and upgrade to 1.3 while you are making changes anyway. 

If you want to add TLS 1.3 support you will probably have to update your OpenSSL library first to V1.1.1 or later and then add +TLSv1.3  to the protocol line mentioned above.  Similar instructions dapat ditemukan di sini for Nginx and Cloudflare as well.

Tetap aman di luar sana

Finally, It would be great if you could kirimkan email singkat kepada kami to let us know you have verified you are TLS 1.2 capable.  We really don’t want to cut anyone off and the drop-dead date is September 2020.  If we know you are all in the safe zone, we’ll feel much better about turning off the old support.