Does it have a negative impact if the SCF 4.3.3 server stops accepting TLS 1.0 and 1.1?
Applies to
Snap Creator Framework (SCF) 4.3.3Px
Answer
No, with one caveat (*).
Even if the scAgent uses HANA in the APP_NAME configuration (HANA is the only plug-in that creates connections back to scServer), and even when the scAgent version is one that requires the IP to set up the SSL certificate, it will work without TLSv1.0 or TLSv1.1, using only TLSv1.2 (or higher).
WARNING: To keep up to date with SSL vulnerabilities in Java, the Java Virtual Machine (JVM, i.e. the JRE or OpenJDK) needs to be upgraded to a recent release (**).
Additional Information
*) Make sure to use a modern version of Java 8 (at least revision 202) for proper TLSv1.2 support, and at least version 4.3.3P3 of Snap Creator Framework on both the scServer and the scAgent side. 4.3.3P3 adds an AIX fix for using only TLSv1.2, which was already working under Windows and Linux.
**) Current versions of the JRE 1.8.0 already have TLSv1.0 and TLSv1.1 disabled in the settings, and will also remove weak ciphers from TLSv1.2.
Note: Both Snap Creator Framework components, scServer and scAgent, are Java applications and run in a Java virtual machine (JVM). The JRE (Java Runtime) has its own SSL security settings, so on Windows, changing the TLS settings in the Windows registry changes the behavior of neither the scServer (on port 443) nor the scAgent (on port 9090).
Instead, the security allowances and disallowances are set in the JRE's lib/security/java.security file, and the following entry will disable TLSv1.0 and TLSv1.1 on older Java 8 runtimes:
jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,MD5, SSLv3, DSA, RSA keySize < 2048
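To confirm that a JRE's lib/security/java.security really disables both protocols, the check below parses the jdk.tls.disabledAlgorithms entry, including entries split over several lines with a trailing backslash. It is an added example, not NetApp or Snap Creator code; the function names and the sample file contents are constructed for illustration.

```python
import sys

# Protocols the page says to disable in the JRE used by scServer/scAgent.
REQUIRED = ("TLSv1", "TLSv1.1")
KEY = "jdk.tls.disabledAlgorithms"

def disabled_algorithms(text):
    """Return the entries of jdk.tls.disabledAlgorithms in java.security text."""
    value, logical = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue                  # blank line or comment
        if line.endswith("\\"):       # backslash continues the entry on the next line
            logical += line[:-1]
            continue
        logical += line
        key, sep, val = logical.partition("=")   # assumes '=' as the separator
        if sep and key.strip() == KEY:
            value = val               # a later definition overrides an earlier one
        logical = ""
    return [e.strip() for e in (value or "").split(",") if e.strip()]

def missing_protocols(text):
    """Return the required protocols that the file does not disable."""
    # Whole-name comparison: a "TLSv1.1" entry is not counted as covering "TLSv1".
    names = set(disabled_algorithms(text))
    return [p for p in REQUIRED if p not in names]

# Constructed samples (not from a real installation).
OLD_JRE = """\
# constructed example of an older Java 8 default
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
"""
PAGE_ENTRY = ("jdk.tls.disabledAlgorithms=SSL,SSLv2,SSLv3, TLSv1, TLSv1.1,"
              "MD5, SSLv3, DSA, RSA keySize < 2048\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:             # path to a real java.security file
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = [(sys.argv[1], fh.read())]
    else:
        samples = [("old JRE sample", OLD_JRE), ("entry from this page", PAGE_ENTRY)]
    for name, text in samples:
        print(name, "-> not disabled:", missing_protocols(text) or "none")
```

Run it with the path to the java.security file of the JRE that scServer or scAgent actually starts with, since a host can have several Java installations.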