4 Jul 2018

Upcoming Forge system upgrade to TLS 1.2 - Upgrade Date Moved to Oct 31

 

 

The Autodesk security team strongly believes that continuing to support TLS 1.0 and TLS 1.1 creates a security risk. Therefore, the Autodesk Forge platform will move to TLS 1.2 and stop supporting TLS 1.0 and TLS 1.1 on October 31st 2018, in order to align with industry best practices for security and data integrity.

Action is required prior to this date to prevent any disruption to your production instance.. Your app will no longer be able to call the Forge APIs after October 31st 2018 if it is using TLS 1.0 or TLS 1.1.  Please update your TLS version to 1.2 before October 31st.

 

What is TLS?

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS, to date, are TLS 1.0, 1.1 and 1.2.

Forge API connections use TLS as a key component of their security. HTTPS (web) and STARTTLS SMTP (email) also use TLS as a key component of their security.

 

Why is this changing?

At Autodesk, Trust is our #1 value and Autodesk is focused on continually helping our customers improve their security by using the latest security protocols. On October 31st, 2018, Autodesk Forge will require TLS 1.2 and later encryption protocol in an effort to maintain the highest security standards and promote the safety of customer data.

 

How will customers be impacted? 

After Autodesk disables TLS 1.0/1.1, any inbound connections from your Forge application that rely on TLS 1.0/1.1 will fail. This will impact all Forge WEB services.

 

What do I need to do?

Checklist: Preparing for the system upgrade to TLS 1.2

  • If your website is hosted, check with your hosting provider if they support TLS 1.2
  • If you host your own website, check if your system already supports TLS 1.2
  • If you or your hosted environment do not support TLS 1.2, arrange/request an upgrade
  • Code your system to always use the highest version of TLS available; avoid hardcoding versions

 

Update Your Production Environment to Support TLS 1.2
You will need to verify and if necessary, update your production environment to ensure it supports TLS 1.2 before October 31st, 2018.

 

Technical Information

The Technical Information section is of a highly technical nature and should be reviewed by one of the following:

  • Your web hosting company
  • Your software provider
  • Your in-house web programmer/system administrator

 

API (inbound) integrations

If a version is not mentioned below is usually mean it is not compatible with TLS 1.2. If your system or environment is not listed, please check out your system/environment documentation for compatibility. We tried to list as many as possible, but we cannot list all of them.

 

Java 8 (1.8) and higher

Compatible with TLS 1.1 or higher by default.

Java 7 (1.7)

Enable TLS 1.1 and TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.1 and TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. Switching to IBM Java may be an effective workaround if upgrading to a newer Oracle Java version isn't feasible.

Java 8 (IBM)

Compatible with TLS 1.1 or higher by default. You may need to set com.ibm.jsse2.overrideDefaultTLS=true if your application or a library called it by it uses SSLContext.getinstance("TLS").

Java 7 and higher, Java 6.0.1 service refresh 1 (J9 VM2.6) and higher, Java 6 service refresh 10 and higher

Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections, as recommended by IBM's documentation. You may also need to set com.ibm.jsse2.overrideDefaultTLS=true.

.NET 4.6 and higher

Compatible with TLS 1.1 or higher by default.

.NET 4.5 to 4.5.2

.NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.

Option 1:

.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Option 2:

It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

.NET 4.0

.NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file.

These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

Python 2.7.9 and higher

Compatible with TLS 1.1 or higher by default.

Ruby 2.0.0

TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) symbol with an SSLContext's ssl_version helps ensure that TLS 1.0 or earlier is disabled. :TLSv1.2 requires OpenSSL 1.0.1c or later.

PHP

TLSv1.2 requires OpenSSL 1.0.1c or later. OpenSSL extension that PHP_CURL uses to make HTTP connections. The PHP_CURL OpenSSL extension must support TLSv1.2. To find the openssl_version information for cURL, run: php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'

Node.js

Checkout https://nodejs.org/api/tls.html. TLSv1.2 requires OpenSSL 1.0.1c or later. Node.js uses the system supplied OpenSSL.

Microsoft WinINet

 

Windows Server 2012 R2 and higher

 

Windows 8.1 and higher

Compatible with TLS 1.1 or higher by default.

Microsoft WinINet

 

Windows Server 2008 R2 to 2012

 

Windows 7 and 8

Compatible by default if Internet Explorer 11 is installed. If Internet Explorer 8, 9, or 10 is installed, then TLS 1.2 will need to get enabled by the user or an administrator for compatibility. 

Microsoft Secure Channel (Schannel)

 

Windows Server 2012 R2 and higher

 

Windows 8.1 and higher

Compatible with TLS 1.1 or higher by default.

Microsoft Secure Channel (Schannel)

 

Windows Server 2012

 

Windows 8

TLS 1.1 and TLS 1.2 are disabled by default, but are available if enabled by an application. TLS 1.1 and TLS 1.2 can be enabled by default within the registry.

Microsoft Secure Channel (Schannel)

 

Windows Server 2008 R2

 

Windows 7

Compatible by default in client mode when Internet Explorer 11 is installed. If Internet Explorer 11 is not installed or if Forge needs to connect to a service running on this type of system, then TLS 1.1 and TLS 1.2 can be enabled by default within the registry.

Microsoft WinHTTP and Webio

 

Windows Server 2012 R2 and higher

 

Windows 8.1 and higher

Compatible with TLS 1.1 and TLS 1.2 by default

Microsoft WinHTTP and Webio

 

Windows Server 2008 R2 SP1 and 2012

 

Windows 7 SP1

With KB3140245 applied, Webio is compatible by default, and WinHTTP can be configured via registry settings to enable TLS 1.2.

OpenSSL 1.0.1 and higher

Compatible with TLS 1.1 or higher by default.

Mozilla NSS 3.15.1 and higher

Compatible with TLS 1.1 or higher by default.

iOS 4.21 or higher

Compatible with TLS 1.1 or higher by default.

Android 5.0 (Lollipop) and higher

Compatible with TLS 1.1 or higher by default.

Android 4.4 (KitKat) to 4.4.4

May be compatible with TLS 1.1 or higher. Some devices with Android 4.4.x may not support TLS 1.1 or higher.

Google Chrome 38 and higher

Compatible with TLS 1.1 or higher by default.

Firefox 27 and higher

Compatible with TLS 1.1 or higher by default.

Microsoft Edge

Compatible with TLS 1.1 or higher by default.

Microsoft Internet Explorer Desktop and mobile IE version 11

Compatible with TLS 1.1 or higher by default

If you see the "Stronger security is required" error message, you may need to turn off the TLS 1.0 setting in the Internet Options | Advanced Settings list.

Microsoft Internet Explorer Desktop IE versions 8, 9, and 10

Compatible only when running Windows 7 or newer, but not by default.

Windows Vista, XP and earlier are incompatible and cannot be configured to support TLS 1.1 or TLS 1.2.

Apple Safari Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher

Compatible with TLS 1.1 or higher by default.

Apple Safari Mobile Safari versions 5 and higher for iOS 5 and higher

Compatible with TLS 1.1 or higher by default.

CREDITS

*This note was largely inspired by this knowledge article.

Related Article