Watson Developer Cloud: Disabling 3DES Cipher Suites

Watson Developer Cloud: Disabling 3DES Cipher Suites

Share this post:

The support for 3DES cipher suites in TLS connections made to Watson Developer Cloud services is being disabled on July 24, 2017 to eliminate a vulnerability.

What are 3DES cipher suites and why are they vulnerable?

When making HTTPS connections using the TLS protocol, a cipher suite defines various aspects of how the client and server communicate securely. The cipher suite used for a connection is determined by agreement between the client and server based on the cipher suites supported by each.

A vulnerability, Sweet32, was identified in cipher suites that use the 3DES block cipher algorithm. This vulnerability is exploitable by an attacker who can monitor a long-lived connection between you and a Watson Developer Cloud service and capture around 785GB of traffic.

What Watson Developer Cloud services will this change affect?

Any connection to a Watson Developer Cloud service made through gateway.watsonplatform.net or stream.watsonplatform.net.

Will I be impacted?

In many situations disabling of 3DES cipher suites will be transparent as other cipher suites are supported by Watson Developer Cloud services. However, due to how these services are configured, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled.

There are two known situations where you will be impacted:

  • You are using version 3.6.0 or earlier of the OkHttp client library with an IBM Java JRE/SDKWe have identified that using an IBM Java JRE/SDK with older versions of OkHttp results in 3DES cipher suites being used. The issue causing this was addressed in version 3.7.0 of OkHttp. Upgrade to this or a later version and verify that you will not be impacted.
  • You are using version 3.7.0 or earlier of the Watson Developer Cloud SDK with an IBM Java JRE/SDKWe have identified that using an IBM Java JRE/SDK with older versions of the Watson Developer Cloud Java SDK is a common reason 3DES cipher suites are used. The issue causing this was addressed in version 3.8.0 of the Watson Developer Cloud SDK. Upgrade to this or a later version and verify that you will not be impacted. If you are currently using a version earlier than 3.0 there are breaking changes. Review the readme for information on these. Review the changelog to learn about additional minor changes.Note: The issue in the older versions of the Watson Developer Cloud SDK is caused by the bundling of an unfixed version of OkHttp.

How can I verify that I will not be impacted?

Connect to your service using gateway-t.watsonplatform.net instead of gateway.watsonplatform.net (or stream-t.watsonplatform.net instead of stream.watsonplatform.net). If you can successfully connect then you will not be impacted.

Important! Use gateway-t.watsonplatform.net or stream-t.watsonplatform.net for testing purposes only.

Note: To reconfigure the Watson Developer Cloud Java SDK to use gateway-t.watsonplatform.net use the setEndPoint method on your service instance to change the hostname. For example:

LanguageTranslator service = new LanguateTranslator();
service.setEndpoint(“http://bit.ly/2s0g2iy”);

I’ve determined I will be impacted but I’m not using an older version of OkHttp or the Watson Developer Cloud SDK with an IBM Java JRE/SDK. What do I do?

You need to determine if your client supports one of the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384*
TLS_RSA_WITH_AES_256_CBC_SHA256*
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA

*TLS 1.2 only

If your client does not support one of these cipher suites reconfigure your client to enable support for at least one cipher suite or move to a new client that does support one of them. If your client is configured to support one of these and you can’t confirm that you will not be impacted you need to diagnose your connection to determine the cause. Refer to any available documentation for your client to assist with this.

Follow up

Any questions or problems, please contact support.

#watson,#awvi,#hybridcloud,#ibm

Bluemix

via Bluemix Blog https://ibm.co/2pQcNaA

June 13, 2017 at 03:15PM

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s