Is TLS 1.3 Supported? (Solved)

Is TLS 1.3 supported for communication between the TurboFloat client and server? We have a customer who reports floating licensing failure when TLS 1.2 is disabled (they're hardening their environment to allow TLS 1.3 only).

The platform is RHEL 9.


To add a bit more detail, we were able to reproduce the customer issue. However, a TLS 1.3 connection to TFS does appear to work fine:

$ curl -v --tlsv1.3 --insecure https://localhost:443
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=VA; L=Eggleston; O=Posit; CN=localhost
*  start date: Aug  8 13:26:17 2023 GMT
*  expire date: Aug  7 13:26:17 2024 GMT
*  issuer: C=US; ST=VA; L=Eggleston; O=Posit; CN=localhost
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x5562252d0e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: localhost
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< server: nginx/1.20.1
< date: Tue, 08 Aug 2023 15:42:00 GMT
< content-type: text/html
< content-length: 839
< 
* Connection #0 to host localhost left intact
<!doctype html><html><head><meta charset = "utf-8"><title>Floating license server (TFS) is running</title><meta name="viewport" content="width=device-width, initial-scale=1"><style type="text/css">body {    background-color: #f0f0f2;    margin: 0;    padding: 0;    font-family: system-ui, sans-serif;}div {    width: 600px;    margin: 5em auto;    padding: 50px;    background-color: #fff;    border-radius: 1em;}a:link, a:visited {    color: #38488f;}.err {    color:red}@media (max-width: 700px) {    body {        background-color: #fff;    }    div {        width: auto;        margin: 0 auto;        border-radius: 0;        padding: 1em;    }}</style></head><body><div><h1>Floating license server (TFS) is running</h1><p>You've successfully configured the floating license server (TFS) and you can access it.</p></div></body></html>

This leads me to think that TFS supports TLS 1.3, but the connection between the TF client and TFS may have issues.

The client is returning TF_E_INET_TLS.

Answer

The next publicly released versions of TA, TF, TFS will all support and default to TLS 1.3.

On platforms that support TLS 1.3 (modern Windows, and all other platforms) TLS 1.3 will be the only connection method used (any attempt to downgrade or MITM will fail).

On old-Windows (Windows 10 and older), TLS 1.2 will be used.

We've been working behind the scenes (or, out in the open really) adding support to the backend HTTPS libraries to add TLS 1.3 support to all the platforms we support (for example, early last year we added TLS 1.3 support for Windows). There will be a blog post about all this work at a later date. We have another PR being worked on and submitted soon.

But, long story short is, we actually work on the back-end libraries so that millions of non-wyDay customers get TLS 1.3 support out of the box.

And the next version is coming soon (ASAP, no hard date).

In the meantime, configure your HTTPS frontend (sitting in front of TFS) to use TLS 1.2 and TLS 1.3. That way when we roll out the next version you'll be ready to support it on day 1.
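Added example, not part of the original thread and not wyDay's code: one way to confirm that the HTTPS frontend in front of TFS accepts both TLS 1.2 and TLS 1.3, by attempting one handshake pinned to each version. The names `probe`, `survey` and `assess` are hypothetical, and the host and port are taken from the curl test earlier in the thread.

```python
import socket
import ssl

# The two protocol versions the answer asks the HTTPS frontend to accept.
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}


def probe(host, port, version, timeout=5.0):
    """One pinned handshake: (True, version, cipher) or (False, None, error)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Pin both bounds so no other version can be negotiated.
    ctx.minimum_version = version
    ctx.maximum_version = version
    # Verification is disabled only because the server in the thread uses a
    # self-signed certificate (the same choice as curl --insecure there).
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version(), tls.cipher()[0]
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return False, None, f"{type(exc).__name__}: {exc}"


def survey(host, port):
    """Probe every version in VERSIONS; returns {name: probe() result}."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}


def assess(results):
    """Summarise a survey() result against the answer's advice."""
    ok12, ok13 = results["TLSv1.2"][0], results["TLSv1.3"][0]
    if ok12 and ok13:
        return "accepts TLS 1.2 and TLS 1.3"
    if ok13:
        return "TLS 1.3 only"
    if ok12:
        return "TLS 1.2 only"
    return "no TLS 1.2 or 1.3 handshake succeeded"


if __name__ == "__main__":
    found = survey("localhost", 443)  # host and port from the curl test above
    for name, result in found.items():
        print(name, result)
    print(assess(found))
```

A result of "TLS 1.3 only" corresponds to the hardened environment described in the question; "accepts TLS 1.2 and TLS 1.3" is the state the answer recommends until the next release.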


Thanks. We will be watching for the next release.