Deprecating TLSv1.0 and TLSv1.1

Himanshu Kathpal

As part of a global initiative to strengthen the security of the Qualys Cloud Platform, we have discontinued support for Transport Layer Security (TLS) 1.0 and TLS 1.1 for communication with the platform, its agents, and integrations with the various services on the platform. Google, Microsoft, Cisco, Apple, and Mozilla have already announced that their browsers and services will no longer support TLS 1.0 and 1.1 as of March 2020. Qualys has carefully reviewed and implemented this upgrade to its TLS standards in line with industry best practices and the deprecation proposed by the Internet Engineering Task Force (IETF).

Please ensure that you are using TLSv1.2 or above to avoid any disruption to your access to, and integration with, the Qualys Cloud Platform. This change will affect all connections to the Cloud Platform, including UIs, APIs, Scanner Appliances, and Cloud Agents.

For Cloud Agent Deployments: 

Cloud Agent for Windows uses cryptographic protocol support provided by the Windows operating system. Older Windows operating systems (including Windows XP, Embedded Standard, Server 2003/SP2, Server 2008/SP1/SP2, and potentially others if explicitly configured) do not have TLS 1.2 support on the operating system for Cloud Agent to use. 

Cloud Agent on Windows 7, 8/8.1, 10, Server 2008 R2, 2012, 2016 and on Linux, Mac, and AIX operating systems supports TLS 1.2 and is not impacted, though network proxies may inadvertently be stepping down TLS 1.2+ to 1.0/1.1.

Customers can use Qualys Gateway Service (QGS) or their own forward proxy servers to “step up” the version of TLS from 1.0/1.1 to 1.2+ to continue running Cloud Agent for Windows on older Microsoft operating systems that only have support for TLS 1.0/TLS 1.1. Please refer to https://www.qualys.com/docs/qualys-gateway-service-user-guide.pdf for details on QGS.

For those cases where a proxy server cannot be utilized, customers can use the Qualys network scanner to assess the affected system until the conversions have been implemented. 
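
To confirm that a host's network path can complete a TLS 1.2+ handshake with a platform URL, a probe like the following can be run from that host, passing hostnames on the command line. It is an added example, not Qualys code: the names `tls12_context` and `probe` are hypothetical, and it uses only Python's standard `ssl` module. The reported certificate issuer, or a certificate error, indicates whether the session ends at the platform or at an intercepting proxy.

```python
import socket
import ssl
import sys


def tls12_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Attempt a TLS 1.2+ handshake; report what was negotiated or why it failed."""
    result = {"host": host, "ok": False, "version": None,
              "cipher": None, "issuer": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
                # Flatten the issuer name; an unexpected issuer points to a
                # TLS-terminating proxy between this host and the platform.
                issuer = dict(rdn[0] for rdn in tls.getpeercert().get("issuer", ()))
                result.update(
                    ok=True,
                    version=tls.version(),      # e.g. "TLSv1.2" or "TLSv1.3"
                    cipher=tls.cipher()[0],
                    issuer=issuer.get("organizationName") or issuer.get("commonName"),
                )
    except ssl.SSLCertVerificationError as exc:
        # Often seen when a proxy re-signs traffic with a CA this host does not trust.
        result["error"] = f"certificate: {exc.verify_message}"
    except ssl.SSLError as exc:
        # Includes protocol-version alerts from endpoints limited to TLS 1.0/1.1.
        result["error"] = f"handshake: {exc.reason or exc}"
    except OSError as exc:
        result["error"] = f"network: {exc}"
    return result


if __name__ == "__main__":
    for name in sys.argv[1:]:
        print(probe(name))
```

Python negotiates with its bundled OpenSSL rather than Windows SChannel, so this checks the network path and endpoint, not whether the Windows operating system itself supports TLS 1.2.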

For the list of supported TLS versions and ciphers, please refer to SSL Labs at https://www.ssllabs.com/ssltest/ 

Qualys Cloud Agent Shared Platform URLs 

US Platform 1: https://qagpublic.qg1.apps.qualys.com
US Platform 2: https://qagpublic.qg2.apps.qualys.com
US Platform 3: https://qagpublic.qg3.apps.qualys.com
EU Platform 1: https://qagpublic.qg1.apps.qualys.eu
EU Platform 2: https://qagpublic.qg2.apps.qualys.eu
IN Platform 1: https://qagpublic.qg1.apps.qualys.in
CA Platform 1: https://qagpublic.qg1.apps.qualys.ca

Qualys is also evaluating a limited extension of support for deprecated ciphers within TLS 1.2+ for customers with legacy systems. A separate notification will follow, with a minimum of 30 days' notice, if Qualys decides to disable support for any specific ciphers in order to improve our platform security and the security of our customer communication.
