TLS versions support

A vendor offers a mobile app for tracking vehicles, and this app links back to their server in the Azure cloud.
We install this app on our corporate mobile devices. We have:
a) iPhone 5 on iOS 10.x
b) certain iPad models on iOS 9.x
c) Android phones on Android 4.4

Q1:
The vendor told us they can't enforce TLS 1.2 on their app, as they have other customers (also in the transport-related
industry) with mobile devices still using Android 4.x, thus they'll still have to permit TLS 1.0 & 1.1.
Is this enforcement of the TLS version something that's done at the server end (in the cloud) or at the
mobile app side?

The vendor currently supports only one version of the mobile app, thus they can't customize this app
specifically for us just to enforce a certain TLS version, as advised by them.
Q2:
What's the highest version of TLS (1.2, 1.1 or 1.0) that iOS 9.x and Android 4.4 could support?

Q3:
Does anyone know if mobile apps can be made to go for TLS 1.2 first, failing which, fall back to
1.1, and if this fails, then 1.0? If it can be done, is this at the server or client end?

Q4:
Suppose there's a load balancer (e.g. F5 or A10) at the server end; does the cert installed at
the load balancer matter where TLS version support is concerned?
sunhux asked:
Roland Lee, Senior Systems Engineer, commented:
sunhux (author) commented:
Thanks Roland;  it's not.
masnrock commented:
Q1) This really becomes a factor of what the server and client support. They are supposed to negotiate the highest version of TLS they agree upon. So in a way you could say it is a fallback scenario. As long as the developer is using at least API 21 for the SDK, the app can support TLS 1.2 (but remember the OS does matter).

Q2) iOS 9 did have TLS 1.2 support, provided you followed the ATS specs. Android 4.4: I have been seeing mixed things (the downside of having everyone customize the heck out of the OS for their own products). However, see my comment about the SDK above. At that version, TLS 1.2 support is enabled by default for app development.

Q3) This is literally how the connections work: at the highest possible version they can agree upon.

Q4) The biggest question is whether all of the servers behind the load balancer support 1.2 and up. However, it would make sense for the balancer itself to at least somewhat matter.
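To make the negotiation masnrock describes concrete, here is an added example (written for this page, not code from the thread or from the vendor's app). It models what a TLS handshake actually does with the version lists on each side: the client advertises what it has enabled, the server picks the highest version both enabled, and the server's minimum is set in the server's own TLS configuration, not in the app. The client profiles at the bottom are constructed for illustration; which versions a particular Android 4.4 build or app enables by default is an assumption here, not something the thread establishes.

```python
# Added example: model of TLS version negotiation plus the server-side
# control that decides the minimum version. Not from the original thread.
import ssl

# Protocol versions in ascending order of preference.
TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def negotiate(client_enabled, server_enabled):
    """Return the version a handshake ends on, or None if the handshake fails.

    The client does not "try 1.2, then 1.1, then 1.0" in sequence; it offers
    the highest version it has enabled, and the server selects the highest
    version it is willing to use that the client also enabled. A version the
    server has disabled is never selected, whatever the client offers.
    """
    common = set(client_enabled) & set(server_enabled)
    if not common:
        return None
    return max(common, key=TLS_VERSIONS.index)


def make_server_context(minimum):
    """Server-side enforcement: refuse anything below `minimum`, e.g. "TLSv1.2".

    This is the knob the vendor would turn on the Azure endpoint or the load
    balancer; the mobile app's code does not change. The cost is that clients
    with only older versions enabled stop connecting (see outcomes() below).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # ssl.TLSVersion members are spelled TLSv1_2, not TLSv1.2
    ctx.minimum_version = ssl.TLSVersion[minimum.replace(".", "_")]
    return ctx


# Constructed client profiles (assumptions for illustration only).
CLIENT_PROFILES = {
    "iOS 9 app (ATS defaults)":         ["TLSv1.2"],
    "Android 4.4 app, stock defaults":  ["TLSv1"],
    "Android 4.4 app, TLS 1.2 enabled": ["TLSv1", "TLSv1.1", "TLSv1.2"],
    "Android 4.x app (other customer)": ["TLSv1", "TLSv1.1"],
}


def outcomes(server_enabled):
    """Map each client profile to the version it would negotiate, or None."""
    return {name: negotiate(enabled, server_enabled)
            for name, enabled in CLIENT_PROFILES.items()}


if __name__ == "__main__":
    for policy in (["TLSv1", "TLSv1.1", "TLSv1.2"], ["TLSv1.2"]):
        print(f"server enables {policy}:")
        for client, result in outcomes(policy).items():
            print(f"  {client:36s} -> {result or 'handshake fails'}")
```

Run it and compare the two policies: with TLS 1.0 to 1.2 enabled on the server, every profile connects but the stock Android 4.4 profile lands on TLS 1.0; with only TLS 1.2 enabled, the same profile fails outright. That is the trade-off the vendor is describing, and it lives entirely in the server configuration.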


btan, Exec Consultant, commented:
A1 - Both server and client, but mainly mandated by the server; the latter can allow a lower version if it is allowed and supported, otherwise the client will have to meet the version stipulated. The vendor should consider not hard-coding it, as such code is not agile and configurable. They should review the coding standard, as it seems not reusable and configurable.

A2: TLS 1.2
The following is a list of operating systems (OS) with the versions that are compliant with TLS 1.2. If your OS is an older version than those listed, you need to update it to be compliant with current security standards.

Windows- Windows 7 and newer. Windows XP and Windows Vista are not compliant. Microsoft is not releasing an update to make them compliant.
Mac- Mac OS X 10.8 Mavericks and newer
Android- Android 4.4 and newer
iOS- iOS 5 or newer
http://rezogtsupport.homeawaysoftware.com/articles/en_US/Article/HASW-Understanding-Transport-Layer-Security-TLS-1-2-Compatibility?&

A3: The server must allow the fallback, not the client, instead of a forced TLS version (e.g. disabling the older versions at the server end due to compliance).

A4: Yes, the LB (acting as a client) needs to establish the TLS channel with the web server (for example), as it is acting on behalf of the origin server. Thus it should also stipulate strict forcing of the TLS version, to be consistent with the server security baseline requirements.
David Favor, Linux/LXD/WordPress/Hosting Savant, commented:
Sounds like your developer requires some remedial education about TLS implementation.

Q1: Is this enforcement of TLS version something that's done at the server end (in the cloud) or at the
mobile app side?

Better to say this.

The server end will support some set of TLS protocols. Clients will connect using whatever protocol level they support. Clients + Servers normally negotiate the most secure TLS protocol version + Cipher to use, based on their own inherent intelligence. How this conversation occurs is highly dependent on the intelligence of both Server + Client.

Q2: What's the highest version of TLS (1.2, 1.1 or 1.0) that  IOS 9.x and Android 4.4 could support?

This will vary from day to day, as new OS versions release.

You can use this SSL/TLS report, https://www.ssllabs.com/ssltest/analyze.html?d=davidfavor.com&latest, as a cheat sheet, as SSL Labs keeps up with this rolling data.

Also the answer is a bit tricky, as the reported data is the best... most secure... connection type...

Client            | Certificate         | Protocol       | Cipher suite                            | Key exchange   | FS
Android 4.4.2     | RSA 4096 (SHA256)   | TLS 1.2        | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   | ECDH secp521r1 | FS
Safari 9 / iOS 9  | RSA 4096 (SHA256)   | TLS 1.2 > h2   | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   | ECDH secp521r1 | FS

Best to check this daily for the most current info, and also bug fixes, which will affect the info.

Q3: Anyone know if mobile apps can be made to go for TLS 1.2 first, failing which, it'll fall back to
1.1 & if this fails, then 1.0 ?  If it can be done, is this at server or client end?

Yes. This is handled by default (normally) if a standard OpenSSL library binding is used, because OpenSSL will arbitrate this conversation.

This also applies to the server end, which must also use a standard OpenSSL library binding.

Hint: Sounds to me like this server is using some sort of hand-rolled SSL library, so the answer may be no in your case. The only way to know for sure is to test the server.

Q4: Suppose there's a load balancer (eg: F5 or A10) at the server end, does the cert installed at
the loadbalancer matters where TLS version support is concerned?

Same answer as Q3.

Better to test + know, than guess.
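"Test and know, rather than guess" is the right call, and it also answers btan's A4 above: whatever you probe from the Internet is the TLS endpoint the client actually talks to, which in front of an F5 or A10 is the load balancer's VIP, not the pool members behind it. Here is an added example (not from the thread, and not the vendor's code) that probes a server one protocol version at a time with Python's `ssl` module and reports which versions it accepts. It assumes an OpenSSL-backed Python build; the `@SECLEVEL=0` cipher string is needed so that a modern OpenSSL will even offer TLS 1.0/1.1, and the probe deliberately skips certificate validation because it tests version policy, not identity. The sample result dictionary in `summarize()`'s test is constructed, not captured from the vendor's server.

```python
# Added example: probe which TLS versions a server (or the load balancer in
# front of it) will negotiate, one handshake per version. Not from the thread.
import socket
import ssl

# Ascending order; summarize() relies on this when picking the highest.
PROBE_VERSIONS = {
    "TLSv1":   ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")


def probe_context_for(name):
    """Client context pinned to exactly one protocol version."""
    version = PROBE_VERSIONS[name]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # testing version policy, not identity
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Assumption: OpenSSL-backed ssl. OpenSSL 3 refuses TLS < 1.2 at its
        # default security level, so lower it or the probe never offers them.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass                         # e.g. LibreSSL: keep library defaults
    return ctx


def probe_version(host, port, name, timeout=5.0):
    """Return (status, detail, cipher): status is accepted/rejected/error."""
    ctx = probe_context_for(name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("accepted", tls.version(), tls.cipher()[0])
    except ssl.SSLError as e:
        # A server that disables the version answers with a protocol_version
        # alert; that is the "rejected" case we want to see for TLS 1.0/1.1.
        return ("rejected", e.reason or str(e), None)
    except OSError as e:
        return ("error", str(e), None)


def probe_all(host, port=443):
    """Probe every version in PROBE_VERSIONS against host:port."""
    return {name: probe_version(host, port, name) for name in PROBE_VERSIONS}


def summarize(results):
    """Reduce probe results to the highest accepted version and any legacy ones."""
    accepted = [n for n in PROBE_VERSIONS if results.get(n, ("",))[0] == "accepted"]
    return {
        "highest": accepted[-1] if accepted else None,
        "legacy_accepted": [n for n in accepted if n in LEGACY],
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder host
    results = probe_all(host)
    for name, (status, detail, cipher) in results.items():
        print(f"{name:8s} {status:9s} {detail}{'  ' + cipher if cipher else ''}")
    print(summarize(results))
```

Run it as `python3 probe.py <hostname>` against the vendor's endpoint. If `legacy_accepted` is non-empty, the server (or the balancer terminating TLS for it) still permits TLS 1.0/1.1, which is exactly the server-side setting the vendor says they cannot turn off; the app on your devices was never the place that decision is made.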
David Favor, Linux/LXD/WordPress/Hosting Savant, commented:
Note: Post how to access the service you're using - IP, port, API mechanism - likely someone will be able to test it, then answer your questions correctly, rather than guessing + providing generic info.
sunhux (author) commented:
The product/app I'm referring to is from www.novade.com;
it does stowage tracking.