TLS versions support

sunhux
A vendor offers a mobile app for tracking vehicles & this app links back to their server in Azure cloud.
We install this app on our corporate mobile devices. We have
a) iPhone 5 on iOS 10.x
b) certain iPad models on iOS 9.x
c) Android phones on Android 4.4

Q1:
Vendor told us they can't enforce TLS 1.2 on their app as they have other customers (also in the transport
related industry) with mobile devices still using Android 4.x, thus they'll still permit TLS 1.0 & 1.1.
Is this enforcement of TLS version something that's done at the server end (in the cloud) or at the
mobile app side?

The vendor currently supports only 1 version of the mobile app, thus they can't customize this app
specifically for us just to enforce a certain TLS version, as advised by them.

Q2:
What's the highest version of TLS (1.2, 1.1 or 1.0) that iOS 9.x and Android 4.4 could support?

Q3:
Anyone know if mobile apps can be made to go for TLS 1.2 first, failing which, it'll fall back to
1.1 & if this fails, then 1.0? If it can be done, is this at the server or client end?

Q4:
Suppose there's a load balancer (eg: F5 or A10) at the server end, does the cert installed at
the load balancer matter where TLS version support is concerned?
Roland Lee, Senior Systems Engineer

Commented:

Author

Commented:
Thanks Roland; it's not.
Distinguished Expert 2018
Commented:
Q1) This really becomes a factor of what the server and client support. They are supposed to negotiate the highest version of TLS they agree upon. So in a way you could say it is a fallback scenario. As long as the developer is using at least API 21 for the SDK, the app can support TLS 1.2 (but remember the OS does matter).

Q2) iOS 9 did have TLS 1.2 support provided you followed ATS specs. Android 4.4 I have been seeing mixed things (downside of having everyone customize the heck out of the OS for their own products). However, see my comment about the SDK above. At that version TLS 1.2 support is enabled by default for the app development.

Q3) This is literally how the connections work: at the highest possible version they can agree upon.

Q4) The biggest question is whether all of the servers behind the load balancer support 1.2 and up. However, it would make sense for the balancer itself to at least somewhat matter.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
A1 - Both server and client, but mainly mandated by the server; the latter can allow a lower version if it is allowed and supported, otherwise the client will have to meet the version stipulated. The vendor should consider not hard coding, as such code is not agile and configurable. They should review the coding standard, as it seems not reusable and configurable.

A2: TLS 1.2
The following is a list of operating systems (OS) with the versions that are compliant with TLS 1.2. If your OS is an older version than those listed, you need to update it to be compliant with current security standards.

- Windows: Windows 7 and newer. Windows XP and Windows Vista are not compliant. Microsoft is not releasing an update to make them compliant.
- Mac: Mac OS X 10.8 Mavericks and newer
- Android: Android 4.4 and newer
- iOS: iOS 5 or newer

Source: http://rezogtsupport.homeawaysoftware.com/articles/en_US/Article/HASW-Understanding-Transport-Layer-Security-TLS-1-2-Compatibility?&

A3: The server must allow the fallback, not the client, instead of a forced TLS version (e.g. disabling the older version at the server end due to compliance).

A4: Yes, the LB (acting as a client) needs to establish the TLS channel with the web server (for example) as it is acting on behalf of the origin server. Thus it should also stipulate strict forcing of the TLS version to be consistent with the server security baseline requirements.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
Sounds like your developer requires some remedial education about TLS implementation.

Q1: Is this enforcement of TLS version something that's done at the server end (in the cloud) or at the
mobile app side?

Better to say this.

The server end will support some set of TLS protocols. Clients will connect using whatever protocol level they support. Clients + Servers normally negotiate the most secure TLS protocol version + Cipher to use, based on their own inherent intelligence. How this conversation occurs is highly dependent on the intelligence of both Server + Client.

Q2: What's the highest version of TLS (1.2, 1.1 or 1.0) that iOS 9.x and Android 4.4 could support?

This will vary from day to day, as new OS versions release.

You can use https://www.ssllabs.com/ssltest/analyze.html?d=davidfavor.com&latest this SSL/TLS report as a cheatsheet, as SSL Labs keeps up with this rolling data.

Also the answer is a bit tricky, as the reported data is the best... most secure... connection type...

Client               Certificate          Protocol       Cipher suite                              Key exchange    FS
Android 4.4.2        RSA 4096 (SHA256)    TLS 1.2        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDH secp521r1  FS
Safari 9 / iOS 9  R  RSA 4096 (SHA256)    TLS 1.2 > h2   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384     ECDH secp521r1  FS

Best to check this daily for the most current info + also bug fixes which will affect the info.

Q3: Anyone know if mobile apps can be made to go for TLS 1.2 first, failing which, it'll fall back to
1.1 & if this fails, then 1.0? If it can be done, is this at the server or client end?

Yes. This is handled by default (normally) if a standard OpenSSL library binding is used, because OpenSSL will arbitrate this conversation.

This also applies to the server end, which must also use a standard OpenSSL library binding.

Hint: Sounds to me like this server is using some sort of hand-rolled SSL library, so the answer may be no in your case. The only way to know for sure is to test the server.

Q4: Suppose there's a load balancer (eg: F5 or A10) at the server end, does the cert installed at
the load balancer matter where TLS version support is concerned?

Same answer as Q3.

Better to test + know, than guess.
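Testing the server rather than guessing, as David suggests: an added Python example that is not part of this thread or of any vendor's code. negotiate() models the version selection described in the answers above (the highest version both sides allow, failing when the server's minimum is above the client's maximum), and probe_server() pins one real handshake per TLS version against a host. The hostname is a placeholder, and SECLEVEL=0 is assumed to be needed only because modern OpenSSL disables TLS 1.0/1.1 on the client side by default.

```python
import socket
import ssl

# Oldest to newest; TLS 1.3 is included so the probe also reports newer servers.
VERSIONS = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]


def negotiate(client_min, client_max, server_min, server_max):
    """Model of TLS version selection: the client advertises the highest
    version it supports, the server answers with the highest version both
    sides allow, and the handshake fails when the ranges do not overlap.
    Arguments are ssl.TLSVersion members; returns the agreed version or None."""
    agreed = min(client_max, server_max)
    if agreed < max(client_min, server_min):
        return None  # e.g. server requires >= 1.2 but the client stops at 1.1
    return agreed


def probe_server(host, port=443, timeout=5.0):
    """One handshake per version, each pinned to exactly that version, so the
    result shows which versions the *server* still accepts. Certificate
    verification is off on purpose: the question is 'does it speak X?',
    not 'is its certificate trusted?'."""
    results = {}
    for version in VERSIONS:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
            # lowering it lets the probe report what the server itself allows.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[version] = tls.version() is not None
        except (ssl.SSLError, OSError, ValueError):
            results[version] = False
    return results


if __name__ == "__main__":
    for v, ok in probe_server("example.com").items():  # placeholder host
        print(f"{v.name}: {'accepted' if ok else 'rejected'}")
```

A server that answers "rejected" for TLS 1.0 and 1.1 but "accepted" for 1.2 is enforcing the minimum at its end, which is the configuration btan's A3 describes.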
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Note: Post how to access the service you're using - IP, port, API mechanism - likely someone will be able to test it, then answer your questions correctly, rather than guessing + providing generic info.

Author

Commented:
The product/app I'm referring to is from www.novade.com, which does stowage tracking.