
Code Block
curl -o /dev/null -s -vvv https://my.patientsknowbest.com

The above command will try to fetch content from my.patientsknowbest.com and print the connection details, including the TLS handshake.

Context

A cipher suite is a fixed set of algorithms used together to establish a secure network connection for transmitting data between two hosts. Cipher suite names are derived from the algorithms used.

These algorithms are:

  • Key Exchange Algorithms (e.g.: RSA, DH, ECDH, …)

  • Authentication/Digital Signature Algorithm (e.g.: RSA, ECDSA, …)

  • Bulk Encryption Algorithms (e.g.: AES, CHACHA20, …)

  • Message Authentication Code Algorithms (e.g.: SHA-256, POLY1305)

A cipher suite might be supported by different TLS versions.

Tip

Both the server and the client have a set of supported cipher suites, and the two sets must overlap.

Expected success output

Code Block
*   Trying 35.246.122.93:443...
...
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
...
* Connection #0 to host my.patientsknowbest.com left intact

...

NEXT: Explore ways to update your client software and/or its runtime environment.

Expected failure output

Code Block
*   Trying 35.246.122.93:443...
* Connected to my.patientsknowbest.com (35.246.122.93) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ECDHE-RSA-AES256-SHA384
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [181 bytes data]
* TLSv1.2 (IN), TLS header, Unknown (21):
{ [5 bytes data]
* TLSv1.2 (IN), TLS alert, handshake failure (552):
{ [2 bytes data]
* error:0A000410:SSL routines::sslv3 alert handshake failure
* Closing connection 0

Warning

* error:0A000410:SSL routines::sslv3 alert handshake failure indicates a lack of overlap in the cipher suites supported by client and server.

TIP: The version of the OS running on the given host might not support any of the cipher suites that our servers support.

NEXT: Consult the documentation of your OS, runtime environment and integration engine to see what cipher suites they support.

TIP: Client software might be outdated or missing security updates (can be OS and/or integration engine version).

NEXT: Explore ways to update your client software and/or its runtime environment.

Troubleshooting

Troubleshooting consists of two steps:

  1. You need to learn what cipher suites your software supports (see steps below).

  2. Compare that with the cipher suites our servers support:

    1. Consult our PKB API Network Connectivity page or

    2. Run a live scan on SSLLabs.

Tip

If the two sets intersect, we should be good.

Warning

If the two sets do not intersect, then we need to figure out next steps together.

Outcomes can be:

  1. You need to modernize your client so it has support for secure and performant ciphers or

  2. We need to modernize our server so it supports secure and performant ciphers.

Please consult the table on IANA’s website to see what ciphers are recommended at the moment.

We only want to support secure ciphers.

What ciphers does my OS support?

Linux

Code Block
openssl ciphers -v

Here is an example of a TLS v1.2 cipher suite from the output of the OpenSSL command 'openssl ciphers -v':

Code Block
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD

Info

Kx: (Key Exchange) ECDHE

Au: (Authentication) RSA

Enc: (Bulk Encryption) AES256-GCM

Mac: (Message Authentication) SHA384
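
The comparison described under Troubleshooting can be scripted on top of this output. The following is an added example, not part of the original page or PKB's tooling: it intersects `openssl ciphers -v` rows with a server-side list. The function names, the `SERVER_SUITES` list and both client samples are constructed for illustration and are not PKB's actual configuration.

```shell
#!/bin/sh
# Added example. All sample data below is constructed, not PKB's real configuration.

# Constructed stand-in for the server's suites (OpenSSL names, one per line).
# Fill this from the server documentation or a scan of the server.
SERVER_SUITES='TLS_AES_256_GCM_SHA384
ECDHE-RSA-AES256-GCM-SHA384'

# Constructed `openssl ciphers -v` output for an up-to-date client.
modern_client() {
cat <<'EOF'
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
EOF
}

# Constructed output for a client limited to the suite seen in the failure log.
legacy_client() {
cat <<'EOF'
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
EOF
}

# Read `openssl ciphers -v` rows on stdin; print "suite protocol" for every
# suite that is also in the newline-separated list given as $1.
common_suites() {
    SERVER_LIST="$1" awk '
        BEGIN {
            n = split(ENVIRON["SERVER_LIST"], names, "\n")
            for (i = 1; i <= n; i++) if (names[i] != "") server[names[i]] = 1
        }
        # A cipher row has the Kx= field in column 3; skip anything else.
        $3 ~ /^Kx=/ && ($1 in server) { print $1, $2 }
    '
}

# Exit status 0 when at least one suite is shared, 1 when the sets are
# disjoint (the situation that ends in "alert handshake failure").
have_overlap() {
    [ -n "$(common_suites "$1")" ]
}

# On a real host: openssl ciphers -v | common_suites "$SERVER_SUITES"
modern_client | common_suites "$SERVER_SUITES"
legacy_client | have_overlap "$SERVER_SUITES" || echo "no common cipher suite"
```

Server scans such as SSL Labs list suites by their IANA names (for example TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384), while `openssl ciphers -v` prints OpenSSL names. `openssl ciphers -stdname -v` prints the standard name next to each suite, which helps when converting the server list.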

Windows

View and Modify the Windows Registry Settings for the TLS Cipher Suites:

Code Block
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

An unset or 0xffffffff DWORD value means the given cipher suite is enabled; 0x0 means it’s disabled.