TrackAbout HTTPS Connections and Outdated Encryption Ciphers
The Problem
Your ERP or other systems cannot establish a secure connection to TrackAbout over HTTPS.
The Cause
One potential cause of HTTPS connection problems with TrackAbout is that your system may be using outdated encryption ciphers.
What is an Encryption Cipher?
When a client system attempts to connect to a server using the HTTPS protocol, a TLS handshake process occurs. This process involves validating the server's certificate and agreeing upon encryption cipher and signature algorithms to be used to secure the communication.
As of 08/26/2024, TrackAbout supports the following ciphers:
-
TLS_AES_128_GCM_SHA256
-
TLS_AES_256_GCM_SHA384
-
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
-
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
-
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
-
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
To check if you are using a supported cipher, contact TrackAbout Support.
How Does This Happen?
From time to time, TrackAbout upgrades its web services to add newer, more secure ciphers. At the same time, we remove support for ciphers known to be obsolete or less secure. Since these changes have the potential to cause connection failures for our customers, we always communicate our intentions long in advance of the change.
Why does TrackAbout update encryption ciphers?
Over time, encryption and signature algorithms become compromised. Weaknesses are discovered, sometimes published, sometimes not. These weaknesses are often exploited to exfiltrate sensitive data and compromise businesses.
Once an algorithm is known to be compromised, it must be considered unsafe to use. It can no longer be trusted to adequately protect the contents of the communication.
After we update, the next time your system tries to connect with TrackAbout it should automatically negotiate and choose a secure cipher. If your system cannot connect, it could mean your operating system or other software on the system is limited to using only outdated encryption ciphers that are no longer compatible with those used by TrackAbout.
This can happen if...
-
The operating system, software, or Java runtimes haven’t been updated regularly or recently.
-
Updates are no longer available for the system or software but it is still in use.
-
The operating system and other client software is up-to-date, but through configuration, more secure ciphers are not allowed to be used.
The Solution
The best, and recommended, solution is that you regularly update your systems so they are using the latest versions of software, operating system, and Java runtime. This will ensure your systems have the newest, most secure encryption ciphers available to communicate with other systems over the internet.
However, if keeping a system’s software updated is impractical or impossible, you can use TLS encryption proxy software to act as a secure communication middle-man between your system and TrackAbout.
How It Works
One system communicates with the TLS encryption proxy software, which then passes the communication on to the second system. Since the systems are communicating with the proxy and not directly to each other, the systems do not have to use the same encryption cipher to securely talk to each other. Each system uses their preferred cipher with the proxy. This allows systems with older ciphers to talk to systems with newer ciphers, while keeping the entire communication encrypted.
We recommend the use of a common open source tool named stunnel. It is available for all major operating systems, and supports secure communication using a broad variety of encryption cyphers.
Using stunnel with TrackAbout
The following walks you through installing and running stunnel, changing the URL or endpoint to which your system connects, and instructing stunnel to connect to TrackAbout.
WARNING
The following information and instructions are provided as general guidelines and may not work for your particular setup. Before installing and using stunnel, we encourage you to read the stunnel documentation and adapt the instructions as needed.
Download
Download the appropriate version of stunnel from the official stunnel site.
NOTE
Make sure the version of stunnel you are installing supports the ciphers required — contact TrackAbout Support for assistance.
Install
Install and run stunnel as a local service on your server.
NOTE
If practical, it is recommended you install and run stunnel on the ERP or other system that is connecting to TrackAbout. This keeps the lower-security communication on a single machine and off of the local area network.
If the system connecting to TrackAbout can’t compile or run the version of stunnel available through the package manager, you may need to install stunnel on a secondary system with an up-to-date operating system. Using older versions of stunnel is not recommended.
Linux — On most distributions, stunnel is easily installed using the native package manager, such as apt or yum. By default stunnel does not automatically install itself as a service using systemd or systemctl and you will need to do this part yourself.
Windows — stunnel can be used to install itself as a Windows system service by running stunnel -install once a configuration file is created.
Modify HOSTS File Entries
Modifying your /etc/hosts file (c:\Windows\System32\drivers\etc\hosts on Windows) is optional, and it is better if you do not have to do this. But in some cases, it is needed.
If your client software (ERP, etc.) has the ability to set the HTTP Host: header when calling the TrackAbout API, then you do not need to modify the hosts file. Instead, make sure each HTTP request has the Host: header set to the target server, either www.trackabout.com for Production or test.trackabout.com for Test.
If you cannot modify the client software to properly set the HTTP Host header, then this HOSTS file change is required.
Before proceeding, you should fully understand what modifying the HOSTS file does within your operating system. The HOSTS file overrides the DNS system for host entries made in the file. Making this change means all requests to www.trackabout.com or test.trackabout.com on the system (including web browsers) will be routed to the stunnel service's IP address.
Add this line to the HOSTS file. It doesn't matter where in the file.
Edit stunnel.conf
Before starting the stunnel service, you must create a stunnel.conf file that is specific to your environment, following the appropriate example below.
-
On Linux, this is typically in /etc/stunnel/stunnel.conf
-
On Windows, it is probably in C:\Program Files (x86)\stunnel\config
Example stunnel.conf if you haven’t changed your HOSTS file (preferred implementation)
; Optional: specify the location of stunnel's log file
; Change to an appropriate directory for Windows.
output = /var/log/stunnel.log
; Optional: specify the level of logging. 3 is fine for normal use.
debug = 3
[trackabout]
client = yes
accept = 127.0.0.1:8443
connect = www.trackabout.com:443
sslVersion = TLSv1.2
sni = www.trackabout.com
ciphers = HIGH:!aNULL:!MD5
; Set timeout options to handle idle connections
TIMEOUTidle = 60
TIMEOUTclose = 0
[trackabout-test]
client = yes
accept = 127.0.0.1:8444
connect = test.trackabout.com:443
sslVersion = TLSv1.2
sni = test.trackabout.com
ciphers = HIGH:!aNULL:!MD5
; Set timeout options to handle idle connections
TIMEOUTidle = 60
TIMEOUTclose = 0
Example stunnel.conf IF AND ONLY IF you have to change your HOSTS file (NOT THE IDEAL)
; Optional: specify the location of stunnel's log file
; Change to an appropriate directory for Windows.
output = /var/log/stunnel.log
; Optional: specify the level of logging. 3 is fine for normal use.
debug = 3
[trackabout]
client = yes
accept = 127.0.0.1:8443
connect = ta-appgateway-pip.eastus2.cloudapp.azure.com:443
sslVersion = TLSv1.2
sni = www.trackabout.com
ciphers = HIGH:!aNULL:!MD5
; Set timeout options to handle idle connections
TIMEOUTidle = 60
TIMEOUTclose = 0
[trackabout-test]
client = yes
accept = 127.0.0.1:8444
connect = ta-appgateway-pip.eastus2.cloudapp.azure.com:443
sslVersion = TLSv1.2
sni = test.trackabout.com
ciphers = HIGH:!aNULL:!MD5
; Set timeout options to handle idle connections
TIMEOUTidle = 60
TIMEOUTclose = 0
With the config file saved, you may now start the stunnel service.
NOTES
-
How the service is started is dependent on the operating system.
-
You can run it from the command line during testing, but you should install it as a system service for production use.
Check the logs after starting the service to make sure it's logging.
Test the Connection
To test the connection, you may use a simple command line tool such as curl or wget to request a page through the stunnel proxy.
If you did not make a hosts file change, then this curl command should work:
If you did make a hosts file change, then this curl command should work:
Modify the Client Application
After testing the proxy connection, you must modify how your application connects to TrackAbout.
How you change your client application depends on whether you made the hosts file change noted above.
-
If your application can set the HTTP Host header itself, then your application will automatically connect the proxy at http://127.0.0.1:8443 instead of directly to TrackAbout at https://www.trackabout.com or https://test.trackabout.com.
-
If you made the hosts change, then simply change the TrackAbout endpoint from...
https://www.trackabout.com
...to...
http://www.trackabout.com:8443
...and likewise for the Test environment (but on port 8444).
Increasing Security
After the proxy is in place and working, you may notice that your application is now connecting to stunnel over an unencrypted connection. Assuming both are on the same system, you can make a determination as to whether this is acceptable from a security standpoint. It is possible to increase the security between your application and stunnel if desired as outlined in the official stunnel documentation by using self-signed certificates.
