TLS 1.2 upgrade question

Ka Wai Cheung

26 Jun, 2018 10:47 PM

With the TLS 1.2 upgrade on Friday, is it fair to say that nothing with the getcheddar.com endpoint is changing because it's already only allowing TLS 1.2+ and the only technical updates being made are to the cheddargetter.com domain? I just want to be sure there isn't any subtle update happening with getcheddar.com that might inadvertently trigger something unanticipated.

Thanks!
-Ka Wai

  1. Support Staff 1 Posted by Meghan Turner on 26 Jun, 2018 10:56 PM

    Hey Ka Wai,

    I want to check with the dev team, but I think you're correct that the only changes are being made to the cheddargetter.com domain since Getcheddar.com is already configured to only accept requests using 1.2.

    I'll confirm that with the dev team, though, and let you know what I hear from them in the morning!

    Meghan

  2. Support Staff 2 Posted by Marc Guyer on 27 Jun, 2018 11:16 AM

    Hi Ka Wai -- You're correct. No config changes will be made to getcheddar.com SSL connections. We'll be removing support for TLS v1.0 and v1.1 along with some old ciphers only from the cheddargetter.com config. The two are managed within the same load balancer environment, however, so it's theoretically possible that the getcheddar.com connections could be affected, albeit unlikely. The config change I'll be making is instantaneous. No reboots or anything like that and the change is very simple to roll back in the event of any adverse condition created by the change.

    I was doing some digging yesterday and found that your product with code=KIN_LIVE is connecting over TLS 1.0. Here's an example log entry:

    Jun 27 10:15:52 w02 apache:  cheddargetter.com:80 "34.194.55.101" [email blocked] [27/Jun/2018:10:15:51 +0000] "POST /xml/customers/set-item-quantity/productCode/KIN_LIVE/code/567c2637-4e95-4b8b-aee1-5d89343fd278/itemCode/DISCOUNT_ONE_ACTIVE_USERS HTTP/1.1" 200 62813 "-" "-" 1200483 4194304 "SSL_RSA_WITH_AES_256_CBC_SHA, version=TLSv1, bits=256"
    

    The bit at the end shows use of the SSL_RSA_WITH_AES_256_CBC_SHA cipher over TLSv1. That cipher will remain available but TLSv1 will not. The KIN_LIVE app in this case is connecting to the cheddargetter.com domain. I know Meghan is planning this morning to notify those that are still connecting over v1 or v1.1 but I thought I'd take this opportunity to give you a heads-up. Can you make the change to KIN_LIVE before Friday?

  3. 3 Posted by Ka Wai Cheung on 27 Jun, 2018 01:23 PM

    Thanks Marc-

    I will pass that info along. Since you’re there, can you see if there are any TLS 1.0 calls being made from the “DoneDone” or “DoneDone (TEST)” products tied to my account?

    We made the switch to use getcheddar.com exclusively last month but just want to make sure things are connecting over TLS 1.2 as expected on your end.

    Thanks!
    Ka Wai

  4. Support Staff 4 Posted by Marc Guyer on 27 Jun, 2018 07:08 PM

    Both of those are connecting over TLS1.2. You're all set there.

  5. 5 Posted by Ka Wai Cheung on 27 Jun, 2018 08:25 PM

    Great, thanks Marc.

  6. Marcela Poffald closed this discussion on 28 Jun, 2018 03:42 PM.
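
The check described in reply 2 (reading the cipher and protocol from the end of each Apache log line) can be run across a whole log to list every product still on TLSv1 or TLSv1.1. The Python below is an added example, not code from the thread or from Cheddar; it assumes every line follows the layout of the quoted log entry, and the sample lines, product codes and IP addresses are constructed.

```python
import re
from collections import defaultdict

# Protocol versions the thread says are being removed from cheddargetter.com.
DEPRECATED = {"TLSv1", "TLSv1.1"}

# Vhost follows "apache:", product code is in the path, TLS info is the last quoted field.
VHOST_RE = re.compile(r"apache:\s+(\S+):\d+\s")
PRODUCT_RE = re.compile(r"/productCode/([^/\s\"]+)")
TLS_RE = re.compile(r'"([A-Za-z0-9_-]+), version=([A-Za-z0-9.]+), bits=\d+"\s*$')

def parse_line(line):
    """Return (vhost, product, cipher, version), or None if no TLS field is present."""
    tls = TLS_RE.search(line)
    if tls is None:
        return None
    vhost = VHOST_RE.search(line)
    product = PRODUCT_RE.search(line)
    return (vhost.group(1) if vhost else "?", product.group(1) if product else "?",
            tls.group(1), tls.group(2))

def legacy_clients(lines):
    """Count deprecated-protocol requests as {(vhost, product): {version: n}}."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] in DEPRECATED:
            vhost, product, _cipher, version = parsed
            hits[(vhost, product)][version] += 1
    return {key: dict(counts) for key, counts in hits.items()}

def sample_line(product, cipher, version, bits):
    """Build a constructed (not real traffic) line in the layout quoted in the thread."""
    return ('Jun 27 10:15:52 w02 apache:  cheddargetter.com:80 "203.0.113.10" - '
            '[27/Jun/2018:10:15:51 +0000] "POST /xml/customers/set-item-quantity/'
            f'productCode/{product}/code/CUST-0001/itemCode/ITEM_A HTTP/1.1" 200 512 '
            f'"-" "-" 1200 4096 "{cipher}, version={version}, bits={bits}"')

SAMPLE = [
    sample_line("DEMO_LEGACY", "SSL_RSA_WITH_AES_256_CBC_SHA", "TLSv1", 256),
    sample_line("DEMO_LEGACY", "SSL_RSA_WITH_AES_256_CBC_SHA", "TLSv1", 256),
    sample_line("DEMO_OLD11", "SSL_RSA_WITH_AES_128_CBC_SHA", "TLSv1.1", 128),
    sample_line("DEMO_MODERN", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLSv1.2", 128),
    'Jun 27 10:16:00 w02 apache:  cheddargetter.com:80 "203.0.113.11" malformed',
]

if __name__ == "__main__":
    for (vhost, product), counts in sorted(legacy_clients(SAMPLE).items()):
        print(f"{vhost} product={product} {counts}")
```

Grouping by product code rather than by source IP matches how the thread identifies who needs to be notified before the cutover.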
