ALERT: Disabling support for 3DES Cipher Suites in TLS connections to eliminate a vulnerability

UPDATE: This post has been updated on July 12, 2017. The disabling of 3DES cipher suites was originally scheduled to occur on July 24, 2017. This post has been updated to reflect the current scheduled date of Aug. 7, 2017.

This is an important update for Watson Developer Cloud users. Support for 3DES cipher suites in TLS connections made to Watson Developer Cloud services will be disabled on Aug. 7, 2017 to eliminate a vulnerability.

What are 3DES cipher suites and why are they vulnerable?

When making HTTPS connections using the TLS protocol, a cipher suite defines various aspects of how the client and server communicate securely. The cipher suite used for a connection is determined by agreement between the client and server based on the cipher suites supported by each.

A vulnerability, Sweet32, was identified in cipher suites that use the 3DES block cipher algorithm. This vulnerability is exploitable by an attacker who can monitor a long-lived connection between you and a Watson Developer Cloud service and capture around 785GB of traffic.

What Watson Developer Cloud services will this change affect?

Any connection to a Watson Developer Cloud service made through gateway.watsonplatform.net or stream.watsonplatform.net.

Will I be impacted?

In many situations, disabling 3DES cipher suites will be transparent because other cipher suites are supported by Watson Developer Cloud services. However, due to how these services are configured, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled.

There are two known situations where you will be impacted:

  • You are using version 3.6.0 or earlier of the OkHttp client library with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of OkHttp results in 3DES cipher suites being used. The issue causing this was addressed in version 3.7.0 of OkHttp. Upgrade to this or a later version and verify that you will not be impacted.
  • You are using version 3.7.0 or earlier of the Watson Developer Cloud SDK with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of the Watson Developer Cloud Java SDK is a common reason 3DES cipher suites are used. The issue causing this was addressed in version 3.8.0 of the Watson Developer Cloud SDK. Upgrade to this or a later version and verify that you will not be impacted. If you are currently using a version earlier than 3.0 there are breaking changes. Review the readme for information on these. Review the changelog to learn about additional minor changes.
    Note: The issue in the older versions of the Watson Developer Cloud SDK is caused by the bundling of an unfixed version of OkHttp.

How can I verify that I will not be impacted?

Connect to your service using gateway-t.watsonplatform.net instead of gateway.watsonplatform.net (or stream-t.watsonplatform.net instead of stream.watsonplatform.net). If you can successfully connect then you will not be impacted.

Important! Use gateway-t.watsonplatform.net or stream-t.watsonplatform.net for testing purposes only.

Note: To reconfigure the Watson Developer Cloud Java SDK to use gateway-t.watsonplatform.net, use the setEndPoint method on your service instance to change the hostname. For example:

// For testing only: use the gateway-t hostname instead of gateway.
LanguageTranslator service = new LanguageTranslator();
service.setEndPoint("https://gateway-t.watsonplatform.net/language-translator/api");

I’ve determined I will be impacted but I’m not using an older version of OkHttp or the Watson Developer Cloud SDK with an IBM Java JRE/SDK. What do I do?

You need to determine if your client supports one of the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384*
TLS_RSA_WITH_AES_256_CBC_SHA256*
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA

*TLS 1.2 only

If your client does not support one of these cipher suites, reconfigure your client to enable support for at least one of them, or move to a new client that does support one of them. If your client is configured to support one of these and you still can’t confirm that you will not be impacted, you need to diagnose your connection to determine the cause. Refer to any available documentation for your client to assist with this.
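
For a Java client, one way to check the list above against what the JVM offers is the following added example (not code from the original post or from the Watson SDK). The class name CipherSuiteCheck and its helper methods are hypothetical, and the SSL_ prefix handling is an assumption about how some JREs name their suites.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

public class CipherSuiteCheck {
    // The cipher suites this post lists as accepted once 3DES is disabled.
    static final Set<String> ACCEPTED = new HashSet<>(Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"));

    // Assumption: some JREs report suite names with an SSL_ prefix; compare on the TLS_ form.
    static String normalize(String name) {
        return name.startsWith("SSL_") ? "TLS_" + name.substring(4) : name;
    }

    // Keep only the suites from 'names' that appear in the post's list.
    static List<String> accepted(String[] names) {
        List<String> hits = new ArrayList<>();
        for (String name : names) {
            if (ACCEPTED.contains(normalize(name))) hits.add(name);
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters defaults = ctx.getDefaultSSLParameters();
        List<String> enabled = accepted(defaults.getCipherSuites());
        List<String> supported = accepted(ctx.getSupportedSSLParameters().getCipherSuites());
        supported.removeAll(enabled); // what remains could be enabled by reconfiguration
        System.out.println("Enabled protocols: " + Arrays.toString(defaults.getProtocols()));
        System.out.println("Accepted suites enabled by default: " + enabled);
        System.out.println("Accepted suites supported but not enabled: " + supported);
        for (String name : defaults.getCipherSuites()) {
            if (name.contains("3DES")) System.out.println("3DES suite still enabled: " + name);
        }
        if (enabled.isEmpty()) System.out.println("No accepted suite enabled; connections will fail.");
    }
}
```

This reports the JVM defaults only; an HTTP client library can narrow the list further, so the connection test against gateway-t.watsonplatform.net remains the deciding check.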

Follow up and questions

If you have any questions or problems, please contact support.
