ALERT: Disabling support for 3DES Cipher Suites in TLS connections to eliminate a vulnerability

UPDATE: This post has been updated on July 12, 2017. The disabling of 3DES cipher suites was originally scheduled to occur on July 24, 2017. This post has been updated to reflect the current scheduled date of Aug. 7, 2017.

This is an important update for Watson Developer Cloud users. Support for 3DES cipher suites in TLS connections made to Watson Developer Cloud services will be disabled on Aug. 7, 2017, to eliminate a vulnerability.

What are 3DES cipher suites and why are they vulnerable?

When making HTTPS connections using the TLS protocol, a cipher suite defines various aspects of how the client and server communicate securely. The cipher suite used for a connection is determined by agreement between the client and server based on the cipher suites supported by each.

A vulnerability, Sweet32, was identified in cipher suites that use the 3DES block cipher algorithm. This vulnerability is exploitable by an attacker who can monitor a long-lived connection between you and a Watson Developer Cloud service and capture around 785GB of traffic.

What Watson Developer Cloud services will this change affect?

Any connection to a Watson Developer Cloud service made through gateway.watsonplatform.net or stream.watsonplatform.net.

Will I be impacted?

In many situations disabling of 3DES cipher suites will be transparent as other cipher suites are supported by Watson Developer Cloud services. However, due to how these services are configured, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled.

There are two known situations where you will be impacted:

  • You are using version 3.6.0 or earlier of the OkHttp client library with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of OkHttp results in 3DES cipher suites being used. The issue causing this was addressed in version 3.7.0 of OkHttp. Upgrade to this or a later version and verify that you will not be impacted.
  • You are using version 3.7.0 or earlier of the Watson Developer Cloud SDK with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of the Watson Developer Cloud Java SDK is a common reason 3DES cipher suites are used. The issue causing this was addressed in version 3.8.0 of the Watson Developer Cloud SDK. Upgrade to this or a later version and verify that you will not be impacted. If you are currently using a version earlier than 3.0 there are breaking changes. Review the readme for information on these. Review the changelog to learn about additional minor changes.
    Note: The issue in the older versions of the Watson Developer Cloud SDK is caused by the bundling of an unfixed version of OkHttp.

How can I verify that I will not be impacted?

Connect to your service using gateway-t.watsonplatform.net instead of gateway.watsonplatform.net (or stream-t.watsonplatform.net instead of stream.watsonplatform.net). If you can successfully connect then you will not be impacted.

Important! Use gateway-t.watsonplatform.net or stream-t.watsonplatform.net for testing purposes only.

Note: To reconfigure the Watson Developer Cloud Java SDK to use gateway-t.watsonplatform.net, use the setEndPoint method on your service instance to change the hostname. For example:

LanguageTranslator service = new LanguageTranslator();
// Testing endpoint only; switch back to gateway.watsonplatform.net afterwards.
service.setEndPoint("https://gateway-t.watsonplatform.net/language-translator/api");

I’ve determined I will be impacted but I’m not using an older version of OkHttp or the Watson Developer Cloud SDK with an IBM Java JRE/SDK. What do I do?

You need to determine if your client supports one of the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384*
TLS_RSA_WITH_AES_256_CBC_SHA256*
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA

*TLS 1.2 only

If your client does not support one of these cipher suites, reconfigure your client to enable support for at least one of them, or move to a new client that does support one. If your client is configured to support one of these and you can’t confirm that you will not be impacted, you need to diagnose your connection to determine the cause. Refer to any available documentation for your client to assist with this.
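For a Java client, one way to check this is to compare the JVM's default TLS settings against the list above. This is an added example, not code from IBM or the Watson SDK; the class name CipherSuiteCheck is hypothetical, and it assumes your client uses the JVM's default SSLContext.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

public class CipherSuiteCheck {
    // Accepted suites, copied from the list in this post.
    static final Set<String> ACCEPTED = new HashSet<>(Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"
    ));

    // JSSE providers may name the same suite with an SSL_ or a TLS_ prefix.
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    // Keep only suites on the accepted list, preserving the JVM's order.
    static List<String> accepted(String[] suites) {
        List<String> out = new ArrayList<>();
        for (String s : suites) {
            if (ACCEPTED.contains(normalize(s))) out.add(s);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] enabled = ctx.getDefaultSSLParameters().getCipherSuites();
        String[] supported = ctx.getSupportedSSLParameters().getCipherSuites();
        List<String> usable = accepted(enabled);
        System.out.println("Enabled and accepted: " + usable);
        for (String s : enabled) {
            if (s.contains("3DES")) System.out.println("Enabled 3DES suite: " + s);
        }
        if (usable.isEmpty()) {
            // Nothing usable is enabled: show what could be switched on.
            System.out.println("Supported but not enabled: " + accepted(supported));
        }
    }
}
```

Run it with the same JRE your application uses. An HTTP client library can apply its own cipher suite selection on top of these JVM defaults, so a successful connection to the testing hostname remains the definitive check.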

Follow up and questions

For any questions or problems, please contact support.

Watson Secure Engineering Unit Lead IBM Watson and Cloud Platform
