ALERT: Disabling support for 3DES Cipher Suites in TLS connections to eliminate a vulnerability
By Daniel Cox | 4 minute read | June 14, 2017
UPDATE: This post has been updated on July 12, 2017. The disabling of 3DES cipher suites was originally scheduled to occur on July 24, 2017. This post has been updated to reflect the current scheduled date of Aug. 7, 2017.
Sharing an important update for Watson Developer Cloud users. The support for 3DES cipher suites in TLS connections made to Watson Developer Cloud services is being disabled on Aug. 7, 2017 to eliminate a vulnerability.
What are 3DES cipher suites and why are they vulnerable?
When making HTTPS connections using the TLS protocol, a cipher suite defines various aspects of how the client and server communicate securely. The cipher suite used for a connection is determined by agreement between the client and server based on the cipher suites supported by each.
A vulnerability, Sweet32, was identified in cipher suites that use the 3DES block cipher algorithm. This vulnerability is exploitable by an attacker who can monitor a long-lived connection between you and a Watson Developer Cloud service and capture around 785GB of traffic.
What Watson Developer Cloud services will this change affect?
Any connection to a Watson Developer Cloud service made through gateway.watsonplatform.net or stream.watsonplatform.net.
Will I be impacted?
In many situations disabling of 3DES cipher suites will be transparent as other cipher suites are supported by Watson Developer Cloud services. However, due to how these services are configured, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled.
There are two known situations where you will be impacted:
- You are using version 3.6.0 or earlier of the OkHttp client library with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of OkHttp results in 3DES cipher suites being used. The issue causing this was addressed in version 3.7.0 of OkHttp. Upgrade to this or a later version and verify that you will not be impacted.
- You are using version 3.7.0 or earlier of the Watson Developer Cloud SDK with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of the Watson Developer Cloud Java SDK is a common reason 3DES cipher suites are used. The issue causing this was addressed in version 3.8.0 of the Watson Developer Cloud SDK. Upgrade to this or a later version and verify that you will not be impacted. If you are currently using a version earlier than 3.0 there are breaking changes. Review the readme for information on these. Review the changelog to learn about additional minor changes.
Note: The issue in the older versions of the Watson Developer Cloud SDK is caused by the bundling of an unfixed version of OkHttp.
How can I verify that I will not be impacted?
Connect to your service using gateway-t.watsonplatform.net instead of gateway.watsonplatform.net (or stream-t.watsonplatform.net instead of stream.watsonplatform.net). If you can successfully connect then you will not be impacted.
Important! Use gateway-t.watsonplatform.net or stream-t.watsonplatform.net for testing purposes only.
Note: To reconfigure the Watson Developer Cloud Java SDK to use gateway-t.watsonplatform.net use the setEndPoint method on your service instance to change the hostname. For example:
LanguageTranslator service = new LanguateTranslator();
I’ve determined I will be impacted but I’m not using an older version of OkHttp or the Watson Developer Cloud SDK with an IBM Java JRE/SDK. What do I do?
You need to determine if your client supports one of the following cipher suites:
*TLS 1.2 only
If your client does not support one of these cipher suites reconfigure your client to enable support for at least one cipher suite or move to a new client that does support one of them. If your client is configured to support one of these and you can’t confirm that you will not be impacted you need to diagnose your connection to determine the cause. Refer to any available documentation for your client to assist with this.
Follow up and questions
Any questions or problems, please contact support.
UPDATE: This post has been updated on July 12, 2017. The disabling of 3DES cipher suites was originally scheduled to occur on July 24, 2017. This post has been updated to reflect the current scheduled date of August 7, 2017.