
ALERT: Disabling support for 3DES Cipher Suites in TLS connections to eliminate a vulnerability


UPDATE: This post has been updated on July 12, 2017. The disabling of 3DES cipher suites was originally scheduled to occur on July 24, 2017. This post has been updated to reflect the current scheduled date of Aug. 7, 2017.

This is an important update for Watson Developer Cloud users. Support for 3DES cipher suites in TLS connections made to Watson Developer Cloud services will be disabled on Aug. 7, 2017 to eliminate a vulnerability.

What are 3DES cipher suites and why are they vulnerable?

When a client makes an HTTPS connection, the TLS cipher suite determines the key exchange, authentication, bulk encryption and integrity algorithms that protect the connection. The suite is negotiated: the client offers the suites it supports, and the server selects one of them from the set it supports. If the two sides have no suite in common, the handshake fails and no connection is made.

A vulnerability, Sweet32, was identified in cipher suites that use the 3DES block cipher algorithm. 3DES has a 64-bit block size, so once roughly 2^32 blocks (about 32 GB) have been encrypted under one key a repeated ciphertext block becomes likely (the birthday bound), and in CBC mode each such collision reveals the XOR of two plaintext blocks, which can expose a secret such as a session cookie that is sent over the connection repeatedly. This vulnerability is exploitable by an attacker who can monitor a long-lived connection between you and a Watson Developer Cloud service and capture around 785GB of traffic.

What Watson Developer Cloud services will this change affect?

Any connection to a Watson Developer Cloud service made through gateway.watsonplatform.net or stream.watsonplatform.net.

Will I be impacted?

In many situations disabling 3DES cipher suites will be transparent, because the client and the Watson Developer Cloud services have other cipher suites in common. However, due to how these services are configured, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled. The failure occurs at the TLS handshake (typically a handshake_failure alert), before any HTTP request is sent, so it will not appear as an HTTP error code.

There are two known situations where you will be impacted:

  • You are using version 3.6.0 or earlier of the OkHttp client library with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of OkHttp results in 3DES cipher suites being used. The issue causing this was addressed in version 3.7.0 of OkHttp. Upgrade to this or a later version and verify that you will not be impacted.
  • You are using version 3.7.0 or earlier of the Watson Developer Cloud SDK with an IBM Java JRE/SDK. We have identified that using an IBM Java JRE/SDK with older versions of the Watson Developer Cloud Java SDK is a common reason 3DES cipher suites are used. The issue causing this was addressed in version 3.8.0 of the Watson Developer Cloud SDK. Upgrade to this or a later version and verify that you will not be impacted. If you are currently using a version earlier than 3.0 there are breaking changes. Review the readme for information on these. Review the changelog to learn about additional minor changes.
    Note: The issue in the older versions of the Watson Developer Cloud SDK is caused by the bundling of an unfixed version of OkHttp.

How can I verify that I will not be impacted?

Connect to your service using gateway-t.watsonplatform.net instead of gateway.watsonplatform.net (or stream-t.watsonplatform.net instead of stream.watsonplatform.net). If you can successfully connect then you will not be impacted.

Important! Use gateway-t.watsonplatform.net or stream-t.watsonplatform.net for testing purposes only.

Note: To reconfigure the Watson Developer Cloud Java SDK to use gateway-t.watsonplatform.net, use the setEndPoint method on your service instance to change the hostname. For example (Language Translator, Java SDK 3.x):

import com.ibm.watson.developer_cloud.language_translator.v2.LanguageTranslator;

// Point this instance at the test gateway; the path after the host is unchanged.
LanguageTranslator service = new LanguageTranslator();
service.setEndPoint("https://gateway-t.watsonplatform.net/language-translator/api");

I’ve determined I will be impacted but I’m not using an older version of OkHttp or the Watson Developer Cloud SDK with an IBM Java JRE/SDK. What do I do?

You need to determine if your client supports one of the following cipher suites:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384*
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384*
TLS_RSA_WITH_AES_256_CBC_SHA256*
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256*
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA256*
TLS_RSA_WITH_AES_128_CBC_SHA

*TLS 1.2 only

If your client does not support any of these cipher suites, reconfigure it to enable at least one of them, or move to a client that does support one. If your client is configured with one of these suites and you still cannot confirm that you will not be impacted, diagnose the connection to determine which suite is actually being negotiated and why. Refer to the documentation for your client to assist with this.
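The following program is an added example for the verification and diagnosis steps above; it is not code from the original post or from the Watson SDK. It lists the cipher suites the running JVM enables by default, flags the 3DES ones, reports which enabled suites are on the post-change list, and, if a hostname is passed on the command line (for example gateway-t.watsonplatform.net, the testing host only), performs one real handshake and prints the suite the server negotiated. The class name, the method names and the SSL_ to TLS_ prefix normalization are this example's own choices; the normalization assumes that, as Oracle's JSSE does for SSL_RSA_WITH_3DES_EDE_CBC_SHA, the IBM JSSE may report suite names with an SSL_ prefix.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Offline: shows which default-enabled suites survive the 3DES removal.
 * With a hostname argument: one live handshake, printing the negotiated suite.
 */
public class WatsonCipherSuiteCheck {

    /** Suites the gateways still accept after the change (the list in this post). */
    static final Set<String> SERVER_SUITES = new HashSet<>(Arrays.asList(
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA"));

    /**
     * JSSE implementations name some suites with an SSL_ prefix instead of TLS_
     * (assumption for the IBM JSSE, see the lead-in). Compare on the TLS_ form.
     */
    static String normalize(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    /** True for any 3DES suite, whichever prefix the JVM reports it with. */
    static boolean isTripleDes(String suite) {
        return normalize(suite).contains("_3DES_EDE_CBC_");
    }

    /** Enabled suites, in the client's preference order, that the gateway still accepts. */
    static List<String> survivingSuites(String[] enabledSuites) {
        List<String> ok = new ArrayList<>();
        for (String s : enabledSuites) {
            if (SERVER_SUITES.contains(normalize(s))) {
                ok.add(s);
            }
        }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        String[] enabled = factory.getDefaultCipherSuites();

        System.out.println("Cipher suites enabled by default in this JVM:");
        for (String s : enabled) {
            System.out.println("  " + s + (isTripleDes(s) ? "   <- 3DES, rejected after Aug. 7" : ""));
        }

        List<String> ok = survivingSuites(enabled);
        if (ok.isEmpty()) {
            System.out.println("IMPACTED: none of the enabled suites is on the gateway's post-3DES list.");
        } else {
            System.out.println("Suites the gateway will still accept: " + ok);
        }

        // Optional live check against the testing host, e.g. gateway-t.watsonplatform.net
        if (args.length > 0) {
            try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], 443)) {
                // Verify the certificate matches the hostname, as a real HTTPS client would.
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
                socket.startHandshake();
                String negotiated = socket.getSession().getCipherSuite();
                System.out.println("Negotiated with " + args[0] + ": " + negotiated
                    + (isTripleDes(negotiated) ? "   <- 3DES in use, you are impacted" : ""));
            }
        }
    }
}
```

Note that this checks the JVM's default SSLContext, not what OkHttp offers: OkHttp applies its own ConnectionSpec to the suites the JVM enables, so an affected OkHttp or Watson SDK client can still end up negotiating 3DES even when this program reports AES suites available. For a request made through OkHttp 3.x, response.handshake().cipherSuite() reports the suite that connection actually negotiated, which is the value to check.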

Follow up and questions

For any questions or problems, please contact support.


Watson Secure Engineering Unit Lead, IBM Watson and Cloud Platform
