ESET Insiders BDeep 7 Posted April 5, 2016 ESET Insiders Posted April 5, 2016 Any update on when Internet Protection Module 1181 will be released? Looking for TLS 1.2 support.
Administrators Marcos 5,725 Posted April 5, 2016 Administrators Posted April 5, 2016 I'm sorry but I don't understand. TLS 1.2 has been supported for ages. The latest version of the Internet protection module on pre-release servers is 1226.26.
ESET Insiders BDeep 7 Posted April 6, 2016 Author ESET Insiders Posted April 6, 2016 (edited) Referring to this thread: https://forum.eset.com/topic/4234-ssl-inspection-tls-12-support/ Production release, not pre-release, ESET Endpoint Security 6.3.2016.0 is using Internet Protection Module 1173.16 with a build date of 17 March 2016. Visiting https://browsercheck.qualys.com shows that ESET SSL Filter CA verified the site, but stepped the security down to TLS 1.0. Visiting https://browsercheck.qualys.com from an ESET computer not doing SSL inspection shows that the site was verified by Qualsys Inc. and is using TLS 1.2. Edited April 7, 2016 by BDeep
jimwillsher 65 Posted April 7, 2016 Posted April 7, 2016 Correct URL is: https://browsercheck.qualys.com
ESET Insiders BDeep 7 Posted April 7, 2016 Author ESET Insiders Posted April 7, 2016 Correct URL is: https://browsercheck.qualys.com Thanks for correcting my mistake. Updated the post to reflect your correction.
Administrators Marcos 5,725 Posted April 8, 2016 Administrators Posted April 8, 2016 Could you please post a screen shot of the warning you get from Qualys? I don't see any and have EES 6.3 installed and SSL scanning enabled:
ESET Insiders BDeep 7 Posted April 9, 2016 Author ESET Insiders Posted April 9, 2016 Not really an error, per-say. Just that with ESET SSL inspection on, it appears that traffic is stepping down to TLS 1.0. I can fire up Wireshark if you want packet data but the two pictures below might be enough. With SSL inspection off, Chrome reports a TLS 1.2 certificate. With SSl inspection on, Qualys reports a TLS 1.0 certificate signed by ESET.
Administrators Marcos 5,725 Posted April 12, 2016 Administrators Posted April 12, 2016 What operating system did you test it on? It could be a known issue of Schannel which picks a less secure protocol despite getting the information from us that newer ones are supported as well. I tested it on Windows 10 so maybe Microsoft has already addressed that issue.
ESET Insiders BDeep 7 Posted April 12, 2016 Author ESET Insiders Posted April 12, 2016 What operating system did you test it on? It could be a known issue of Schannel which picks a less secure protocol despite getting the information from us that newer ones are supported as well. I tested it on Windows 10 so maybe Microsoft has already addressed that issue. v9_tls12.png Windows 7 32bit Enterprise for the screenshots. I just looked at my 8.1 Enterprise laptop and it shows TLS 1.0 verified by ESET. Both of these machines are domain joined and getting GPOs. In IE, looking at admin-managed settings, I have use "TLS 1.0", "TLS 1.1", and "TLS 1.2" enabled (forced via GPO). Based on this and your reply, if a site only supports 1.2 only, ESET will still establish the connection to site, correct?
ESET Insiders BDeep 7 Posted April 12, 2016 Author ESET Insiders Posted April 12, 2016 Here is a real world example. Our communications folks cannot access Verizon Business Enterprise portal. No SSL inspection: flies without issue. ESET SSL inspection: no access whatsoever. https://myverizonenterprise.verizon.com/. Specifically, the site uses only TLS 1.2 and does not support renegotiation. https://www.ssllabs.com/ssltest/analyze.html?d=myverizonenterprise.verizon.com vec-tls-1.2-update-en_xg.pdf
ESET Insiders BDeep 7 Posted April 15, 2016 Author ESET Insiders Posted April 15, 2016 Hmmm. Crickets. Any updates?
Administrators Marcos 5,725 Posted April 15, 2016 Administrators Posted April 15, 2016 No problems here: Any chance of arranging a remote session and checking it out myself?
ESET Insiders BDeep 7 Posted April 15, 2016 Author ESET Insiders Posted April 15, 2016 (edited) No problems here: verizon1.png verizon2.png Any chance of arranging a remote session and checking it out myself? You still on Windows 10 with that screenshot? This is a 5000+ Windows enterprise with 7 and 8.1 Enterprise editions. Can't just refresh to Windows 10 overnight. Yes on the remote session. Can you PM me or work with me via email to set something up? Edited April 15, 2016 by BDeep
ESET Insiders Solution BDeep 7 Posted April 25, 2016 Author ESET Insiders Solution Posted April 25, 2016 It appears that Internet Protection Module 1226.29 with a build date of 07 April 2016 has been installed. After this program update, the websites mentioned above as well as many others with TLS 1.2 only on Windows 7 and Windows 8.1, are loading correctly. I see the ESET certificate, previously using TLS 1.0 and causing errors, now using TLS 1.2 and loading fine.
Recommended Posts