This topic contains 1 reply, has 0 voices, and was last updated by roberth 9 years ago.

  • #6825

    roberth

    I received the following email from NetSuite. In it they mention “…Older (now outdated) integration clients…” – What specifically does that mean?

    NetSuite to Disable the RC4 cipher for Integrations

    Security is always important at NetSuite. To keep your data safe, we will disable the RC4 cipher for integrations establishing connection to NetSuite. We will disable the RC4 cipher for NetSuite Sandbox on Monday, November 23rd, 2015 at 3am PST. Next month, on Tuesday, December 29, 2015, we will disable the RC4 cipher for NetSuite Production.

    What this means to you

    If your company developed integrations on older (now outdated) integration clients, these integrations might be using the RC4 cipher. Depending on the development environment and language used (examples of languages include Java, Ruby, PHP, .NET, and Python) you might need to upgrade libraries, upgrade client versions, and perhaps even edit the code for some integrations. Discuss this with your development teams and identify the integrations that might be affected. You must create and execute a plan for updating your integration clients before December 28, 2015 to ensure they support ciphers other than the RC4 cipher.

    If you do not update your integrations to communicate using ciphers other than RC4, connections from your integrations will fail the TLS handshake. The RC4 cipher will not be used in TLS fallback negotiations. Disabling the RC4 cipher is in alignment with the industry standards from PCI, ISO, and NIST. Sources of information on the drawbacks of continuing using the RC4 cipher are readily available on the internet.

    Please contact NetSuite Customer Support if you have any questions.

    Thank you,

    The NetSuite Team

  • #6826

    roberth

    As an update, I was unable to get an answer from support (which is becoming increasingly common, it seems), so I installed a copy of Wireshark and began to sniff the network traffic.

    For anyone who needs to find out, and barring an easier way which I am unaware of, here are the instructions to follow to find out if you’re affected:

    *Note* Wireshark, to my knowledge, has to be installed on the machine you are running the integration(s) on

    Stop your integration
    Install the latest copy of Wireshark from wireshark.org
    Double-click on your network interface after Wireshark starts (may be vmnet1, eth0, local area connection, etc.)
    In the filter at the top type: ssl (this will filter your traffic to SSL traffic only)
    Click on Edit -> Preferences -> Name Resolution and enable Resolve network (IP) addresses and Resolve transport names, as this will make output easier to read
    You should now notice IP addresses changing to domain names

    Start your integration and look for webservices.netsuite.com or rest.netsuite.com
    Look for a packet with info like: “Server Hello, Certificate, Server Hello Done”
    Expand the Secure Sockets Layer section
    Expand the TLSv1.2 Record Layer section
    Expand the Handshake Protocol: Server Hello section
    Find the Cipher Suite. This is the type of encryption in use.
    In my case this says TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

    You need to change it if it says:
    TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA (0xc007)
    TLS_ECDH_RSA_WITH_RC4_128_SHA (0xc00c)
    TLS_ECDH_ECDSA_WITH_RC4_128_SHA (0xc002)
    TLS_RSA_WITH_RC4_128_SHA (0x0005)
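
The manual Server Hello lookup described in the post above, as an added example that is not part of the original post: a Python parser that reads the selected cipher suite out of a raw TLS handshake record and checks it against the five RC4 suites listed. The function names and the record produced by `build_sample` are constructed for illustration.

```python
import struct

# RC4 suites listed in the post above (two-byte code -> name)
RC4_SUITES = {
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
}

def server_hello_cipher(record: bytes) -> int:
    """Return the cipher suite code from a TLS record that starts with a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if rec_len < 4 or len(body) < rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x02:
        raise ValueError("first handshake message is not a ServerHello")
    # Certificate / Server Hello Done may follow in the same record; only
    # the first message (the ServerHello) is read here.
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hello) < 35:  # server_version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ServerHello")
    offset = 35 + hello[34]  # skip the variable-length session_id
    if len(hello) < offset + 2:
        raise ValueError("truncated ServerHello")
    return int.from_bytes(hello[offset:offset + 2], "big")

def uses_rc4(record: bytes) -> bool:
    """True if the server selected one of the RC4 suites listed above."""
    return server_hello_cipher(record) in RC4_SUITES

def build_sample(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.2 ServerHello record (zeroed random, no extensions)."""
    hello = (b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
             + struct.pack("!H", suite) + b"\x00")
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

if __name__ == "__main__":
    for code in (0x002F, 0xC011):  # the AES suite from the post, then an RC4 suite
        rec = build_sample(code, session_id=bytes(32))
        print(hex(server_hello_cipher(rec)), "RC4" if uses_rc4(rec) else "not RC4")
```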
