Friday, January 26, 2018

Microsoft Dynamics GP and TLS 1.0

It is not too often that you will hear me say anything negative about my beloved Microsoft Dynamics GP, but it is quite disheartening, to say the least, to see Microsoft not addressing the industry move away from TLS 1.0 as it relates to Dynamics GP.

Background

TLS, the Transport Layer Security protocol, provides privacy and data integrity between applications that exchange data. The connection is private because symmetric keys are used to encrypt the data between the parties; the identity of the communicating parties can be authenticated using public-key cryptography; and the connection provides a level of message integrity, because each message carries an integrity check in the form of a message authentication code.

As you would expect, TLS 1.0, 1.1, 1.2, 1.3 (draft), etc., are simply progressive versions of the same protocol, albeit with substantial differences that in some cases preclude interoperability between versions. What is key to this discussion, however, is the age of each. For example, TLS 1.0 has been around since 1999, so suffice it to say, that's extremely Mesozoic in technology years.

Acknowledging the security risks faced by companies and business applications still relying on TLS 1.0, the PCI Council voted to end support for TLS 1.0 as of June 30, 2016. However, on December 15, 2015, they backtracked and extended the deadline to June 30, 2018.

You can read the full details in this PCI Council blog article:

Date Change for Migrating from SSL and Early TLS

Microsoft Dynamics GP

At this point, it's safe to assume you see the impact this has on Microsoft Dynamics GP, but I will summarize the list of applications that are currently impacted by this:

  • Web Services for Microsoft Dynamics GP
  • Business Portal for Microsoft Dynamics GP (it relies on Web Services)
  • Web Client (both Silverlight and HTML5 clients)
  • Service Based Architecture

Edit: If you disable TLS 1.0 in IIS, for example, none of the above services will be able to authenticate and communicate with Microsoft Dynamics GP.

This problem even affects the newly minted GP 2018.
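
Before turning TLS 1.0 off on the server that hosts these services, it helps to record what the Windows SCHANNEL settings currently allow. The script below is an added example, not code from this post or from Microsoft; it assumes the protocols are controlled through the standard SCHANNEL registry keys and only reads them.

```powershell
# Added example: report the SCHANNEL registry state of each TLS version on this
# server, for both the Server role (inbound, e.g. IIS) and the Client role
# (outbound calls made from this machine). Read-only; nothing is changed.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelValue {
    param([string]$Path, [string]$Name)
    # A missing key or value means the OS default applies, so return $null
    # instead of guessing a value.
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($version in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $version) $role
        $enabled = Get-SchannelValue -Path $key -Name 'Enabled'
        $disabledByDefault = Get-SchannelValue -Path $key -Name 'DisabledByDefault'

        $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
            'not set (OS default applies)'
        } elseif ($enabled -eq 0) {
            'disabled'
        } elseif ($disabledByDefault -eq 1) {
            'off by default (applications must request it)'
        } else {
            'enabled'
        }

        [pscustomobject]@{
            Protocol          = $version
            Role              = $role
            Enabled           = $enabled
            DisabledByDefault = $disabledByDefault
            State             = $state
        }
    }
}

$report | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the IIS server, and keep the output so the settings can be compared after any change.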

Until next post,

MG.-
Mariano Gomez, MVP

4 comments:

Tim Wappat said...

I was going to ask what the issue was, now seen the edit in the post. But still not much meat on this post as to what technically the root issue that needs addressing is in relation to GP.

Would be interested in what actually happens and why it fails if TLS 1.0 is revoked and what kind of thing MS need to do to address it.


thanks,
Tim

Beat BUCHER said...

Thanks Mariano for shedding some light on a pretty obscure protocol that no one thinks about until it's suddenly gone.
A similar thing happened to me recently as an old .DLL from Microsoft that was used unchanged since 1998 suddenly got updated thru the regular channel (WSUS) and put a halt on applications that were relying on it :-(
This sounds very much like the right hand doesn't know what the left hand is doing.. they don't even talk to each other!
Phil Massey posted a related concern on LinkedIn too:
https://is.gd/KBHSG9
Someone should talk to MS and raise the issue and how this is going to be fixed..

Anonymous said...

Hello all, just wanted to chime in to point the discussion to a blog post I posted today regarding this issue. Feel free to reach out to me if you have any other questions or concerns about this.

https://community.dynamics.com/gp/b/dynamicsgp/archive/2018/02/16/dynamics-gp-and-tls-1-0

Dan P.
Microsoft Dynamics GP Support

Mariano Gomez said...

Dan,

Thanks so much for the update. I really appreciate it and all things being fair, I will post an update pointing to your article.

Best regards,

MG.-