TLS 1.1 removal and disabling of weak cipher suites
At the moment, Bosch IoT Insights still supports the TLS version 1.1.
Our goal is to always offer an up-to-date and secure service for device communication. TLS version 1.1, however, is considered insecure (IETF).
Consequences
If your devices or applications still use TLS version 1.1, they will no longer be able to connect to Bosch IoT Insights after October 2021.
For customers with a paid plan, §15.3 Changes of the Service and the Terms and Conditions of the SaaS Terms and Conditions applies [2]: “[…] If Customer does not object within 30 days of receipt of the notification and continues to use the Service after expiry of the period for objection, then the changes shall be deemed to have been effectively agreed as from the expiry date of the time limit. In the event of an objection, the contractual relationship shall be continued subject to the conditions applying hitherto. If an objection is raised, Provider is entitled to terminate the contractual relationship subject to a one (1) month’ notice period.”
Our API will support only the following cipher suites, and therefore only TLS 1.2 or higher:
TLS Version | Cipher Suite Name (IANA/RFC) | Hex | KeyExch. | Auth. | Encryption | Bits | Cipher Suite Name (OpenSSL) |
---|---|---|---|---|---|---|---|
TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xc030 | ECDHE | RSA | AES-GCM | 256 | ECDHE-RSA-AES256-GCM-SHA384 |
TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xc02f | ECDHE | RSA | AES-GCM | 128 | ECDHE-RSA-AES128-GCM-SHA256 |
TLSv1.2 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca8 | ECDHE | RSA | CHACHA20-POLY1305 | 256 | ECDHE-RSA-CHACHA20-POLY1305-SHA256 |
TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xc028 | ECDHE | RSA | AES | 256 | ECDHE-RSA-AES256-SHA384 |
TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xc014 | ECDHE | RSA | AES | 256 | ECDHE-RSA-AES256-CBC-SHA |
TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xc027 | ECDHE | RSA | AES | 128 | ECDHE-RSA-AES128-SHA256 |
TLSv1.2 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xc013 | ECDHE | RSA | AES | 128 | ECDHE-RSA-AES128-CBC-SHA |
Support
For testing purposes, we offer an endpoint with the future TLS policy. Please note that this is only a temporary testing environment.
As soon as we apply the TLS policy to the standard endpoints, the testing environment will be shut down.
You should therefore not connect any productive devices to these test endpoints. If you have any problems when testing, please let us know.
The test endpoint with the future TLS version and ciphers is as follows:
https://www.tlscheck-bosch-iot-insights.com
Depending on the response, you can see whether a TLS 1.2 connection with your client works or not.
The following table helps you interpret the result:
Successful responses | Failing responses |
---|---|
HTTP status 200 (optional with HTML page) | curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure |
HTTP status 405 (optional with HTML page) | |
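The following added example (not Bosch code) lets you check the same thing from a Python client before the cut-over: it builds a client context that mirrors the announced policy, using the hex IDs from the cipher-suite table above, reports which of those suites your local OpenSSL build can offer, and optionally probes an endpoint, classifying HTTP 200 and 405 as success as in the response table. The host, port and timeout parameters are assumptions of the example.

```python
import socket
import ssl

# IANA hex IDs of the seven suites in the announcement's table (constructed from it).
ALLOWED_SUITE_IDS = {0xC030, 0xC02F, 0xCCA8, 0xC028, 0xC014, 0xC027, 0xC013}
# HTTP statuses the announcement's response table counts as a working connection.
OK_STATUSES = {200, 405}


def build_policy_context() -> ssl.SSLContext:
    """Client context mirroring the future policy: TLS 1.2 minimum and, for TLS 1.2,
    only the announced suites (TLS 1.3 suites are set separately by OpenSSL and stay on)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # get_ciphers() ids carry a 0x0300 prefix; the low 16 bits are the IANA value.
    names = [c["name"] for c in ctx.get_ciphers()
             if c["id"] & 0xFFFF in ALLOWED_SUITE_IDS]
    if not names:
        raise RuntimeError("local OpenSSL offers none of the announced suites")
    ctx.set_ciphers(":".join(names))
    return ctx


def available_allowed_ids() -> set:
    """Announced suites this Python/OpenSSL build can actually offer."""
    return {c["id"] & 0xFFFF for c in build_policy_context().get_ciphers()
            if c["id"] & 0xFFFF in ALLOWED_SUITE_IDS}


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake under the policy, send a minimal GET and classify the result.
    A failed handshake here is what curl reports as 'alert handshake failure'."""
    ctx = build_policy_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, version, bits = tls.cipher()
                tls.sendall(b"GET / HTTP/1.1\r\nHost: " + host.encode()
                            + b"\r\nConnection: close\r\n\r\n")
                status = int(tls.recv(64).split(b" ")[1])
    except (ssl.SSLError, OSError, ValueError, IndexError) as exc:
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}
    return {"ok": status in OK_STATUSES, "version": version,
            "cipher": name, "bits": bits, "status": status}


if __name__ == "__main__":
    print(sorted(hex(i) for i in available_allowed_ids()))
    print(probe("www.tlscheck-bosch-iot-insights.com"))
```

If `available_allowed_ids()` lacks the suites you expect, the limitation is in the local OpenSSL build or its security level, not in the endpoint.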
If you have any further questions, do not hesitate to contact us.