23/12/2015: This release went live on 23rd December at 10 am without any customer impact reported.
In order to be up to date with the latest security recommendations, we’ve taken the necessary steps to improve our SSL settings. In the majority of cases these changes will be seamless however in our experience, such changes can cause issues with older systems that do not support the latest algorithms etc. To avoid any downtime we’ve taken the decision to schedule these changes and give customers advance notice wherever possible. In addition we’ve created a fully live test system to allow customers verify the proposed SSL settings will work with their clients before we implement them. In addition, our support team is always on hand to assist customers with any technical queries, you may contact them at support at cartell dot ie.
- Disable RC4 cipher suite – Reason: RC4 was used to mitigate the BEAST attack on TLS 1.0 and CBC suites, so it quickly got momentum in being adopted as a security measure. Unfortunately, significant exploits on have been possible on RC4, rendering it weak, with support for it being dropped.
- Disable SSLv3 – Reason: Due to attacks such as the POODLE attack browser support for SSLV3 has been disabled by many vendors.
- Reissue current HTTPS certificate with SHA256 signature and SHA256 CA intermediaries. Requires Symantec Class 3 Secure Server CA – G4. See CA Intermediaries error. Reason: Older 128 bit keys are now considered weak and should be replaced.
Cartell SSL Test Service (23/12/2015 Disabled)
We have configured a new SSL endpoint so these upcoming changes can be tested. This machine has the following configuration:
- SSLv3 disabled
- HTTPS certificate is reissued and makes use of a new CA cert
- SSL cipher list has been updated to include improved ciphers.
In order to test, on test systems you will need to update your hosts file to include a manual entry for www.cartell.ie. The IP for this entry can be determined by pinging ssltest.cartell.ie.
Please note: Do not use this endpoint in production. The test machine is available only from Monday to Friday, between 09:00-18:00, and changes its IP address every day. It is required to ping ssltest.cartell.ie every day in order to get the updated IP address.
Common SSL Issues
The following issues have been reported to us from customers using legacy Java systems.
DH Keypair
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.lang.RuntimeException: Could not generate DH keypair
Caused by: java.security.InvalidAlgorithmParameterException: Prime size must be multiple of 64, and can only range from 512 to 1024 (inclusive)
Explanation: In older java clients, values larger than 1024 bits for the DH keypair are not supported.
Solution We are currently forcing it on our side to 1024 bits. This may change in a future update.
CA Intermediaries
IO Error when comunicating with cartell sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Explanation: There is a missing or invalid CA certificate from your local Trusted CA Store.
Solution Download and install Symantec Class 3 Secure Server CA – G4, Secondary Intermediate CA