Apigee deprecating TLS 1.0 and 1.1 - prod and non-prod query

We received a communication saying that Apigee is deprecating TLS 1.0 and 1.1 for Apigee Edge on June 18. Is this change of deprecating TLS 1.0 and 1.1 implemented in Apigee's non-prod environments? We have consumer applications connecting to proxies in Edge whose owners are not aware whether their applications use TLS 1.1 or 1.2. If TLS 1.0/1.1 is already deprecated in non-prod (test env), they would like to test their applications in the test environment to see if they still work.


The notification is for Apigee Cloud only. Are you referring to on-prem edge?

@Naveen Gupta I'm asking about Apigee Edge SaaS on public cloud, not on-prem Edge.

It sounds like you want to do what I did, which is to update your non-production environment's Virtual Host so that it only accepts TLSv1.2, and then when those apps test in non-prod, you will know if they work or not.

Here's how I did it:

First, on my laptop, I used the command "openssl ciphers TLSv1.2". The output of this command shows a colon-delimited list of ciphers that are valid in TLSv1.2.

Next I used postman to call the Apigee Management APIs to get the details for my non-production environment's virtual host.

The curl command to get your virtual hosts will look similar to this:

```
curl -X GET https://api.enterprise.apigee.com/v1/organizations/{ORG}/environments/{ENV}/virtualhosts/{virtualHos...
```

Now that you have your current definition, you can copy it and use the management API to POST back to the same endpoint, but include an additional property to restrict the ciphers.

In my case, the format for the new property is exactly like this:

```
"properties": {
  "property": [
    {
      "name": "ssl_ciphers",
      "value": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256"
    }
  ]
}
```

Now that my virtual host is only accepting TLSv1.2, I was able to confirm my change works by using a cURL command like this:

```
curl -X GET https://{myDevURL}/foo --tlsv1.1
```

The output for this shows "curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure", so I know that it is not accepting TLSv1.1. You can do the same test with "--tlsv1.0" and you should get the same result.

For reference, here is a link to Apigee's docs on virtual host properties:

https://docs.apigee.com/api-platform/fundamentals/virtual-host-property-reference
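A small helper, added here as an example and not part of the answer above or of Apigee's tooling, that turns the raw `openssl ciphers TLSv1.2` output into the `ssl_ciphers` property shape shown above while dropping the suites a reviewer would flag: `NULL-*` (no encryption) and `ADH-*`/`AECDH-*` (no server authentication), both of which appear in the raw list; it optionally goes further than the post and also drops suites without forward secrecy (static RSA, `DH-`, `ECDH-`). The sample string is a constructed, shortened version of the list in the post.

```python
import json
import re

# Constructed sample: a shortened slice of the `openssl ciphers TLSv1.2`
# output quoted in the post, keeping one suite of each interesting kind.
SAMPLE_OPENSSL_OUTPUT = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:"
    "ECDH-ECDSA-AES128-SHA256:ADH-AES256-GCM-SHA384:"
    "AES128-GCM-SHA256:NULL-SHA256"
)

# No encryption at all (eNULL in OpenSSL terms).
_NO_ENCRYPTION = re.compile(r"(^|-)NULL-")
# Anonymous (EC)DH: no server certificate, so no authentication (aNULL).
_ANONYMOUS = re.compile(r"^(ADH|AECDH)-")
# Static key exchange (RSA, DH-, ECDH-): no forward secrecy.
_NO_PFS = re.compile(r"^(DH-|ECDH-|AES|CAMELLIA)")


def parse_cipher_string(raw: str) -> list[str]:
    """Split the colon-delimited cipher list printed by `openssl ciphers`."""
    return [c.strip() for c in raw.strip().split(":") if c.strip()]


def audit_cipher_string(raw: str) -> list[str]:
    """Return the suites that must not be offered by any virtual host."""
    return [s for s in parse_cipher_string(raw)
            if _NO_ENCRYPTION.search(s) or _ANONYMOUS.match(s)]


def harden_cipher_list(raw: str, require_pfs: bool = True) -> list[str]:
    """Drop NULL and anonymous suites; optionally keep only forward-secret ones."""
    kept = []
    for suite in parse_cipher_string(raw):
        if _NO_ENCRYPTION.search(suite) or _ANONYMOUS.match(suite):
            continue
        if require_pfs and _NO_PFS.match(suite):
            continue
        kept.append(suite)
    return kept


def build_virtualhost_properties(ciphers: list[str]) -> dict:
    """Build the `properties` object in the shape the post uses for ssl_ciphers."""
    prop = {"name": "ssl_ciphers", "value": ":".join(ciphers)}
    return {"properties": {"property": [prop]}}


def to_json(body: dict) -> str:
    """Serialise the property object for pasting into the virtual host POST."""
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    print("flagged:", audit_cipher_string(SAMPLE_OPENSSL_OUTPUT))
    print(to_json(build_virtualhost_properties(
        harden_cipher_list(SAMPLE_OPENSSL_OUTPUT))))
```

Merge the emitted `properties` object into the virtual host definition you fetched, then re-run the `--tlsv1.1` / `--tlsv1.0` curl checks from the post to confirm the host rejects them.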

@Mark Hammelman - thanks much for your answer. However, I was not able to run the openssl command to get the list of ciphers valid for TLSv1.2. Below are my outputs:

```
S283669:~$ openssl ciphers -tls1.2
Error in cipher list
6196:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/ssl_lib.c:1223:
S283669:~$ openssl ciphers -tls2
Error in cipher list
6197:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/ssl_lib.c:1223:
```

`openssl ciphers -tls1` gives a list of ciphers, but then the docs at openssl.org say "This lists ciphers compatible with any of SSLv3, TLSv1, TLSv1.1 or TLSv1.2.", so I couldn't be sure.

FYI - the deprecation has been postponed by Apigee for now. I also found out that if you open a case with Apigee they can give you a list of all proxies, IPs and request basepaths that are using protocol < TLSv1.2 for a given period.

However, your method is much more interesting and self-sufficient, so I'd highly appreciate it if you could possibly tell me of any reasons why I might be having the error.

Hi @sushobhanmondal,

@Mark Hammelman's answer about SSL worked fine for me, so perhaps your OpenSSL isn't installed correctly or you typed it wrong? Just ensure you are typing it verbatim.

first type "openssl" and hit enter

then type "ciphers TLSv1.2" and hit enter

only type the text above, not the quotes. The result for me is:

```
ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:CAMELLIA128-SHA256:NULL-SHA256
```

Hi @sushobhanmondal, I see you typed the openssl command wrong. The command I gave is correct.

Correct = "openssl ciphers TLSv1.2".

You typed "openssl ciphers -tls1.2".