TLS 1.0 and 1.1 support for Insight solutions End-of-Life announcement
Beginning November 4th, 2019, Rapid7 will disable the TLS 1.0 and TLS 1.1 encryption protocols across all of our Insight Cloud products, including:
- InsightVM, including on-premises Security Console and cloud features
- InsightIDR
- InsightAppSec
- InsightOps
- InsightConnect
- tCell
- Logentries
Rapid7 Will Disable TLS 1.0 and 1.1
Rapid7 will disable the TLS 1.0 and TLS 1.1 encryption protocols used for encryption-in-transit for all public Insight Cloud endpoints, including https://insight.rapid7.com/. Only TLS 1.2 will be supported.
Impact
Any inbound connections to the Rapid7 Insight Cloud Platform that rely on TLS 1.0 or TLS 1.1 will fail. Only TLS 1.2 will be supported. This includes connections from web browsers and API clients.
Recent web browsers will most likely be unaffected. TLS 1.2 is supported by every major browser released since 2014.
Impact on InsightVM Security Console API
If you use the InsightVM Security Console API, you will need to ensure that your integration supports TLS 1.2. Java 8+ and .NET 4.6+ support TLS 1.2 by default.
Things You Need to Do
For the majority of customers, no action is necessary. However, if you have older components, you may need to upgrade. Please review the next section for specific details.
Update Older Versions of InsightOps Agents
If you are an InsightOps user and you use the Insight Agent to collect logs, you need to ensure you have agent version 2.0.1.9 (1541539423) or newer installed. This version was released November 8, 2018. Starting December 4, 2019, agents older than 2.0.1.9 will no longer be able to send logs to InsightOps.
Test for Impact
To test your connection, you can connect to one of our TLS 1.2 endpoints, https://data.insight.rapid7.com. If the connection is successful, you’ll see a "Success!" message. If your client does not support TLS 1.2, you’ll receive an error message from your client.
Timeline of Events for Insight Solutions
Date | Solution | Event |
---|---|---|
October 25, 2019 | Rapid7 Customer Portal | Rapid7’s customer support portal will migrate to TLS 1.2 on October 25. For more details please see Salesforce’s documentation on the TLS 1.2 change. |
November 4, 2019 | InsightVM, including on-premises Security Console and cloud features | https://insight.rapid7.com and other public cloud endpoints will start disabling TLS 1.0 and TLS 1.1. This process will complete for all products and customers by December 4, 2019. |
November 4, 2019 | Logentries | The Logentries user interface will start disabling TLS 1.0 and TLS 1.1. |
November 13, 2019 | InsightVM Console and Nexpose Console | The November 13th Security Console weekly update will contain a change to the default TLS protocols. The Security Console will only be available via TLS 1.2 once this update is applied. |
N/A | Metasploit | The Metasploit on-premises console has only supported TLS 1.2 since April 2017. |
Allow TLS 1.0 and 1.1 on InsightVM Security Console
If you are an InsightVM or Nexpose user who still needs support for TLS 1.0 or TLS 1.1 on your Security Consoles, you can enable this via a custom property. Get more details on how to configure HTTPS options.
To allow TLS 1.0/1.1 on the Security Console, follow these steps:
- Stop the Nexpose service.
- In your Security Console, go to the [installation path]/nsc/ directory.
- Find the CustomEnvironment.properties file. If this file does not exist, you must create it. The filename and extension are case sensitive.
- Open the file and add the following line:
  com.rapid7.nexpose.nsc.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
- Save the file.
- Restart the Nexpose service.
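
Because this override re-enables the protocols the rest of this announcement retires, it is worth tracking which consoles still carry it. The following is an added example, not Rapid7 code: a Python check that reads a CustomEnvironment.properties file and reports whether the property from the steps above lists TLSv1 or TLSv1.1. The function names and sample text are constructed for illustration, and treating a missing file or property as "no override" is an assumption.

```python
import re
import sys
from pathlib import Path

PROPERTY = "com.rapid7.nexpose.nsc.sslEnabledProtocols"  # key from the page
LEGACY = {"TLSv1", "TLSv1.1"}  # the protocol names the announcement retires

def parse_properties(text):
    """Read simple Java .properties text: '#'/'!' comments, '=' or ':'
    separators, last occurrence of a key wins. Backslash line
    continuations and escaped separators are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1] if len(parts) > 1 else ""
    return props

def legacy_protocols(text):
    """Return the legacy protocols the override enables, sorted; [] if none."""
    value = parse_properties(text).get(PROPERTY)
    if value is None:
        return []  # assumption: no override means the console default applies
    enabled = {p.strip() for p in value.split(",") if p.strip()}
    return sorted(enabled & LEGACY)

def audit(path):
    """Audit one CustomEnvironment.properties file; a missing file has no override."""
    p = Path(path)
    if not p.is_file():
        return []
    return legacy_protocols(p.read_text(encoding="utf-8", errors="replace"))

SAMPLE = """\
# constructed sample, not taken from a real console
#com.rapid7.nexpose.nsc.sslEnabledProtocols=TLSv1.2
com.rapid7.nexpose.nsc.sslEnabledProtocols = TLSv1, TLSv1.1,TLSv1.2
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        found = audit(path)
        print(f"{path}: legacy TLS enabled: {', '.join(found) or 'none'}")
```

Run it with the path to each console's CustomEnvironment.properties file as an argument; a result other than "none" marks a console that still accepts TLS 1.0 or 1.1.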