TLS 1.0 and 1.1 support for Insight solutions End-of-Life announcement

Beginning November 4th, 2019, Rapid7 will disable the TLS 1.0 and TLS 1.1 encryption protocols across all of our Insight Cloud products, including:

  • InsightVM, including on-premises Security Console and cloud features
  • InsightIDR
  • InsightAppSec
  • InsightOps
  • InsightConnect
  • tCell
  • Logentries

Rapid7 Will Disable TLS 1.0 and 1.1

Rapid7 will disable the TLS 1.0 and TLS 1.1 encryption protocols used for encryption-in-transit for all public Insight Cloud endpoints, including https://insight.rapid7.com/. Only TLS 1.2 will be supported.

Impact

Any inbound connections to the Rapid7 Insight Cloud Platform that rely on TLS 1.0 or TLS 1.1 will fail. Only TLS 1.2 will be supported. This includes connections from web browsers and API clients.

Recent web browsers will most likely be unaffected. TLS 1.2 is supported by every major browser released since 2014.

Impact on InsightVM Security Console API

If you use the InsightVM Security Console API, you will need to ensure that your integration supports TLS 1.2. Java 8+ and .NET 4.6+ support TLS 1.2 by default.

Things You Need to Do

For the majority of customers, no action is necessary. However, if you have older components, you may need to upgrade. Please review the next section for specific details.

Update Older Versions of InsightOps Agents

If you are an InsightOps user and you use the Insight Agent to collect logs, you need to ensure you have agent version 2.0.1.9 (1541539423) or newer installed. This version was released November 8, 2018. Starting December 4, 2019, agents older than 2.0.1.9 will no longer be able to send logs to InsightOps.

Test for Impact

To test your connection, you can connect to one of our TLS 1.2 endpoints, https://data.insight.rapid7.com. If the connection is successful you’ll see a “Success!” message. If your client does not support TLS 1.2, you’ll receive an error message from your client.

Timeline of Events for Insight Solutions

| Date | Solution | Event |
|---|---|---|
| October 25, 2019 | Rapid7 Customer Portal | Rapid7’s customer support portal will migrate to TLS 1.2 on October 25. For more details please see Salesforce’s documentation on the TLS 1.2 change. |
| November 4, 2019 | InsightVM, including on-premises Security Console and cloud features; InsightIDR; InsightAppSec; InsightOps; InsightConnect; tCell | https://insight.rapid7.com and other public cloud endpoints will start disabling TLS 1.0 and TLS 1.1. This process will complete for all products and customers by December 4, 2019. |
| November 4, 2019 | Logentries | The Logentries user interface will start disabling TLS 1.0 and TLS 1.1. We are still evaluating when to disable TLS 1.0 and TLS 1.1 for our Logentries ingestion endpoints. |
| November 13, 2019 | InsightVM Console and Nexpose Console | The November 13th Security Console weekly update will contain a change to the default TLS protocols. The Security Console will only be available via TLS 1.2 once this update is applied. If you override the default SSL/TLS protocols via a custom environment property, you will not be impacted. |
| N/A | Metasploit | The Metasploit on-premises console has only supported TLS 1.2 since April 2017. |

Allow TLS 1.0 and 1.1 on InsightVM Security Console

If you are an InsightVM or Nexpose user who still needs support for TLS 1.0 or TLS 1.1 on your Security Consoles, you can enable this via a custom property. Get more details on how to configure HTTPS options.

To allow TLS 1.0/1.1 on the Security Console, follow these steps:

  1. Stop the Nexpose service.
  2. In your Security Console, go to the [installation path]/nsc/ directory.
  3. Find the CustomEnvironment.properties file. If this file does not exist, you must create it. The filename and extension are case sensitive.
  4. Open the file and add the following line:
     com.rapid7.nexpose.nsc.sslEnabledProtocols=TLSv1,TLSv1.1,TLSv1.2
  5. Save the file.
  6. Restart the Nexpose service.
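
Because this override re-enables retired protocols, it is worth auditing consoles for it. The following is an added example, not Rapid7 code: it reads a CustomEnvironment.properties file and reports which legacy protocols the property above turns back on. The function names and sample contents are constructed for illustration, and the reader assumes plain single-line Java .properties syntax (no line continuations or escapes).

```python
import re
import sys

# Property name exactly as given in the steps above.
PROPERTY = "com.rapid7.nexpose.nsc.sslEnabledProtocols"
# The protocol names this announcement retires, spelled as in the property value.
LEGACY = {"TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Minimal .properties reader: skips comments, accepts '=' or ':', last key wins."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank line or comment
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        props[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return props


def legacy_protocols_enabled(text):
    """Return the sorted legacy protocols the override enables ([] if none or unset)."""
    value = parse_properties(text).get(PROPERTY)
    if value is None:
        return []  # no override present: the console default applies
    enabled = {p.strip() for p in value.split(",") if p.strip()}
    return sorted(enabled & LEGACY)


# Constructed sample inputs, not taken from a real console.
SAMPLE_OVERRIDE = """\
# constructed sample CustomEnvironment.properties
com.rapid7.nexpose.nsc.sslEnabledProtocols = TLSv1, TLSv1.1,TLSv1.2
"""
SAMPLE_STRICT = "com.rapid7.nexpose.nsc.sslEnabledProtocols=TLSv1.2\n"

if __name__ == "__main__":
    # Pass the path to a CustomEnvironment.properties file, or run with no
    # arguments to check the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OVERRIDE
    found = legacy_protocols_enabled(text)
    print("legacy protocols enabled:", ", ".join(found) or "none")
```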