Channel: arcOrama

ArcGIS Online moves to TLS 1.2: the impact on your ArcGIS applications

SSL and TLS are two cryptographic protocols that provide authentication and encryption for data travelling between servers, machines and networked applications (notably when a client connects to a web server over "https"). SSL is the predecessor of TLS. Over time, new versions of these protocols have appeared to address vulnerabilities and to support ever stronger, ever more secure cipher suites and encryption algorithms. Since the discovery of the POODLE vulnerability in 2014, SSL version 3 has been called into question as a security protocol, and Esri has evolved its support for both SSL and TLS to ensure the best security options are chosen when deploying the ArcGIS platform in your organization. Today, in 2018, regulatory and compliance bodies such as NIST, PCI and FedRAMP have deprecated the TLS 1.0 standard and, after TLS 1.1 saw little use, TLS 1.2 is now the recommended protocol. Version 1.3 of the TLS specification was approved in August 2018, but its implementation by the major cloud platforms (and by ArcGIS Online) is still premature.

To align with the best practices of cloud computing platforms and to offer its users the best level of security, Esri has decided to update the secure access protocol of ArcGIS Online and to move to TLS 1.2 shortly. This change will take place in the December 2018 update (planned for the night of 4-5 December).

ArcGIS Online is requiring an upgrade to TLS 1.2 only with the December 2018 release in order to align with industry best practices for security and data integrity. Action is required prior to this date to prevent any disruption to your production instance. Be sure to transition your environment to support TLS 1.2 and higher as soon as possible by reviewing the below material. General TLS/SSL architecture guidance for our products is provided later in this document. This document is updated as new information becomes available.

What is TLS and the impact of deprecating versions 1.0 & 1.1

TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS, to date, are TLS 1.0, 1.1, 1.2, and 1.3. The spec for TLS 1.3 was approved August 2018 and is therefore not available yet from most cloud infrastructure providers nor Esri’s Online services.

The ArcGIS platform web and API connections use TLS as a key component of their security. HTTPS (web) uses TLS as a key component of its security. After ArcGIS Online upgrades to TLS 1.2 only, any inbound or outbound connections from your ArcGIS Online organization that rely on either TLS 1.0 or 1.1 will fail. The action required by your organization will depend on which clients and their versions are used to access your ArcGIS Online org as described below.

Clients Requiring Update/Fixes to Support TLS 1.2

Esri Products
• ArcGIS Desktop – 10.6 and earlier (patch or registry entry needed)
• ArcScene, ArcCatalog – 10.6.1 and earlier (registry entry needed)
• Portal for ArcGIS – 10.3.1 and below (upgrade to newer version)
• Operations Dashboard Windows App – (registry entry needed)
• See the Resolution Details section below for details if applicable

Other Clients

Old Browsers
• Firefox version 5.0 and earlier versions
• Internet Explorer 8-10 on Windows 7 and earlier versions
• Internet Explorer 10 on Win Phone 8.0
• Safari 6.0.4/OS X 10.8.4 and earlier versions

Old Mobile Devices
• Android 4.3 and earlier versions
• ArcPad using Mobile/CE 6.5 and earlier (CE v.7 patch for TLS 1.2)

Custom/3rd Party Scripts/Tools using Old Frameworks or old OS
• Oracle Java 1.6 and earlier versions
• .NET 3.5 and earlier versions
• Python 2.7.8 and earlier versions
• OpenSSL 1.0.0 and earlier versions
• Windows 2008 / Vista and earlier versions
• Additional details may be found in the API Integration section of this doc
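
Added example (not from the Esri document or the original post): for the custom scripts listed above, this Python code builds the local runtime's ClientHello in memory and parses which TLS versions it offers, so a script host can be checked before the cutover without contacting ArcGIS Online. It assumes Python 3.7 or later; the function names, the `example.invalid` hostname and the constructed `LEGACY_HELLO` sample are illustrative.

```python
import ssl
import struct

TLS12 = 0x0303  # wire value for TLS 1.2 (TLS 1.0 = 0x0301, 1.1 = 0x0302, 1.3 = 0x0304)
KNOWN = {0x0300, 0x0301, 0x0302, 0x0303, 0x0304}

# Constructed sample: minimal ClientHello from a TLS 1.0-only client (no extensions).
_BODY = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
LEGACY_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_BODY) + 4)
                + b"\x01" + len(_BODY).to_bytes(3, "big") + _BODY)

def local_client_hello(min_version=ssl.TLSVersion.TLSv1_2):
    """Build this runtime's ClientHello in memory; nothing touches the network."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = min_version          # refuse TLS 1.0/1.1 on the client side
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                   # expected: client now waits for ServerHello
    return outgoing.read()

def offered_versions(hello):
    """Return the set of protocol versions a ClientHello record offers."""
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 9                                    # 5-byte record + 4-byte handshake header
    legacy = struct.unpack_from("!H", hello, pos)[0]
    pos += 2 + 32                              # client_version + random
    pos += 1 + hello[pos]                      # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]   # cipher_suites
    pos += 1 + hello[pos]                      # compression_methods
    if pos + 2 > len(hello):
        return {legacy}                        # no extensions: legacy field is the maximum
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 43:                     # supported_versions (TLS 1.3-capable clients)
            count = hello[pos + 4] // 2
            listed = struct.unpack_from("!%dH" % count, hello, pos + 5)
            return {v for v in listed if v in KNOWN}   # drop GREASE placeholders
        pos += 4 + ext_len
    return {legacy}

def usable_after_cutover(hello):
    """True if the client offers TLS 1.2 or higher, which a TLS 1.2-only server needs."""
    return max(offered_versions(hello)) >= TLS12
```

A ClientHello without the `supported_versions` extension only reveals the client's highest version, so the parser reports that single value for older clients.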

Resolution Details for Esri Products with known TLS 1.2 Issues

ArcGIS Desktop-based Clients
Using the Add Data button to add data from ArcGIS Online or from Portal for ArcGIS fails with an error by default for versions 10.6 and earlier (Add Data and Search function correctly in ArcMap version 10.6.1 and later, but in ArcCatalog and ArcScene, Portal/ArcGIS Online organization search does not). These tools contain components built with the Microsoft .NET Framework. Prior to ArcGIS 10.6.1, this tool was built to target the highest TLS version .NET supported at the time the product was released. The below steps will address TLS issues with ArcGIS Desktop, ArcScene, and ArcCatalog.
The error may read:

Guidance to address TLS issues with ArcGIS Desktop

Step 1 – OS Patch
If your organization is attempting to run an older version of Desktop on older Windows operating system builds, you will need to first install a patch from Microsoft to allow support of TLS 1.2.
• Windows 7 or Windows 2008 R2 Users - Install this patch
• Windows 2012 Users - Install this patch
If your system already has an appropriate patch or newer .NET version in place, you may receive a prompt indicating the update is not applicable, which is fine; proceed to the next step.

Step 2 – Add Windows Registry Entry
a. ArcGIS Desktop 10.4 – 10.6 users - Click here to download, copy and paste the text into Notepad, save the file as ArcMapPost104TLS.reg and then double-click the file to run and deploy it.
b. ArcGIS Desktop 10.2 – 10.3.x users – Click here to download, copy and paste the text into Notepad, save the file as ArcMapPre104TLS.reg and then double-click the file to run and deploy it.
c. Start ArcMap and test.

Notes for Desktop TLS Registry Fix:
1. Older clients - ArcGIS Desktop 10.0 – 10.1 can likely follow the same steps used for 10.2 – 10.3, but upgrading the client is strongly recommended.
2. Fallback option - The registry entries above enable TLS 1.2 as a default for all applications utilizing the relevant .NET version. This is a desired state for most organizations, but if there are any issues, the user can just remove the registry entries.
3. Large deployments - If your organization has a large number of Desktop systems and utilizes Active Directory, the registry entries can be centrally deployed in less than 10 minutes by following the steps here.

ArcGIS Enterprise 10.3.1 and below Known Issues

Some operations in Portal for ArcGIS require Portal to act as a client, by consuming resources provided by an application server like ArcGIS Online.

As mentioned previously, in December 2018, ArcGIS Online is moving toward a pure TLS 1.2 environment. When this occurs, Portal for ArcGIS version 10.3.1 and below will be unable to consume some resources provided by ArcGIS Online.
• Utility services will be affected because Portal will send credentials to ArcGIS Online over https only.
• Print services may be affected. Typically, Portal for ArcGIS uses the Federated ArcGIS Hosting Server's print service (or a print service hosted on a stand-alone ArcGIS Server). However, if the Portal does not reference an external print service, then Portal will use its own built-in print service, which will be affected in Portal 10.3.1 and prior. Users who are using the hosting server's print service will not be affected.
• Stand-alone ArcGIS Servers will be unable to share newly published services to ArcGIS Online through ArcGIS Server Manager in 10.3.1 and prior.
• ArcGIS Online utility services registered with the Portal with saved credentials (potentially including Esri-provided locator services, routing services, print tasks, and geometry services) and other ArcGIS Online hosted web services that have been added as items to the Portal and include saved credentials will be impacted.

Python
• All versions of Python included with the ArcGIS Platform since 10.0 support TLS.
