WARNING: The TrackAbout MetaWiki has been deprecated and is no longer being updated. Please visit our new TrackAbout Knowledge Base at https://supportkb.trackabout.com for the most-up-to-date documentation on TrackAbout and TrackAbout Mobile.

Critical Announcement: TrackAbout End of Life for TLS 1.0 and TLS 1.1

From TrackAbout MetaWiki

ACTION MAY BE REQUIRED by your IT department or TrackAbout administrators or aspects of TrackAbout may stop working for you.

Please make sure to forward this message to the appropriate people.

TrackAbout intends to permanently disable the insecure TLS 1.0 and 1.1 protocols in the near future. We are providing our customers with ample time and environments to test against to ensure a smooth transition.

Key Dates

Jun-16 - Production Environment - First 24-Hour Test

We shall perform a 24-hour environment change in Production at 10:00 AM Eastern US Time.

If you have not updated your systems as explained below, your company may not be able to use TrackAbout at this time.

Jun-23 - Production Environment - Second 24-Hour Test

We shall perform a second 24-hour environment change in Production at 10:00 AM Eastern US Time.

If you have not updated your systems as explained below, your company may not be able to use TrackAbout at this time.

Jun-30 - Production Environment - Permanent Change

The Production environment permanent change shall be made at 10:00 AM Eastern US Time.

If you have not updated your systems as explained below, your company may not be able to use TrackAbout after this time.

Testing Environments

QA Environment Available To All, Effective Immediately

We have a QA environment that is already configured with TLS 1.2 only.

You may test basic TLS 1.2 connectivity against this environment.

QA Environment Test Plan
See TLS 1.2 QA Environment Testing.

Customer-Facing Test Environment Available to All

We have created an instance of TrackAbout in our test environment specifically for TLS testing.

We are giving all customers access to this one environment, using the same username and password.

URL: https://test.trackabout.com

Username, password and TAMobile 6 Sync Key have already been communicated in email. If you need a re-send, please request it from support@trackabout.com.

Test Environment Test Plan
See TLS 1.2 Test Environment Testing.

Questions and Answers

What will happen if I do not take action by the deadline?

Computers, software and devices that are not able to negotiate a TLS 1.2 connection will be unable to access TrackAbout at all.

The highest risk platforms are:

  • TAMobile 6 on WinCE and Windows Mobile rugged devices
  • TAMobile 6 on Windows Desktop
  • ERP and other production systems that talk to TrackAbout via web services.

Near-zero risk:

  • TAMobile 7 on iOS
  • TAMobile 7 on Android with Android greater than 4.3
  • Web browsers, provided you are up-to-date (both computer operating system and browser version)

How does this impact TAMobile 6 running on Windows CE or Windows Mobile devices?

TrackAbout will be upgrading all customers to a version of TAMobile 6 that supports TLS 1.2 automatically. Versions 6.0.316.x and greater have this support. For example, if you are on 6.0.317 or 6.0.318 you will be fine.

Shortly after you receive this message, the TrackAbout Support department will begin pushing out automatic updates for TAMobile 6. Your devices will prompt users to upgrade upon their next sync.

You may advise your users to delay the update until they are on-site.

What is the impact on TAMobile 6 Desktop, which is deployed using Click-Once technology on Windows Desktop PCs?

In our testing, we have learned that machines running Windows 8.0 (that have not been updated to Windows 8.1) are unable to download, install or auto-upgrade TAMobile 6 Desktop after we disabled TLS 1.0 and TLS 1.1.

TAMobile 6 Desktop depends on a specific version of the Microsoft .NET Framework Runtime to be installed.

The minimum version that must be installed is .NET Framework Runtime 4.6.2.

The preferred and current version is .NET Framework Runtime 4.8 (download here).

.NET Framework 4.8 will not install on all versions of Windows, especially those that are no longer in mainstream support, like Windows 8.0. It should install on Windows 7 SP1, Windows 8.1 and Windows 10 assuming those operating systems are up-to-date on all service packs and cumulative updates.

To determine what version of Windows you are running, follow Microsoft's instructions.

Recommendation 1: If you have a Windows 8.0 PC, update it to Windows 8.1.

Recommendation 2: Make sure your Windows PC is fully up-to-date with the latest operating system Windows Updates. Unpatched Windows PCs may not have the necessary support for TLS 1.2.

Recommendation 3: All users of TAMobile 6 Desktop should install or upgrade to .NET Framework Runtime 4.8.

Recommendation 4: Finally, you must modify registry settings on your Windows PC to enable TAMobile 6 Desktop to use TLS 1.2.

These registry changes are for Windows Desktop PCs ONLY, not for rugged handhelds.

These registry changes instruct .NET applications running on .NET Framework versions 2.0 and 4.0 to use TLS 1.2.

You can modify the registry either directly on the installed PCs, or via Group Policy.

As always, when making registry changes, back up the sections being modified so you may restore if things go wrong.

Always test changes in a non-production environment.

To modify PCs manually, save the following text to a file named tls-upgrade.reg (or anything-you-want.reg) and copy it to each PC where you run TAMobile 6 Desktop. Double-click the .reg file (requires administrator elevation) and accept the changes.

These changes can also be deployed using Active Directory Group Policy.

Reboot is not necessary following this registry change. Merely restart TAMobile 6 Desktop.

In case you need to roll back these changes (in the event they interfere with other installed applications), you may delete these four keys from the registry.

tls-upgrade.reg for Windows Desktop PCs ONLY

To create the registry keys, the following text can be placed in a .reg file and executed on a Windows computer using Administrator privileges.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

tls-upgrade.ps1 for Windows Desktop PCs ONLY

As an alternative to the .reg script, the following PowerShell script can be placed in a .ps1 file and executed on a Windows computer using Administrator privileges.

# Each value is created as a REG_DWORD of 1. -Force overwrites a value that already exists,
# so the script can be re-run safely instead of failing with "The property already exists".
New-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force

New-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force

New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 -Name SchUseStrongCrypto -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force

tls-downgrade.ps1 for Windows Desktop PCs ONLY

To remove the registry keys, the following PowerShell script can be placed in a .ps1 file and executed on a Windows computer using Administrator privileges.

Remove-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 -Name SchUseStrongCrypto
Remove-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 -Name SystemDefaultTlsVersions

Remove-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 -Name SchUseStrongCrypto
Remove-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 -Name SystemDefaultTlsVersions

Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 -Name SystemDefaultTlsVersions
Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 -Name SchUseStrongCrypto

Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 -Name SchUseStrongCrypto
Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 -Name SystemDefaultTlsVersions

Get-TlsSettings.ps1 for Windows Desktop PCs ONLY

To read back the current values, the following PowerShell script can be run on a Windows computer. An error for a given name means that value has not been created.

# Each value should report 1 after tls-upgrade.reg or tls-upgrade.ps1 has been applied.
Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 -Name SchUseStrongCrypto
Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727 -Name SystemDefaultTlsVersions

Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 -Name SchUseStrongCrypto
Get-ItemProperty -Path HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319 -Name SystemDefaultTlsVersions

Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 -Name SystemDefaultTlsVersions
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727 -Name SchUseStrongCrypto

Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 -Name SchUseStrongCrypto
Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 -Name SystemDefaultTlsVersions
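The following PowerShell script is an added example, not one of TrackAbout's own scripts: it audits the eight registry values from tls-upgrade.reg against the expected value of 1, then performs a TLS 1.2-only handshake against the customer-facing test environment (test.trackabout.com) and reports the negotiated protocol and cipher. It assumes Windows PowerShell 5.1, which itself runs on the .NET Framework 4.x runtime and therefore honours the same registry values as TAMobile 6 Desktop.

```powershell
# Added example (not a TrackAbout script). Assumes Windows PowerShell 5.1 on the
# .NET Framework 4.x runtime, so the registry values below apply to it as well.
$paths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
)
$names = 'SystemDefaultTlsVersions', 'SchUseStrongCrypto'

function Test-TlsRegistry {
    # Returns $true only when all eight values exist and equal 1.
    # (On 32-bit Windows the WOW6432Node keys do not exist and will show as missing.)
    $ok = $true
    foreach ($p in $paths) {
        foreach ($n in $names) {
            $v = (Get-ItemProperty -Path $p -Name $n -ErrorAction SilentlyContinue).$n
            if ($v -eq 1) { Write-Host "OK      $p\$n = 1" }
            else { $ok = $false; Write-Host "MISSING $p\$n (expected 1, found '$v')" }
        }
    }
    return $ok
}

function Test-Tls12Handshake([string]$HostName, [int]$Port = 443) {
    # Offers TLS 1.2 only, so a failure means this host or the server cannot
    # negotiate TLS 1.2, which is exactly what the cut-over tests.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Server certificate validation is left enabled; never disable it for a test.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        Write-Host ("Negotiated {0} with cipher {1} ({2}-bit)" -f $ssl.SslProtocol, $ssl.CipherAlgorithm, $ssl.CipherStrength)
        return $true
    } catch {
        Write-Host "TLS 1.2 handshake to ${HostName}:$Port FAILED: $($_.Exception.Message)"
        return $false
    } finally {
        $tcp.Close()
    }
}

$regOk = Test-TlsRegistry
$tlsOk = Test-Tls12Handshake -HostName 'test.trackabout.com'
if ($regOk -and $tlsOk) { 'Ready for the TLS 1.2-only cut-over.' } else { 'Action required before the cut-over.' }
```

Run it from an elevated Windows PowerShell prompt on each PC that runs TAMobile 6 Desktop; a MISSING line or a FAILED handshake identifies which of Recommendations 2 to 4 above still needs attention.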

What is the impact on my ERP (or other) system that connects to TrackAbout via web services or REST API endpoints?

All systems connecting to TrackAbout must be updated such that the operating systems and client libraries involved in web service communication support TLS 1.2.

Some of our customers have had success using Stunnel as a middle-man in the connection between old systems and TrackAbout. Stunnel is available on all operating systems.

The following stunnel.conf has worked for these customers:

debug = 7
output = /apps/stunnel/5.35/log/stunnel-trackabout.log
fips = no
sslVersion = TLSv1.2

[trackabout-prod]
client = yes
accept = 127.0.0.1:8080
connect = www.trackabout.com:443
sni = www.trackabout.com
; Set TIMEOUTclose when running on Windows only
TIMEOUTclose = 0

[trackabout-test]
client = yes
accept = 127.0.0.1:8081
connect = test.trackabout.com:443
sni = test.trackabout.com
; Set TIMEOUTclose when running on Windows only
TIMEOUTclose = 0

Using this stunnel configuration, you must change the connecting client to talk to TrackAbout Production using 127.0.0.1:8080 and TrackAbout Test on 127.0.0.1:8081. Note that the configuration above does not enable verification of the server's certificate chain (stunnel's verifyChain and CAfile options); since the client now speaks plain HTTP to the local listener, stunnel is the only place where that check can happen, so consult the stunnel documentation for those options before using this in production.

How can I tell if my web browser supports TLS 1.2?

If you are using a modern web browser such as Microsoft Edge, IE11, Chrome, Firefox or Safari and keeping up with updates, you will be fine. You may test your browser using the SSL Labs browser test here: https://www.ssllabs.com/ssltest/viewMyClient.html. Confirm that there is a "Yes" next to TLS 1.2 in the "Protocol Features" section.

The following systems are known to be unable to use TLS 1.2. Update these to ensure uninterrupted access to the service.

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Safari 6.0.4/OS X 10.8.4 and earlier versions

What is the impact on TAMobile 7 on iOS and Android?

We anticipate no impact. These modern devices will not be impacted by the change, provided you are running on a supported version of the Android or iOS operating system. See our Version Support Policy for iOS and our Version Support Policy for Android.

What is TLS and what does it have to do with TrackAbout?

Whenever your browser or smartphone app connects to a web site using the "https://" prefix instead of "http://", you are using Transport Layer Security. It provides the encryption that protects your data. A very old version of this was called "SSL". SSL is no longer in use.

All data transfer to and from TrackAbout uses HTTPS and TLS encryption.

Why are you disabling TLS 1.0 and 1.1?

To keep our customers' data safe, we are following modern industry security practices and removing support for very old versions of TLS.

TLS 1.0 and 1.1 are 21 and 14 years old, respectively. They are out-of-date protocols that do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers. The Internet Engineering Task Force is planning to officially deprecate both protocols. In addition, the vast majority of encrypted Internet traffic is now over TLS 1.2, which was introduced over a decade ago.

Why now?

The software industry is working to remove support for TLS 1.0 and 1.1 in this time-frame. Google, Microsoft, Apple, and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020. As of June 2020, Office 365 will begin disabling TLS 1.0 and 1.1.

Windows CE and Windows Mobile devices are unsupported. What can we do?

Windows CE and Windows Mobile rugged handheld operating systems are discontinued and no longer supported by Microsoft. They are not receiving any more operating system updates.

The root certificates on these devices are no longer being updated, and therefore these devices will be unable to connect to systems with newer certificates.

TrackAbout understands our customers wish to continue using Windows CE and Windows Mobile devices for as long as possible to maximize their investment. We all recognize that Microsoft no longer supports these operating systems.

As a result, TrackAbout is actively working to migrate all customers to TAMobile 7 on Android and iOS as quickly as possible.

Over a year ago, anticipating these problems, TrackAbout integrated a commercial third-party component into TAMobile 6 that replaces the network security layer. It adds support for TLS 1.2 and more modern encryption ciphers. We have had customers testing it for months.

We have also adjusted security policy within the TAMobile 6 application to continue enabling the validation of certificates using a method called "certificate pinning". This is a method whereby TAMobile 6 knows the certificates expected to be sent from the server, and knows to trust them. While this will allow our customers to limp along on unsupported hardware a little longer, the correct move is to adopt TAMobile 7 on Android and iOS devices.

TrackAbout is continually adding features to TAMobile 7 to achieve feature parity with TAMobile 6. You should explore whether your company can migrate to TAMobile 7 today. Please contact support@trackabout.com to request a consultation.