What are the SSL changes in V 14.4.12 and how does that affect me?

Votes: 0

In version 14.4.12.x we have implemented many changes regarding SSL encryption. This article explains these changes and their effects.

poodle prtg ssl tls

Created on Oct 17, 2014 2:18:00 PM by  Dirk Paessler [Founder Paessler AG] (10,835) 3 4

Last change on Oct 17, 2014 2:30:25 PM by  Dirk Paessler [Founder Paessler AG] (10,835) 3 4



10 Replies

Accepted Answer

Votes: 2

This article applies to PRTG Network Monitor 14.4.12 or later

Quick Overview

This update contains SSL security fixes that will affect your work with PRTG. Version 14.4.12 is the most secure PRTG ever built, including a fix for the recent POODLE problem. But this tightened security has side effects. Most notably, all your Enterprise Console installations on client machines will need to be updated manually. Also, some SSL-based sensors and notifications may be affected by substantial changes in our SSL code.

What does the world need to do?

Less than 1% of worldwide SSL traffic is still using SSL V3, mostly from old, outdated browsers; the bad-guy IE6 is the most used one of this bad bunch. Because of this 1%, most websites still offered SSL V3, until now. The general recommendation is to completely discontinue offering SSL V3 on the server side. Most (well-managed) websites have disabled or will disable this protocol very quickly. IE6-ish Methuselah browsers will finally be kicked out of the Internet (Hooray!)

What are we doing for PRTG?

PRTG uses SSL for various connections

  • Webserver <> Client (web-browser, Enterprise Console, mobiles, API consumers)
  • Core <> Probe (Remote Probe connections are affected, local probe is safe)
  • Core <> Core (Cluster feature)
  • Various sensors (but in most cases PRTG is the "client")

This version will also contain massive changes for the way we use SSL inside PRTG, so this will be the most secure PRTG ever made.

  • Due to POODLE we are not using SSL V3 any more
  • We are including a new SSL default certificate with 2048 bits
  • We have implemented TLS 1.2 with Forward Secrecy, and made this mandatory for all connections
  • Please see the article What security features does PRTG include? for details about elliptic curve and ciphers.

These changes will effectively lock out some really OLD browsers from the WebGUI (Android 2.3, IE6/7/8 on XP, and API access with OpenSSL 0.9.x) and break connections to the EC.

Side Effects

When you update to V 14.4.12 from any previous version of PRTG you will (or may) run into the following side effects of the tightened security:

  • Remote Probes: After PRTG has been updated all Remote Probes from all previous versions will be able to connect to the new server and download the update automatically.
  • Enterprise Console: After PRTG has been updated no Enterprise Console on client machines will be able to connect and/or download the update automatically. Please update your Enterprise Console on client machines manually!
  • Sensor types: The following sensors are affected by the changes when you use them with encryption.
    Note: When used with an HTTPS URL, the HTTP sensors below now try to connect via any accepted SSL/cipher combination, just as a web browser would do.
    • HTTP
    • HTTP Advanced (with "default" monitoring engine)
    • HTTP Content
    • HTTP Transaction
    • IMAP
    • POP3
    • SMTP
    • SMTP&IMAP Round Trip
    • SMTP&POP3 Round Trip
    • Port
    • SFTP
    • FTP
    • WBEM
  • Notification methods: The following notifications are affected by the changes when you use them with encryption.
    • SMTP (outgoing mail)
    • SMS
    • HTTP
    • Amazon SNS
  • Old browsers: After the update older browsers, for example, IE6 will not be able to access the web interface anymore (except when you set the web server to port 80 without SSL).
  • Old Android versions: After the update, anyone trying to use either the Mobile GUI, or our old and unsupported app "PRTGdroid", on Android 2.3 or lower will no longer be able to connect.
  • No downgrade: Because this update contains a tree version update, it is not possible to downgrade to an earlier version of PRTG (without going back to the old configuration, which PRTG saves automatically every day in the "Configuration Auto-Backups" folder) once you have this version installed.

"Weak security" workaround

If the above mentioned approach is not feasible for your setup, we provide a switch in the webserver settings, which can be used to set the PRTG webserver to "weak security"—this will still allow SSL 3.0 with secure ciphers. Your Enterprise Consoles will then be able to connect to the new server and download the update automatically. Please use this switch only as a temporary method until you have updated your older Enterprise Consoles, and all your browsers!

Created on Oct 17, 2014 2:27:31 PM by  Dirk Paessler [Founder Paessler AG] (10,835) 3 4

Last change on Jul 29, 2016 8:36:59 AM by  Gerald Schoch [Paessler Support]
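
A way to check, after the upgrade, that an endpoint negotiates what the answer above describes (no SSL V3, TLS 1.2 with forward secrecy). This is an added example, not part of the original post and not Paessler code; `assess`, `probe` and the sample sessions are hypothetical names and constructed data, "mandatory TLS 1.2" is read as "nothing below TLS 1.2", and TLS 1.3 is accepted as a generalization beyond the 2014 post.

```python
import socket
import ssl

# Protocol versions ruled out by a "TLS 1.2 or later" policy (assumption, see lead-in).
REJECTED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample sessions: (negotiated version, OpenSSL cipher name).
SAMPLES = [
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),  # compliant
    ("TLSv1.2", "AES256-SHA"),                   # static RSA key exchange
    ("SSLv3", "DES-CBC3-SHA"),                   # legacy protocol and cipher
]


def assess(version, cipher_name):
    """Return policy findings for one negotiated session (empty list = compliant)."""
    cipher_name = cipher_name or ""
    findings = []
    if version is None or version in REJECTED:
        findings.append(f"protocol {version} is below TLS 1.2")
    # TLS 1.3 suites always use ephemeral keys; for TLS 1.2 and older the key
    # exchange is the prefix of the OpenSSL cipher name (ECDHE-..., DHE-...).
    forward_secret = version == "TLSv1.3" or cipher_name.startswith(("ECDHE-", "DHE-"))
    if not forward_secret:
        findings.append(f"cipher {cipher_name} has no forward secrecy")
    return findings


def probe(host, port=443, timeout=5.0):
    """Handshake with host:port and return (version, cipher_name) as negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only handshake parameters are inspected, so certificate checks are off;
    # never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    for version, cipher in SAMPLES:
        print(version, cipher, assess(version, cipher) or "OK")
```

`assess(*probe(host))` reports the best session a current client negotiates; confirming that SSL V3 is actually refused additionally needs a client build that can still offer it, which most current OpenSSL builds cannot.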



Votes: 0

FTP sensor won't work with plain old unsecure FTP servers... There is no option "Don't use TLS" :(

Created on Oct 22, 2014 4:48:14 PM by  Vadim Doroginin (0)



Votes: 0

Hi Vadim,

Thank you for your post!

You can still use the FTP sensor with your unsecure FTP servers. In version 14.4.12.3283/3284 (the current release), choose the option Use explicit Transport-Level Security if available and the sensor works.

In the next release we change the options for this setting to only two so it becomes clearer what to choose.

Regards,

Created on Oct 23, 2014 9:11:00 AM by  Gerald Schoch [Paessler Support]



Votes: 0

If for some reason, I want/need to remove this patch, how can this be done?

Created on Oct 27, 2014 7:41:17 PM by  gsdunca (0)



Votes: 0

To fully disable these changes you would need to perform a rollback of PRTG to version 14.3.11, and then actually stay on this version. This rollback will require a rollback of the configuration file though as well, because version 14.4.12 changes the configuration file, so that older versions cannot use it anymore.

Created on Oct 28, 2014 8:50:29 AM by  Torsten Lindner [Paessler Support]

Last change on Oct 29, 2014 2:16:08 PM by  Torsten Lindner [Paessler Support]



Votes: 0

I am looking for the "Weak Security" workaround. In the PRTG Administrator, on the Web Server tab I see a setting under Expert Configuration that says "Use SSL encryption".

Is this the setting I'm looking for?

Thanks in advance!

Created on Nov 5, 2014 8:58:19 PM by  mcsestretch (0) 1



Votes: 0

The "Weak Security"-Settings are available under "Setup"->"System Administration"->"User Interface" in the PRTG web interface.

Created on Nov 6, 2014 8:35:00 AM by  Torsten Lindner [Paessler Support]



Votes: 0

I just updated to Version 14.4.12.4370. How come Port sensors now only work with the "Do not use Transport-Level Security" option and what can I do to make it work again? Thanks in advance.

Regards Timo

Created on Nov 12, 2014 5:07:50 PM by  Timo Schnaible (0)



Votes: 0

Again, just to be sure: a rollback in case of problems would consist of

a) complete reinstallation of PRTG 14.3.11 (or whatever) followed by b) the "implementation" of the appropriate configuration file from automatic backup?

Thanks - Roger

Created on Nov 13, 2014 3:53:34 PM by  Juerg Maeder (0) 1



Votes: 0

You would also have to install the remote probe software on any machines that connect to that core since the remote probes and cluster probes will not be automatically downgraded.

Created on Nov 13, 2014 10:32:53 PM by  Greg Campion [Paessler Support]


