In version 14.4.12.x we have implemented many changes regarding SSL encryption. This article explains these changes and their effects.
This article applies to PRTG Network Monitor 14.4.12 or later.
This update contains SSL security fixes that will affect your work with PRTG. Version 14.4.12 is the most secure PRTG ever built, including a fix for the recent POODLE problem. But this tightened security has side effects. Most notably, all your Enterprise Console installations on client machines will need to be updated manually. Also, some SSL-based sensors and notifications may be affected by substantial changes in our SSL code.
What does the world need to do?
Less than 1% of worldwide SSL traffic still uses SSL v3, mostly from old, outdated browsers; the bad guy IE6 is the most common of this bad bunch. Because of this 1%, most websites still offered SSL v3 until now. The general recommendation is to completely discontinue offering SSL v3 on the server side. Most (well managed) websites have disabled this protocol or will do so very quickly. IE6-ish Methuselah browsers will finally be kicked out of the Internet (Hooray!)
What are we doing for PRTG?
PRTG uses SSL for various connections:
- Webserver <> Client (web-browser, Enterprise Console, mobiles, API consumers)
- Core <> Probe (Remote Probe connections are affected, local probe is safe)
- Core <> Core (Cluster feature)
- Various sensors (but in most cases PRTG is the "client")
This version also contains massive changes to the way we use SSL inside PRTG, so this will be the most secure PRTG ever made:
- Due to POODLE, we no longer use SSL v3
- We are including a new SSL default certificate with 2048 bits
- We have implemented TLS 1.2 with Forward Secrecy, and made this mandatory for all connections
- Please see the article What security features does PRTG include? for details about elliptic curves and ciphers.
These changes effectively lock out some really OLD browsers from the WebGUI (Android 2.3, IE6/7/8 on XP, and API access with OpenSSL 0.9.x) and break connections to the Enterprise Console (EC).
When you update to version 14.4.12 from any previous version of PRTG, you will (or may) run into the following side effects of the tightened security:
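The lockout described above can be reproduced in a small harness. The Go program below is an added example, not PRTG code: it generates a 2048-bit RSA key and a self-signed "localhost" certificate in memory, runs a local TLS server with the policy the article describes (no SSLv3, TLS 1.2 as the minimum, ECDHE-only suites so every session has forward secrecy), and then connects with two clients, one capped at TLS 1.0 to stand in for an IE6/7/8-on-XP class browser and one capable of TLS 1.2. Go does not implement SSLv3 at all, so the SSLv3 rejection itself cannot be exercised here; the TLS 1.0 client shows the same class of failure. All function and type names are the example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type Outcome struct { // result of one client handshake attempt against the strict server
	Version uint16 // negotiated protocol version, e.g. tls.VersionTLS12
	Cipher  string // negotiated cipher suite name (empty if rejected)
	Err     string // handshake error text (empty if connected)
}

// newSelfSignedCert builds a 2048-bit RSA key and a self-signed "localhost"
// certificate in memory, plus a trust pool that accepts it (stand-in for a real cert).
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // cannot fail for DER we just produced
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// strictServerConfig is the server-side policy from the article: SSLv3 is never
// offered (Go does not implement it), TLS 1.2 is the minimum, and only ECDHE
// suites are enabled so every TLS 1.2 session has forward secrecy.
func strictServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// tryClient starts the strict server on the loopback interface, connects once
// with a client restricted to protocol versions [minVer, maxVer] (that is how an
// old browser is emulated here) and reports what happened.
func tryClient(srv *tls.Config, roots *x509.CertPool, minVer, maxVer uint16) Outcome {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return Outcome{Err: err.Error()}
	}
	defer ln.Close()
	served := make(chan struct{})
	go func() {
		defer close(served)
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // a rejection here is reported on the client side
			c.Close()
		}
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs: roots, ServerName: "localhost", MinVersion: minVer, MaxVersion: maxVer,
	})
	if err != nil {
		<-served
		return Outcome{Err: err.Error()}
	}
	st := cli.ConnectionState()
	cli.Close()
	<-served
	return Outcome{Version: st.Version, Cipher: tls.CipherSuiteName(st.CipherSuite)}
}

func main() {
	cert, roots, err := newSelfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := strictServerConfig(cert)
	old := tryClient(srv, roots, tls.VersionTLS10, tls.VersionTLS10) // IE6/7/8-on-XP class client
	fmt.Printf("TLS 1.0-only client: connected=%v err=%q\n", old.Err == "", old.Err)
	modern := tryClient(srv, roots, tls.VersionTLS12, tls.VersionTLS12) // TLS 1.2-capable browser
	fmt.Printf("TLS 1.2 client: connected=%v version=0x%04x cipher=%s\n", modern.Err == "", modern.Version, modern.Cipher)
}
```

Run it with `go run`: the TLS 1.0-only client is refused with a protocol-version error, while the TLS 1.2 client negotiates TLS 1.2 with an ECDHE suite. The same kind of check against an actual server is what `openssl s_client -connect host:port -tls1` (or `-tls1_2`) does from the command line.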
- Remote Probes: After PRTG has been updated all Remote Probes from all previous versions will be able to connect to the new server and download the update automatically.
- Enterprise Console: After PRTG has been updated no Enterprise Console on client machines will be able to connect and/or download the update automatically. Please update your Enterprise Console on client machines manually!
- Sensor types: The following sensors are affected by the changes when you use them with encryption.
Note: When used with an HTTPS URL, the HTTP sensors below now try to connect via any accepted SSL/cipher combination, just as a web browser would do.
- HTTP Advanced (with "default" monitoring engine)
- HTTP Content
- HTTP Transaction
- SMTP&IMAP Round Trip
- SMTP&POP3 Round Trip
- Notification methods: The following notifications are affected by the changes when you use them with encryption.
- SMTP (outgoing mail)
- Amazon SNS
- Old browsers: After the update older browsers, for example, IE6 will not be able to access the web interface anymore (except when you set the web server to port 80 without SSL).
- Old Android versions: After the update, anyone trying to use either the Mobile GUI, or our old and unsupported app "PRTGdroid", on Android 2.3 or lower will no longer be able to connect.
- No downgrade: Because this update contains a tree version update, it is not possible to downgrade to an earlier version of PRTG once you have this version installed (without going back to the old configuration, which PRTG saves automatically every day in the "Configuration Auto-Backups" folder).
"Weak security" workaround
If the approach mentioned above is not feasible for your setup, we provide a switch in the web server settings that sets the PRTG web server to "weak security": this still allows SSL 3.0 with secure ciphers. Your Enterprise Consoles will then be able to connect to the new server and download the update automatically. Please use this switch only as a temporary measure until you have updated your older Enterprise Consoles and all your browsers!
FTP sensor won't work with plain old insecure FTP servers... There is no option "Don't use TLS" :(
Thank you for your post!
You can still use the FTP sensor with your insecure FTP servers. In version 126.96.36.19983/3284 (the current release), choose the option Use explicit Transport-Level Security if available and the sensor works.
In the next release we will change the options for this setting to only two, so it becomes clearer what to choose.
If for some reason I want/need to remove this patch, how can this be done?
To fully disable these changes you would need to perform a rollback of PRTG to version 14.3.11, and then actually stay on this version. This rollback will also require a rollback of the configuration file, because version 14.4.12 changes the configuration file so that older versions cannot use it anymore.
I am looking for the "Weak Security" workaround. In the PRTG Administrator, on the Web Server tab I see a setting under Expert Configuration that says "Use SSL encryption".
Is this the setting I'm looking for?
Thanks in advance!
The "Weak Security"-Settings are available under "Setup"->"System Administration"->"User Interface" in the PRTG web interface.
I just updated to Version 188.8.131.5270. How come Port sensors now only work with the "Do not use Transport-Level Security" option, and what can I do to make them work again? Thanks in advance.
Again, just to be sure: a rollback in case of problems would consist of
a) a complete reinstallation of PRTG 14.3.11 (or whatever), followed by b) the "implementation" of the appropriate configuration file from the automatic backup?
Thanks - Roger
You would also have to install the remote probe software on any machines that connect to that core since the remote probes and cluster probes will not be automatically downgraded.