The Redstor Storage Platform uses secure ciphers for TLS communications, both for data protection and for management purposes, to ensure that customer data security is maintained.
The exact details of currently supported ciphers can be found here. The ciphers are selected based on current security standards, and are periodically updated.
Cipher support for our agents is built into the agent software, so it is independent of direct communications built into the operating system. Even if the operating system does not support the ciphers directly, the agent will be able to function (backup and restore).
The ciphers listed are supported on the current Redstor ESE, SE and cloud agents.
Note: Not all operating systems currently supported by the manufacturer are able to support these ciphers to their full extent.
Windows 2012 R2 and earlier, and also Windows 8.1 and earlier, whilst still supported by Microsoft under Extended Support at the time of writing, do not support the full range of secure ciphers in their .NET implementations, which are built into the operating system.
The ciphers TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 are considered secure where they use a sufficient number of bits, but weak where they do not.
The implementation in Windows 2016 and higher for these ciphers uses sufficient bits for the connection to be secure, whilst 2012 R2 does not.
Although Redstor's testing ahead of the cipher policy change showed that it was possible for Windows 2012 R2 and Windows 8.1 to successfully connect to the Redstor Platform, there is no guarantee that they will be able to do so under all circumstances (e.g. unable to use sufficient bits to establish a secure connection).
Older operating systems such as Windows 2012 and Windows 2008 R2 are less likely to be able to use .NET to connect by default.
.NET is used by web browsers, PowerShell, InstantData and the Storage Platform Console, and as such these tools may be affected if a secure connection cannot be established.
As a workaround, you may be able to implement the secure cipher policy to match the Redstor Platform as found here. It is recommended to ensure that the server is running on the latest .NET version when applying the policy, and doing so may allow the client to connect successfully.
It is, however, important to note the consequences of making this change.
The cipher policy applies to both client and server secure .NET TCP connections, and based on Redstor's testing, is believed to be implemented asymmetrically by Microsoft - the ciphers may be implemented and allowed for client connections, but unavailable for use by server connections on the older operating system. If the operating system does not have any ciphers that it can use for secure .NET server connections (or none that are compatible with peer client ciphers), the user can expect to see a negative impact as secure connections to it will fail.
Redstor cannot be held responsible for any unexpected consequences to other applications and services (e.g. secure web server, secure Remote Desktop Connection) if the cipher suite is updated. You are strongly advised to confirm that applications and services continue to work as expected.
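One way to carry out that confirmation, as an added example that is not Redstor's own code: a PowerShell function that opens a TLS 1.2 connection through the Windows .NET stack and reports the negotiated algorithms and key-exchange size, so results can be compared before and after a cipher policy change. The host name is a placeholder and port 443 is an assumption.

```powershell
# Added example: report what the Windows .NET stack negotiates with a TLS endpoint.
# Certificate validation is left at the SslStream default, so a certificate problem
# is reported as such rather than being confused with a cipher mismatch.
function Test-TlsNegotiation {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,          # assumed port
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{ Host = $HostName; Port = $Port; Connected = $false }
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        # Fail fast on unreachable hosts so a network fault is not read as a TLS failure.
        if (-not $tcp.ConnectAsync($HostName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect timed out after $TimeoutMs ms"
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        # Request TLS 1.2 explicitly instead of relying on the framework default.
        $tls12 = [System.Security.Authentication.SslProtocols]::Tls12
        $ssl.AuthenticateAsClient($HostName, $null, $tls12, $false)

        $result.Connected       = $true
        $result.Protocol        = $ssl.SslProtocol
        $result.Cipher          = $ssl.CipherAlgorithm
        $result.CipherBits      = $ssl.CipherStrength
        # Elliptic-curve key exchange may print as a bare number on .NET Framework.
        $result.KeyExchange     = $ssl.KeyExchangeAlgorithm
        $result.KeyExchangeBits = $ssl.KeyExchangeStrength
        $result.Hash            = $ssl.HashAlgorithm
    } catch {
        # A handshake failure here means no usable protocol/cipher overlap (or a
        # certificate error); the innermost message says which.
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]$result
}

# Placeholder host name: substitute the endpoint or local service being checked.
Test-TlsNegotiation -HostName 'storage-platform.example.com'
```

Run it on the affected machine against the platform endpoint, and from a newer machine against services hosted on the older one, to cover both client and server connections.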
For product lifecycle reasons, it is almost always preferable to update the operating system to a version that the manufacturer fully supports, thus avoiding the scenario described above. Windows product lifecycle and support details can be found here.
Tools such as Python, Java, cURL and other third-party tools that do not use Windows .NET are not affected by the cipher policy on the machine (whether default or specifically applied), or by changes made to it.
If you are unsure about the above information or if you are experiencing connectivity issues related to ciphers, please contact Redstor Support using support@redstor.com.
Comments
Hi Alan
1) No - these also use built-in ciphers and will continue to function as normal. I will add this to the FAQ for clarification.
2) Notification has gone out this afternoon - cipher change as per FAQ 875 will be effective from July 20th 2021.
Thanks
Adam
Couple of questions:
1) Does this affect Desktop & Laptop + Server Edition legacy clients?
2) When does the switchover take place; Is this effective immediately?