To align with security best practices, we will be disabling access to Evidence.com over Transport Layer Security (TLS) 1.0 and 1.1 in October 2018. This change will not be noticeable to most users, since they are already using clients that support TLS 1.2. If your agency is using the Evidence.com Partner API, our CAD-RMS integration, or Axon Interview, then you must verify that you support TLS 1.2 and have it enabled.
What is TLS?
TLS, or Transport Layer Security, is a protocol that secures data transmitted between two applications. It is the standard security protocol used by all major browsers and other applications that require secure data transmission.
What is changing?
Starting in October 2018, Evidence.com will refuse all connections over TLS 1.0 and 1.1. Only connections over TLS 1.2 will be accepted.
How will this impact me?
For most users this will have no impact, other than a guarantee of stronger security. If you are using the Evidence.com Partner API, our CAD-RMS integration, or Axon Interview, please see the appropriate section of this article to determine if you are impacted by this change. The Evidence.com Partner API section includes information on testing your client.
Why is this changing?
TLS 1.0 and 1.1 are outdated versions of the TLS protocol. By restricting access to TLS 1.2, we are aligning with security best practices to protect against any vulnerabilities that may arise in these outdated protocols.
What browsers are affected by this change?
No browser that is currently supported by Evidence.com is affected by the change. If you attempt to access Evidence.com using an older browser, you may receive a security error rather than our current outdated browser notice.
The following is a list of minimum browser versions for TLS 1.2 support:
- Internet Explorer 11+
- Edge, all versions
- Firefox 27+
- Chrome 38+
- Android 5.0+ (Lollipop) and some 4.4 (KitKat) clients
- Desktop Safari 7+ (OS X 10.9+)
- Mobile Safari 5+ (iOS 5+)
Will Axon's mobile applications be affected by this change?
- iOS:
  - No iOS applications are affected by this change.
- Android:
  - Axon View and Axon Capture have a minimum version of Android 4.4. They will be upgraded to force TLS 1.2, but will continue to support Android 4.4.
  - If your agency uses the Motorola Moto G purchased directly from Axon, please be sure to update to the latest version of Axon View and Axon Capture.
  - Axon Device Manager currently supports Android 4.1 or higher. The minimum version will be increased to Android 4.4 to align with View and Capture.
Will my agency's CAD-RMS Integration to Evidence.com be affected?
Yes, it is affected.
Do I really need to upgrade the version of .NET on the server running my CAD-RMS client?
In short, yes. Since 2014, the National Institute of Standards and Technology (NIST), other government standards bodies, and security best-practice frameworks have recommended moving to TLS 1.2. TLS versions before 1.2 have known weaknesses that can only be addressed by moving to TLS 1.2. To ensure our customers' data is protected, we must move to TLS 1.2 and end support for TLS 1.0 and 1.1.
It is in your agency's best interest to update your software to TLS 1.2.
What do I need to do to ensure my CAD-RMS Integration Client is updated?
To enable support for TLS 1.2, you may need to take a few steps. You will need to upgrade to version 4.6 or later of the Microsoft .NET Framework on the server running your CAD-RMS integration client.
One way to check which .NET version is currently installed on the server is to log into the server, open Internet Explorer, and navigate to http://smallestdotnet.com, which should be able to detect the installed .NET version.
Once you have updated the Microsoft .NET Framework, you will need to follow the steps below to install an updated version of the CAD-RMS client. Installing the updated client will replace your existing client. You will not need to uninstall the current version.
- Copy your PID (Partner ID), Client ID and Secret from your integrator.exe.config file. You can find this file in your CAD-RMS Integration Client installation folder, usually found in C:\Program Files (x86)\TASER.
- Download the latest version of the CAD-RMS client from here.
- Run the latest version of the client. Follow recommended steps for installation.
- When prompted for Partner ID, Client ID and Secret during installation, use the information from your configuration file that you copied in step 1.
- When prompted for Metadata Export Folder, set the folder to your existing value.
Will Axon Interview support be affected by this change?
Yes, it is affected. To enable support for TLS 1.2 in the Axon Interview software, a couple of simple steps are required. Depending on your operating system, a Windows security patch may be required to add TLS 1.2 support to the required .NET Framework. Refer to the following Microsoft knowledge base articles and downloads for your operating system. Prior to applying them, ensure your system has the latest Windows updates.
Windows 7 SP1 or Windows Server 2008 R2
Windows Server 2012
Windows 8.1 or Windows Server 2012 R2
Finally, to ensure Axon Interview leverages the updated protocol, a software patch needs to be applied to the Interview software, depending on the software revision currently being used. To determine which version of Axon Interview software you are using, access the Touch Panel or Kiosk interface and review the software version text at the bottom of the login screen.
Based on the shown software version, download one of the following files.
- Axon Interview 3.6.8: This patch only needs to be applied on your Primary and Secondary Recording servers.
- Axon Interview 3.5.42: This patch only needs to be applied on your Touch Panel PCs.
Extract the files within the ZIP archive and right-click on ApplyPatch.bat and select Run as Administrator. Once complete, be sure to restart the updated server or PC.
If you have any questions about your version of Axon Interview or applying the patch, contact Axon Customer Support by email at cs@axon.com or by phone.
Does this affect API access to Evidence.com?
Yes, depending on your platform or library. If your API client is running on an outdated protocol, you will need to upgrade to a client that supports TLS 1.2. The following table lists common API clients and their support status. Information on testing your API client is provided after the table.
Platform or Library | Compatible | Compatibility Notes |
---|---|---|
Java (Oracle) | | |
Java 8 (1.8) and higher | Yes | |
Java 7 (1.7) | With Modifications | Enable TLS 1.2 using the https.protocols Java system property for HttpsURLConnection. To enable TLS 1.2 on non-HttpsURLConnection connections, set the enabled protocols on the created SSLSocket and SSLEngine instances within the application source code. Switching to IBM Java may be an effective workaround if upgrading isn't feasible. |
Java 6 (1.6) update 111 and higher | Yes | Requires paid support. |
Java 6 (1.6) and below (publicly available version) | No | Switching to IBM Java may be a possible workaround. |
Java (IBM) | | |
Java 8 (1.8) and higher | Yes | If your application or its libraries use SSLContext.getInstance("TLS"), you may need to set com.ibm.jsse2.overrideDefaultTLS=true. |
Java 7 and higher; Java 6.0.1 service refresh 1 (J9 VM 2.6) and higher; Java 6 service refresh 10 and higher | With Modifications | TLS 1.2 can be enabled by using the https.protocols Java system property for HttpsURLConnection and the com.ibm.jsse2.overrideDefaultProtocol Java system property for SSLSocket and SSLEngine connections (see the IBM documentation). You may also need to set com.ibm.jsse2.overrideDefaultTLS=true. |
.NET | | |
.NET 4.6 and higher | Yes | |
.NET 4.5 to 4.5.2 | With Modifications | Option 1: .NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example: System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 \| SecurityProtocolType.Tls11 \| SecurityProtocolType.Tls; Option 2: It may be possible to enable TLS 1.2 by default by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file. These registry values will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value. |
.NET 4.0 | With Modifications | To enable TLS 1.2, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". These registry keys may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system, so we recommend testing this change before deploying it to your production servers. This is also available as a registry import file. These registry values will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value. |
.NET 3.5 and below | No | |
Python | | |
Python 2.7.9 and higher | Yes | Compatible when running on an operating system that supports TLS 1.2. |
Python 2.7.8 and below | No | |
Ruby | | |
Ruby 2.0.0 | Yes | Compatible when linked to OpenSSL 1.0.1 or better. Use the :TLSv1_2 (preferred) symbol for an SSLContext's ssl_version to help ensure that TLS 1.0 or earlier is disabled. |
Ruby 1.9.3 and below | With Modifications | It is possible to patch Ruby to add the :TLSv1_2 symbol and compile with OpenSSL 1.0.1 or higher. |
Microsoft WinINet | | |
Windows Server 2012 R2 and higher; Windows 8.1 and higher | Yes | |
Windows Server 2008 R2 to 2012; Windows 7 and 8 | With Modifications | Compatible by default if Internet Explorer 11 is installed. Otherwise, you will need to enable TLS 1.2 in Internet Explorer to ensure compatibility. |
Windows Server 2008 and below; Windows Vista and below | No | |
Microsoft Secure Channel (Schannel) | | |
Windows Server 2012 R2 and higher; Windows 8.1 and higher | Yes | |
Windows Server 2012; Windows 8 | With Modifications | TLS 1.2 is disabled by default, but can be enabled by an application. Or, it can be enabled by default in the registry, either manually or with a registry import file. |
Windows Server 2008 R2; Windows 7 | With Modifications | Compatible in client mode. Otherwise, it can be enabled by default in the registry, either manually or with a registry import file. |
Windows Server 2008 and below; Windows Vista and below | No | |
Microsoft WinHTTP and Webio | | |
Windows Server 2012 R2 and higher; Windows 8.1 and higher | Yes | |
Windows Server 2008 R2 SP1 and 2012; Windows 7 SP1 | With Modifications | Webio is compatible when KB3140245 is applied. WinHTTP can be configured for TLS 1.2 via registry settings. |
Windows Server 2008 and below; Windows Vista and below | No | |
OpenSSL | | |
OpenSSL 1.0.1 and higher | Yes | |
OpenSSL 1.0.0 and below | No | |
Mozilla NSS | | |
3.15.1 and higher | Yes | |
3.15 and below | No | |
How do I test to see if I updated my API client software correctly?
First, ensure that your API client is still working correctly. Updating your client and server software to support TLS 1.2 should not affect your integration. This also ensures that any issues can be isolated to a difference in TLS.
Next, try to connect your client to an API host that requires TLS 1.2 as follows:
- Change your API host from the current setting (most likely api.evidence.com (https://api.evidence.com/) or api.uk.evidence.com (https://api.uk.evidence.com/)) to https://api.ca.evidence.com.
- Change your partner id, client id, and secret to new dummy values.
For example, you can use:
- Partner (agency) ID — FFCFA17B-168F-C243-534E-76893098699E
- Client ID — 465008FD-7413-4EE2-88BF-099650E51B43
- Client secret — C7GSa6XNcfLsKJNAx6aU90v24FaAOXklrgI7E03mPAU=
- Request an authorization token from the new API host using the /api/oauth2/token URI.
If you have enabled TLS 1.2 correctly, you will receive a 404 or 401 response and an error indicating that you are unauthorized or that you have invalid credentials.
If TLS 1.2 is not enabled correctly, you will receive a 502 connection rejected response.
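As an added offline check that complements the live test above (this is example code, not part of Axon's article or software): the Python below reads a captured TLS ClientHello, the first record a client sends and something you can export from a packet capture of your CAD-RMS or API client, and reports the highest protocol version it offers, which is what a TLS 1.2-only server inspects before rejecting an older client. The function names and the constructed sample ClientHello are this example's own.

```python
import os

TLS_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B   # extension type from RFC 8446, section 4.2.1

def highest_offered_version(record: bytes) -> int:
    """Return the highest protocol version a ClientHello record offers."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                          # client_version, random
    pos += 1 + body[pos]                                  # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 <= len(body):                              # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS_EXT and ext_len >= 3:
                # TLS 1.3-capable clients list every version here; legacy_version is then fixed at 0x0303
                return max(int.from_bytes(data[i:i + 2], "big") for i in range(1, 1 + data[0], 2))
            pos += 4 + ext_len
    return legacy_version   # older clients: client_version is the maximum they support (RFC 5246)

def offers_tls12(record: bytes) -> bool:
    """True if a server that accepts only TLS 1.2 (or newer) can negotiate with this client."""
    return highest_offered_version(record) >= 0x0303

def build_client_hello(legacy_version: int, versions=()) -> bytes:
    """Build a minimal ClientHello as constructed sample input (not a real capture)."""
    ext = b""
    if versions:                       # optional supported_versions extension
        lst = b"".join(v.to_bytes(2, "big") for v in versions)
        data = bytes([len(lst)]) + lst
        ext = SUPPORTED_VERSIONS_EXT.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    body = (legacy_version.to_bytes(2, "big") + os.urandom(32)   # client_version, random
            + b"\x00"                                              # empty session_id
            + b"\x00\x02\xc0\x2f"                                  # one cipher suite
            + b"\x01\x00"                                          # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake
```

A client whose ClientHello reports TLS 1.0 or 1.1 here is the one that will see the 502 rejection described above once TLS 1.2 is required.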