TLS version compatibility
Introduction
The Harmony platform supports Transport Layer Security (TLS) 1.3 and 1.2 encryption. Jitterbit provides limited backward compatibility with TLS 1.1 and TLS 1.0 for certain connections with endpoints that require an older protocol version.
We recommend using TLS 1.3 with your endpoints where possible to avoid known vulnerabilities in older protocol versions. In addition, some endpoints require TLS 1.3 and will not accept connections at a lower version.
Tip
For additional details on how Jitterbit manages information security, see the Jitterbit security and architecture white paper.
TLS support in Jitterbit Harmony
TLS 1.2 is supported by all currently supported Jitterbit versions.
If you have an older version of one of the applications listed below, you may need to upgrade the version in order to use TLS 1.3. See upgrade instructions:
- Private agents: Windows, Linux, or Docker
- Private API gateways: Linux or Docker
- Design Studio: Windows or macOS
- Data Loader
Support for legacy (unsafe) renegotiation
Versions of TLS that predate the renegotiation indication extension of RFC 5746 had a vulnerability where an attacker could inject arbitrary data ahead of a client's legitimate traffic during a renegotiation handshake, enabling man-in-the-middle (MITM) attacks.
The TLS renegotiation vulnerability (CVE-2009-3555) affects the following versions of SSL/TLS:

| Vulnerable versions |
|---|
| SSL 3.0 |
| TLS 1.0 |
| TLS 1.1 |
| TLS 1.2 (if not patched with RFC 5746) |

This vulnerability does not affect the following secure versions, supported by Jitterbit Harmony:

| Secure versions |
|---|
| TLS 1.2 (with RFC 5746 support) |
| TLS 1.3 |
If you are connecting to an endpoint that allows or requires legacy (unsafe) renegotiation on a TLS connection, the TLS version may be selectable as a configuration option in the UI of the specific connector you are using. For example, an Integration Studio HTTP v2 connection provides a TLS version selection in its configuration.
If using a private agent, the following options are configurable to enable the use of older protocols:
- A private agent version 11.39 or later can be configured to allow unsafe legacy TLS renegotiation during the connection handshake with the server by setting `AllowUnsafeLegacyRenegotiation` to `true` in the `[Settings]` section of the private agent `jitterbit.conf` configuration file.
- A private agent can be configured to use TLS 1.0 or 1.1 for JDBC driver connections to database endpoints by removing `TLSv1` or `TLSv1.1` from the `jdk.tls.disabledAlgorithms` security property in the private agent `java.security` configuration file.
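Both private-agent settings above weaken TLS for every connection the agent makes, so it is worth auditing them rather than relying on memory of which host was relaxed. The script below is an added example, not Jitterbit's own code: it reads a `[Settings]` section in the `jitterbit.conf` format and the `jdk.tls.disabledAlgorithms` property of a `java.security` file (the standard JDK property, including its backslash-continued lines) and reports when legacy renegotiation is enabled or when `SSLv3`, `TLSv1` or `TLSv1.1` are no longer disabled. The file contents are constructed samples; the installation paths of the two files and the assumption that `jitterbit.conf` parses as plain INI are the author's own, not taken from the page.

```python
"""Audit private-agent TLS settings: jitterbit.conf [Settings] and
java.security jdk.tls.disabledAlgorithms. Added example with constructed
sample files; not Jitterbit's code."""
import configparser
from typing import Dict, List

# Constructed [Settings] fragment with legacy renegotiation enabled (the
# page's option name, as an operator might set it).
SAMPLE_JITTERBIT_CONF = """\
[Settings]
AllowUnsafeLegacyRenegotiation=true
"""

# Constructed fragment with the option left at its safe value.
SAMPLE_JITTERBIT_CONF_DEFAULT = """\
[Settings]
AllowUnsafeLegacyRenegotiation=false
"""

# Constructed java.security fragment in the JDK's own layout: one property
# split over continuation lines that end in a backslash.
SAMPLE_JAVA_SECURITY = """\
# constructed fragment, not a real JDK file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""

# Same fragment after someone removed TLSv1 to reach an old database endpoint.
SAMPLE_JAVA_SECURITY_WEAKENED = """\
jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, RC4, DES, MD5withRSA
"""

LEGACY_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1")


def read_java_security_property(text: str, key: str) -> List[str]:
    """Return the comma-separated entries of one java.security property,
    joining backslash-continued lines and skipping comment/blank lines."""
    logical_lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf == "" and (not line.strip() or line.lstrip().startswith("#")):
            continue
        if line.endswith("\\"):
            buf += line[:-1]          # continuation: keep accumulating
            continue
        logical_lines.append(buf + line)
        buf = ""
    if buf:                           # file ended on a continuation line
        logical_lines.append(buf)
    for logical in logical_lines:
        name, sep, value = logical.partition("=")
        if sep and name.strip() == key:
            return [entry.strip() for entry in value.split(",") if entry.strip()]
    return []


def audit_java_security(text: str) -> Dict[str, bool]:
    """Map each legacy protocol to whether it is still disabled for JSSE."""
    disabled = read_java_security_property(text, "jdk.tls.disabledAlgorithms")
    return {proto: proto in disabled for proto in LEGACY_PROTOCOLS}


def audit_jitterbit_conf(text: str) -> bool:
    """True when AllowUnsafeLegacyRenegotiation is enabled in [Settings].
    Assumes the file is INI-like; strict=False tolerates duplicate keys."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str          # keep key case exactly as written
    parser.read_string(text)
    return parser.getboolean("Settings", "AllowUnsafeLegacyRenegotiation",
                             fallback=False)


def findings(java_security: str, jitterbit_conf: str) -> List[str]:
    """Human-readable list of risky settings found in the two files."""
    out: List[str] = []
    for proto, is_disabled in audit_java_security(java_security).items():
        if not is_disabled:
            out.append(f"java.security: {proto} is not in "
                       f"jdk.tls.disabledAlgorithms; JDBC may negotiate it")
    if audit_jitterbit_conf(jitterbit_conf):
        out.append("jitterbit.conf: AllowUnsafeLegacyRenegotiation=true; "
                   "pre-RFC 5746 renegotiation (CVE-2009-3555) is permitted")
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_JAVA_SECURITY_WEAKENED, SAMPLE_JITTERBIT_CONF):
        print(line)
```

To run it against a real agent, read the two files from their installation paths and pass the contents to `findings()`; an empty list means neither relaxation is in effect.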
On private API gateways, TLS 1.1 can be configured to be allowed by contacting Jitterbit support.