AWS TLS 1.2 Minimum for all AWS API endpoints: Dalet Action Plan

Benjamin KAHANE
  • Updated

Action plan for TLS 1.2

In light of the announcement TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints.

 

The following products are affected:

 

Dalet Product Line Component

All Dalet Galaxy versions, including 4.0.352, 4.0.352 SP 01-11 need the update below.

4.0.352 SP 12 and up and 4.0.383 do not need any action.

 awscli from MTA (Media Transcoder Agent)
Flex not relevant
Amberfin not relevant
Pyramid not relevant
Brio not relevant
CubeNG not relevant

 

Solution

For the affected Dalet Galaxy versions listed above, due to the nature of negotiating the TLS version, you may indeed manage without any action taken. 

You can check via AWS CloudTrail Lake what TLS protocal has been negotiated: https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/

 

n26ayVWA8u4LIAvvtiU97w.png

 

In case that the connection is refused and/or if you want to be on the safe side, it is recommended to do the following:

 

Download the AWS_TLS_update_Amazon.zip file from Dalet FTP: 

https://ftp.dalet.com/?u=bttQ&p=Wg4K

Do not forget to check the "I am not a robot" box and, if necessary, identify the bridges and bikes or whatever is shown. It may even take several rounds. Otherwise your login attempt will fail.

 

On all hosts running MTA instances: Stop them.

You can also go host by host, and stop before executing the following:

  • Unzip the zip.
  • Browse to the Dalet installation BIN folder. Delete the AMAZON folder.
  • Copy the AMAZON folder from the unzipped location into the BIN folder.
  • Restart MTA instance.
  • Repeat on next host.

 

Related articles

Comments

2 comments

Date Votes
  • Eyal LISS

    In addition to this process, since some of the customers are using 3rd party application and custom scripts, in order to be on the safe side I suggest to check the AWS Health Dashboard of their account, it should appear there if the customer uses TLS 1.1 or earlier.

    0
  • Jean-Christophe RIOS
    • Edited

    We should mention that Galaxy versions are using AWS SDK 1.11.x, which is not affected by this problem (see this article), so that only awscli patch is necessary.

    0

Please sign in to leave a comment.

Powered by Zendesk