Action plan for TLS 1.2
AWS has announced that TLS 1.2 will become the minimum TLS protocol level for all AWS API endpoints.
In light of this, the following products are affected:
Dalet Product Line | Component |
All Dalet Galaxy versions, including 4.0.352, 4.0.352 SP 01-11 need the update below. 4.0.352 SP 12 and up and 4.0.383 do not need any action. | awscli from MTA (Media Transcoder Agent) |
Flex | not relevant |
Amberfin | not relevant |
Pyramid | not relevant |
Brio | not relevant |
CubeNG | not relevant |
Solution
Because the TLS version is negotiated for each connection, the affected Dalet Galaxy versions listed above may continue to work without any action taken.
You can check via AWS CloudTrail Lake what TLS protocol has been negotiated: https://aws.amazon.com/blogs/mt/using-aws-cloudtrail-lake-to-identify-older-tls-connections-to-aws-service-endpoints/
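One way to turn CloudTrail records into a list of MTA hosts that still negotiate a TLS version below 1.2 is sketched here as an added example; it is not Dalet's or AWS's code. The sample events, IP addresses and user-agent strings are constructed, and the script assumes awscli calls can be recognised by a user agent starting with `aws-cli/`.

```python
from collections import Counter

# Constructed sample records, not real log data. Field names (tlsDetails.tlsVersion,
# userAgent, sourceIPAddress) follow the CloudTrail event record format.
AWSCLI_UA = "aws-cli/1.0.0 Python/2.7 Windows/2012Server"  # constructed user agent
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "sourceIPAddress": "198.51.100.10",
     "userAgent": AWSCLI_UA, "tlsDetails": {"tlsVersion": "TLSv1"}},
    {"eventName": "GetObject", "sourceIPAddress": "198.51.100.10",
     "userAgent": AWSCLI_UA, "tlsDetails": {"tlsVersion": "TLSv1"}},
    {"eventName": "PutObject", "sourceIPAddress": "198.51.100.11",
     "userAgent": AWSCLI_UA, "tlsDetails": {"tlsVersion": "TLSv1.2"}},
    {"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.12",
     "userAgent": "custom-script/0.1", "tlsDetails": {"tlsVersion": "TLSv1.1"}},
    # Some records carry no tlsDetails at all; they must not break the scan.
    {"eventName": "DescribeStacks", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userAgent": "cloudformation.amazonaws.com"},
]

OLD_TLS = {"TLSv1", "TLSv1.1"}  # everything below the new TLS 1.2 minimum


def old_tls_clients(events):
    """Count calls per (source IP, user agent, TLS version) made below TLS 1.2."""
    hits = Counter()
    for ev in events:
        version = (ev.get("tlsDetails") or {}).get("tlsVersion")
        if version in OLD_TLS:
            hits[(ev.get("sourceIPAddress"), ev.get("userAgent", ""), version)] += 1
    return hits


def hosts_needing_awscli_update(events):
    """Source IPs whose awscli calls negotiated an old TLS version."""
    return sorted({ip for (ip, ua, _version) in old_tls_clients(events)
                   if ua.startswith("aws-cli/")})


if __name__ == "__main__":
    for (ip, ua, version), count in sorted(old_tls_clients(SAMPLE_EVENTS).items()):
        print(f"{ip}  {version}  {count} call(s)  {ua}")
    print("awscli update needed on:", hosts_needing_awscli_update(SAMPLE_EVENTS))
```

Clients that appear in the first listing without an `aws-cli/` user agent are third-party applications or custom scripts and are not fixed by replacing the AMAZON folder.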
If the connection is refused, or if you want to be on the safe side, it is recommended to do the following:
Download the AWS_TLS_update_Amazon.zip file from Dalet FTP:
https://ftp.dalet.com/?u=bttQ&p=Wg4K
Do not forget to check the "I am not a robot" box and, if necessary, identify the bridges and bikes or whatever is shown. It may even take several rounds. Otherwise your login attempt will fail.
Stop the MTA instances on all hosts running them.
Alternatively, go host by host and stop the MTA instances on each host before executing the following:
- Unzip the zip.
- Browse to the Dalet installation BIN folder. Delete the AMAZON folder.
- Copy the AMAZON folder from the unzipped location into the BIN folder.
- Restart MTA instance.
- Repeat on next host.
Comments
In addition to this process, since some of the customers are using 3rd-party applications and custom scripts, in order to be on the safe side I suggest checking the AWS Health Dashboard of their account; it should appear there if the customer uses TLS 1.1 or earlier.
We should mention that Galaxy versions are using AWS SDK 1.11.x, which is not affected by this problem (see this article), so only the awscli patch is necessary.