TLS warnings from Amazon

Hi guys,

I got this message from AWS, which is complaining about the TLS version used in the mail handling from Backendless.

Is this something that you are aware of/will upgrade?

Subject: [ACTION REQUIRED] - Update your TLS connections to 1.2 to maintain AWS connectivity [AWS Account: 758166736907]

Hello,

We have identified TLS 1.0 or TLS 1.1 connections to AWS APIs from your account that must be updated for you to maintain AWS connectivity. Please update your client software as soon as possible to use TLS 1.2 or higher to avoid an availability impact. We recommend considering the time needed to verify your changes in a staging environment before introducing them into production.

We will begin deploying updates to the TLS configuration to a minimum of version TLS 1.2 by September 15, 2023, even if you still have connections using these versions. These deployments will complete by no later than December 31, 2023. This update removes the ability to use TLS versions 1.0 and 1.1 with all AWS APIs in all AWS Regions [1].

How can I determine the client(s) I need to update?
We have provided the connection details following this messaging to help you pinpoint your client software that is responsible for using TLS 1.0 or TLS 1.1, so you can update it accordingly. We have an AWS re:Post article that details how you can find IP addresses of SMTP Clients behind a NAT gateway [2].

For assistance in identifying your Amazon Simple Email Service (SES) To (sender) From (recipient) email addresses for your connection(s), please contact AWS Support [3] or your Technical Account Manager.

[1] https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints
[2] https://repost.aws/articles/ARevUPGDKvRyant5D1MA7yZg
[3] https://aws.amazon.com/support

Please see the following for further details on the TLS 1.0 or TLS 1.1 connections detected from your account to SES using Simple Mail Transfer Protocol (SMTP) between August 22, 2023 and September 05, 2023. We are unable to provide a UserAgent for these connections because it is part of the HTTP protocol, but is not part of SMTP connections.

Region | Event | Message ID | Source IP | TLS Version
--- | --- | --- | --- | ---
eu-north-1 | SMTP Message | 0110018a4f4e49fb-49cc9f76-14df-4e0d-9ca0-8f84f5927723-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a3feb1031-8228ee64-c43e-400b-9129-b7466dce9656-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a63f0bf1b-15b9eaf2-6641-4130-ab2b-89281f65fd85-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a6123f90f-187c900e-01fe-4a10-bd40-13c1eb5cac9a-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a4b8738da-a2ab2f0e-9aa5-46a4-81eb-bd23779c323a-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a6408e35d-ddd5ff69-b92c-4e5c-b17f-66cbd67e52c1-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a4ccb407a-71ea3d1e-4741-4f65-aa34-8c5f1cc980f7-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a41cb9fa5-19b91abf-ccca-4542-9483-7b56b32df648-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a5fb4b6ae-334b1822-d9c2-4fa6-83a4-66cca20c9b30-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a50134367-23c86c53-d991-4758-864b-dd8ac165dce3-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a4bfcf1c6-138d54b6-cd20-4154-9491-a1d0fad15b3b-000000 | 167.99.247.231 | TLSv1
eu-north-1 | SMTP Message | 0110018a6418c16c-c617da2f-a8a7-4b69-93f3-3403dedec180-000000 | 167.99.247.231 | TLSv1


Sincerely,
Amazon Web Services
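The notice above leaves the account owner with two jobs: work out from the per-connection table which source IP is still negotiating TLS 1.0/1.1, and make sure their own SMTP clients can no longer do so. The following Python script is an added example for this thread, not code from Backendless, AWS or the original poster. It parses a table in the same layout as the AWS notice (the rows here are constructed, with RFC 5737 documentation addresses and placeholder message IDs rather than the real values from the email), groups the offending rows by source IP, and builds the `ssl.SSLContext` a Python SMTP client would pass to `starttls()` so that only TLS 1.2 or 1.3 can be negotiated. The `negotiated_version()` helper performs a real STARTTLS upgrade and reports the protocol the server actually chose, which is how you confirm a client against an endpoint that accepts nothing below 1.2; the host name it is given is an assumption, and it is not exercised by the offline demo.

```python
"""Triage an AWS SES TLS-deprecation notice and enforce a TLS 1.2 floor on an
SMTP client. Added example for this thread; not Backendless/AWS code."""
import smtplib
import ssl
from collections import defaultdict

# Constructed sample in the "Region | Event | Message ID | Source IP | TLS Version"
# layout of the AWS notice. IPs are RFC 5737 documentation addresses and the
# message IDs are placeholders, not values from the real email.
SAMPLE_NOTICE = """\
Region | Event | Message ID | Source IP | TLS Version
eu-north-1 | SMTP Message|0110018a-EXAMPLE-0001-000000 | 192.0.2.10 | TLSv1 |
eu-north-1 | SMTP Message|0110018a-EXAMPLE-0002-000000 | 192.0.2.10 | TLSv1.1 |
eu-west-1 | SMTP Message|0110018a-EXAMPLE-0003-000000 | 192.0.2.20 | TLSv1.2 |
"""

# Protocol names as AWS prints them, mapped to (major, minor) for comparison.
TLS_RANK = {"TLSv1": (1, 0), "TLSv1.1": (1, 1), "TLSv1.2": (1, 2), "TLSv1.3": (1, 3)}
MINIMUM_ALLOWED = (1, 2)  # the floor AWS announces in the notice


def parse_notice(text):
    """Return one dict per connection row. The header row is skipped, and the
    uneven spacing and trailing pipe seen in the AWS table are tolerated."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 5 or cells[0] == "Region":
            continue
        region, event, message_id, source_ip, tls_version = cells
        rows.append({"region": region, "event": event, "message_id": message_id,
                     "source_ip": source_ip, "tls_version": tls_version})
    return rows


def deprecated_clients(rows):
    """Map each source IP that negotiated below the floor to the sorted list of
    versions it was seen using. Unrecognised version strings are flagged too,
    so a typo in the notice cannot hide a client."""
    seen = defaultdict(set)
    for row in rows:
        rank = TLS_RANK.get(row["tls_version"])
        if rank is None or rank < MINIMUM_ALLOWED:
            seen[row["source_ip"]].add(row["tls_version"])
    return {ip: sorted(versions) for ip, versions in seen.items()}


def hardened_client_context():
    """SSLContext for smtplib.SMTP.starttls(): refuses TLS 1.0 and 1.1 and keeps
    certificate and hostname verification against the system trust store."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_version(host, port=587, timeout=10):
    """Open an SMTP session, upgrade it with STARTTLS using the hardened context
    and return the protocol the server actually negotiated, e.g. 'TLSv1.3'.
    Network call against an assumed host; not part of the offline demo."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=hardened_client_context())
        return smtp.sock.version()


if __name__ == "__main__":
    for ip, versions in deprecated_clients(parse_notice(SAMPLE_NOTICE)).items():
        print(f"{ip}: update this SMTP client (seen {', '.join(versions)})")
    print("client floor:", hardened_client_context().minimum_version.name)
```

Running it on the constructed sample reports only 192.0.2.10, because the TLSv1.2 row from 192.0.2.20 already meets the floor. The grouping by source IP is the useful part: as the thread later shows, the address in the notice may belong to a different application than the one you first suspect, so the fix starts with attributing each IP to a client before touching any mail configuration.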

Hello @Egil_Helland,

Thank you for reporting this issue.
Could you please describe how we can reproduce it?

I am only using the normal email setup in Backendless to send out email, but apparently this does not use TLS 1.2? So all I am doing is sending out email as normal when an account is created etc.

Have you configured your own SMTP server and changed Email Settings in the Console, or are you using the default Backendless SMTP settings?

I am using the settings for AWS as follows:

And there are no problems with the settings, it is just AWS noticing that the TLS protocol used is not version 1.3.

https://www.cloudflare.com/en-gb/learning/ssl/why-use-tls-1.3/

Thanks. Could you also please describe where exactly we can see these errors? We need to know how to reproduce the message you received.

Not sure what you are asking here Stanislaw. As long as the protocol being used is TLS<1.2, you will always get these errors/messages from Amazon, as far as I understand. The protocol update will be on your end, and should be updated to TLS 1.3 to be future proof. See the Amazon blog posts referred to in the original post for more detail (or just go here: TLS 1.2 to become the minimum TLS protocol level for all AWS API endpoints | AWS Security Blog)

Not sure what you are asking here Stanislaw.

You say that:

you will always get these errors/messages from Amazon

My question is: where will I retrieve / where can I see these errors/messages from Amazon? Is it email? Or is this something else?

I have created an internal ticket for our team, but this information would help us to quickly manage this issue.

This feedback was an automated email sent from Amazon, but it is part of the SES (Simple Email Service) program. I am not that familiar with their services, so I don’t know if you can get more real-time feedback than this, but it is sent out because they are not going to allow any TLS sending when the TLS handshake is not secure enough by modern standards, so basically any day now…

I also see it as part of the AWS Health Dashboard:

Come to think of it, it could also be one other service we are running that is producing this, as there are no log entries after September 8, I see. So if you are running on a later version of TLS in the communication you initiate, this might be a complete non-issue!

I don’t know how to find out what you are using, so please bear that in mind when investigating further!

Thank you for the detailed information @Egil_Helland, I’ve passed this info to our engineer.

Hello @Egil_Helland

I have tested the Backendless mail service with SendGrid SMTP. They have an SMTP endpoint that allows only TLS 1.2 or higher: tls12.smtp.sendgrid.net (SendGrid Ends Support for TLS 1.0 and 1.1 | Twilio). Everything works fine.

I can confirm this works just fine with Backendless - I found we had one more app running another system going through the same AWS SES service, and that was the culprit… Closing this :slight_smile: