Please make sure that your XELOS system is configured correctly.
TLS 1.2 since January 2020
As of January 2020, TLS 1.0 and TLS 1.1 encryption is no longer supported, and it is strongly recommended to secure communication with TLS 1.2.
This change will be enforced from March onwards by many manufacturers through warnings and patches to users and administrators. We have summarized the effects and necessary changes for XELOS systems in this article.
Warnings and error messages from March 2020
Browser
All current browsers will, in the coming updates, allow communication only via TLS 1.2 (or higher) and block other connections.
- Firefox 74 (rollout starting March 10th) will show an error message "SSL_ERROR_UNSUPPORTED_VERSION" if the server cannot communicate via TLS 1.2 or higher.
- Chrome 81 (rollout from March 17th) will block pages served over TLS 1.0 and TLS 1.1
- Safari (rollout March) completely discontinues support for communication on older versions
- IE Edge 82 (rollout April) will probably block pages completely
- Internet Explorer (1st half of 2020) will also discontinue support
Active Directory
Upcoming patches (March 2020) from Microsoft for Active Directory will, from then on, only support LDAPS over TLS for LDAP connections.
If you use XELOS with the authentication method Active Directory and/or Active Directory synchronization and use the LDAP protocol (without SSL), it will no longer be possible to log in to XELOS.
WebDAV drive
Please make sure that Windows clients are not outdated and especially that KB3140245 and KB3076949 are installed. (Windows 10 should not be affected)
XELOS Office Integration (XOI)
If you are using an older version of the XELOS Office Integration, please upgrade to the latest version for TLS 1.2 support.
Is your XELOS installation affected?
All XELOS configurations normally support TLS 1.2, so a complete failure after a browser update is very unlikely. However, communication via TLS 1.0/1.1 should also be switched off.
Check your SSL settings, e.g. with the Qualys SSL Test. If you get an A+ rating, your connection is configured according to current best practice.
Otherwise, check the warnings / notes.
Main steps for updating
XELOS as a Docker Container (standard since the end of 2018)
Update the XELOS Docker Container using the standard update procedure (run in the Docker configuration directory [/server/docker/xelos]):
docker-compose pull
docker-compose up -d
Other XELOS installation (installation before 2018)
Update the NGINX configuration and change the entry "ssl_protocols" in /etc/nginx/conf.d/xelos.conf to TLSv1.2:
ssl_protocols TLSv1.2;
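To confirm the change, the following added example (not part of the original article and not XELOS tooling) audits NGINX configuration text for ssl_protocols directives that still list deprecated protocols. The function names and the sample configuration are constructed for illustration; feed it the contents of /etc/nginx/conf.d/xelos.conf.

```python
import re

# Protocol tokens that must no longer appear in ssl_protocols.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ACCEPTED = {"TLSv1.2", "TLSv1.3"}
# The lookbehind keeps proxy_ssl_protocols (upstream side) from matching.
DIRECTIVE = re.compile(r"(?<!\w)ssl_protocols\s+([^;{}]*);")

def strip_comments(text):
    """Drop '#' comments so commented-out directives are not counted.
    Simplification: a '#' inside a quoted string is treated as a comment."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def audit_ssl_protocols(conf_text):
    """Return one finding per ssl_protocols directive in the config text."""
    clean = strip_comments(conf_text)
    findings = []
    for match in DIRECTIVE.finditer(clean):
        protocols = match.group(1).split()  # a directive may span several lines
        findings.append({
            "line": clean.count("\n", 0, match.start()) + 1,
            "protocols": protocols,
            "deprecated": sorted(DEPRECATED.intersection(protocols)),
            "has_accepted": bool(ACCEPTED.intersection(protocols)),
        })
    return findings

def is_compliant(conf_text):
    """True only if every directive is explicit, modern and free of old protocols.
    No directive at all is reported as non-compliant because the NGINX
    default protocol list depends on the installed version."""
    findings = audit_ssl_protocols(conf_text)
    return bool(findings) and all(
        f["has_accepted"] and not f["deprecated"] for f in findings)

# Constructed sample: a pre-2018 style config that still allows TLS 1.0/1.1.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    # ssl_protocols SSLv3;   (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1
                  TLSv1.2;
    proxy_ssl_protocols TLSv1.2;
}
"""

if __name__ == "__main__":
    for f in audit_ssl_protocols(SAMPLE_CONF):
        print(f"line {f['line']}: {f['protocols']} deprecated={f['deprecated']}")
    print("compliant:", is_compliant(SAMPLE_CONF))
```

After editing the file, reload NGINX and re-run the external SSL test, since the audit only reads configuration text and does not observe what the server actually negotiates.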
Update Active Directory Auth / Sync
Enable SSL/TLS for communication from XELOS to Active Directory. If the TLS root certificate of the Active Directory is not known, the option "Ignore TLS certificate" must also be checked so that the connection works without errors. (From XELOS 8.2.2 at the latest)