Real People, 24/7

NetSuite's move to TLS 1.2

Avatar
Nugroho Updated

SyncApps is now fully supported by NetSuite's implementation of TLS 1.2 as per their documentation with the cipher AES CBC (such as TLS1-DHE-RSA-AES-256-CBC-SHA) which means Java 7 is able to connect to it.

https://netsuite.custhelp.com/app/answers/detail/a_id/49076

Backgrounder:

SyncApps Premier Support actively worked with NetSuite to resolve an issue to include rolling back to the most stable version of NetSuite which supports Java 7 for the SyncApps platform already running on TLS 1.2 and cipher AES CBC since last October 2017.

Incident Details:

March 16th, 2018 there was an ongoing issue with the SSL connection to NetSuite web services that causes all NetSuite integrations running on the Java 7 platform to experience a handshake failure.

Received Error from NetSuite API. Received fatal alert: handshake_failure

The same issue occurred on March 4th, 2018. NetSuite fixed the problem since this last occurrence yet it has reoccurred again today.

https://status.netsuite.com/

The root cause of the problem is that NetSuite did some changes to their server SSL configuration so all integrations to the NetSuite API which use Java 7 (like SyncApps) cannot connect to their servers. It violated their own FAQs which clearly states that TLS AES CBC crypto will still be supported.

SSL Report From SSLLabs

From the SSLLabs report (Fri, 16 Mar 2018 05:11:19 UTC), it shows that only AES GCM cryptos are enabled so all Java 7 integrations will not be able to connect to it.

https://www.ssllabs.com/ssltest/analyze.html?d=rest.netsuite.com

ssl5.png

NetSuite TLS 1.0 and 1.1 Deprecation FAQ 

It mentions that AES CBC (such as TLS1-DHE-RSA-AES-256-CBC-SHA) will still be supported which means Java 7 should still be able to connect to it.
 
 
ssl3.png
 
 
Additionally, the deprecation timing seems to be incorrect as the FAQ states that the deprecation is scheduled to be done on April 21st, 2018 and it is already being applied today.
 
 
 
NetSuite will now keep supporting the following ciphers like AES CBC (such as TLS1-DHE-RSA-AES-256-CBC-SHA) which means Java 7 will still be able to connect to it as in the SyncApps use case.
 

Important:

The target date for deprecation of TLS 1.0 and TLS 1.1 for connection to all NetSuite accounts is April 21, 2018.

What cipher suites are recommended for accessing NetSuite?

The following cipher suites are recommended:

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • AES128-GCM-SHA256

  • AES256-GCM-SHA384

The following cipher suites are maintained for reasons of interoperability:

  • ECDHE-RSA-AES128-SHA

  • ECDHE-RSA-AES256-SHA

  • DHE-RSA-AES-128-CBC-SHA

  • DHE-RSA-AES-256-CBC-SHA

  • AES-128-CBC-SHA

  • AES-256-CBC-SHA

 
 
 
Have more questions? Submit a request

Comments

  • Avatar
    Dan Goldman

    Does SyncApps support TLS 1.2?

  • Avatar
    Dave

    Thanks, Dan and yes, SyncApps supports TLS 1.2 since last 2017 when it was announced to be the standard for NetSuite integrations.