- Article
A cipher suite is a set of cryptographic algorithms. This is used to encrypt messages between clients/servers and other servers. Dataverse is using the latest TLS 1.2 cipher suites as approved by Microsoft Crypto Board.
Before a secure connection is established, the protocol and cipher are negotiated between server and client based on availability on both sides.
You can use your on-premises/local servers to integrate with the following Dataverse services:
- Syncing emails from your Exchange server.
- Running Outbound plug-ins.
- Running native/local clients to access your environments.
To comply with our security policy for a secure connection, your server must have the following:
Transport Layer Security (TLS) 1.2 compliance
At least one of the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384See AlsoHow to Fix ERR_SSL_VERSION_OR_CIPHER_MISMATCH {Easy Way}18.9. Network SecurityThe remote service supports the use of the RC4 cipher.What is RC4 Encryption? (Working, Usage, Advantages & Disadvantages)Important
Older TLS 1.0 & 1.1 and cipher suites, (for example TLS_RSA) have been deprecated; see the announcement.Your servers must have the above security protocol to continue running the Dataverse services.
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 may show up as weak when you performed a SSL report test. This is due to known attacks toward OpenSSL implementation. Dataverse uses Windows implementation that is not based on OpenSSL and therefore is not vulnerable.
You may either upgrade the Windows version or update the Windows TLS registry to make sure that your server endpoint supports one of these ciphers.
To verify that your server complies with the security protocol, you can perform a test using a TLS cipher and scanner tool:
The following Root CA Certificates installed. Install only those that correspond to your cloud environment.
For Public/PROD
Certificate Authority Expiry date Serial Number/Thumbprint Download DigiCert Global Root G2 Jan 15 2038 0x033af1e6a711a9a0bb2864b11d09fae5
DF3C24F9BFD666761B268073FE06D1CC8D4F82A4PEM DigiCert Global Root G3 Jan 15, 2038 0x055556bcf25ea43535c3a40fd5ab4572
7E04DE896A3E666D00E687D33FFAD93BE83D349EPEM Microsoft ECC Root Certificate Authority 2017 Jul 18, 2042 0x66f23daf87de8bb14aea0c573101c2ec
999A64C37FF47D9FAB95F14769891460EEC4C3C5PEM Microsoft RSA Root Certificate Authority 2017 Jul 18, 2042 0x1ed397095fd8b4b347701eaabe7f45b3
3A5E64A3BFF8316FF0EDCCC618A906E4EAE4D74PEM For Fairfax/Arlington/US Gov Cloud
Certificate Authority Expiry date Serial Number/Thumbprint Download DigiCert Global Root CA Nov 10, 2031 0x083be056904246b1a1756ac95991c74a
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436PEM DigiCert SHA2 Secure Server CA Sep 22, 2030 0x02742eaa17ca8e21c717bb1ffcfd0ca0
626D44E704D1CEABE3BF0D53397464AC8080142CPEM DigiCert TLS Hybrid ECC SHA384 2020 CA1 Sep 22, 2030 0x0a275fe704d6eecb23d5cd5b4b1a4e04
51E39A8BDB08878C52D6186588A0FA266A69CF28PEM For Mooncake/Gallatin/China Gov Cloud
Certificate Authority Expiry date Serial Number/Thumbprint Download DigiCert Global Root CA Nov 10, 2031 0x083be056904246b1a1756ac95991c74a
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436PEM DigiCert Basic RSA CN CA G2 Mar 4, 2030 0x02f7e1f982bad009aff47dc95741b2f6
4D1FA5D1FB1AC3917C08E43F65015E6AEA571179PEM Why is this need?
See TLS 1.2 Standards Documentation - Section 7.4.2 - certificate-list.
Why do Dataverse SSL/TLS certificates use wildcard domains?
Wildcard SSL/TLS certificates are by design since hundreds of organization URLs must be accessible from each host server. SSL/TLS certificates with hundreds of Subject Alternate Names (SANs) have a negative impact on some web clients and browsers. This is an infrastructure constraint based on the nature of a software as a service (SAAS) offering, which hosts multiple customer organizations on a set of shared infrastructure.
See also
Connect to Exchange Server (on-premises)
Dynamics 365 Server-side sync
Exchange server TLS guidance
Cipher Suites in TLS/SSL (Schannel SSP)
Manage Transport Layer Security (TLS)
How to enable TLS 1.2
As a cybersecurity expert with extensive knowledge in cryptographic algorithms and secure communication protocols, I can confidently provide insights into the concepts discussed in the provided article.
Cipher Suites: A cipher suite is a combination of cryptographic algorithms used to secure communication between clients and servers. In the context of the article, Dataverse employs the latest TLS 1.2 cipher suites approved by the Microsoft Crypto Board. These cipher suites play a crucial role in encrypting messages exchanged between servers and clients.
TLS (Transport Layer Security) 1.2: TLS is a protocol that ensures privacy between communicating applications and users on the internet. The article emphasizes the importance of TLS 1.2 compliance for a secure connection. TLS 1.2 is the latest version at the time of the article and is considered more secure than older versions.
Cipher Negotiation: Before establishing a secure connection, the server and client negotiate the protocol and cipher based on availability on both sides. This negotiation process ensures that both parties agree on a set of cryptographic algorithms for secure communication.
Security Policy Requirements: To comply with the security policy for a secure connection with Dataverse services, servers must have TLS 1.2 compliance and support at least one of the specified cipher suites. Older TLS 1.0 and 1.1, as well as deprecated cipher suites like TLS_RSA, are no longer supported.
Cipher Suite Selection: The article lists specific cipher suites that servers must support, including examples like TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. This selection is critical for maintaining a secure connection.
Vulnerability Considerations: The article addresses concerns about the perceived weakness of certain cipher suites, such as TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384. It clarifies that any weakness observed in SSL reports is due to known attacks towards OpenSSL implementation, and Dataverse uses a Windows implementation that is not vulnerable.
Security Testing: To verify server compliance with the security protocol, the article suggests performing tests using TLS cipher and scanner tools like SSLLABS or NMAP. These tools help assess the security posture of the server and ensure it meets the specified requirements.
Root CA Certificates: The article provides a list of Root CA (Certificate Authority) Certificates that need to be installed based on the cloud environment. This ensures the authenticity of the certificates used in the secure communication process.
Wildcard SSL/TLS Certificates: The article explains the use of wildcard SSL/TLS certificates in Dataverse. These certificates are designed to accommodate multiple organization URLs on a host server without negatively impacting web clients and browsers.
Documentation Reference: The need for the specified security measures is justified by referencing TLS 1.2 Standards Documentation, particularly Section 7.4.2, which likely provides detailed information on certificate lists and their significance.
In conclusion, the article provides a comprehensive overview of the cryptographic and security measures implemented by Dataverse to ensure secure communication, detailing the required protocols, cipher suites, and additional considerations for maintaining a robust security posture.
