Network security update on www.commcarehq.org & india.commcarehq.org

On Nov. 3, 2021, Dimagi will begin applying a security upgrade at the network level that restricts the TLS ciphers accepted by our production environments, starting with www.commcarehq.org. In non-technical terms, this change will ensure that our servers refuse to communicate with software that uses out-of-date security protocols. Specifically, we will be switching from cipher set ELBSecurityPolicy-FS-1-2-Res-2019-08 to cipher set ELBSecurityPolicy-FS-1-2-Res-2020-10, as documented here: TLS listeners for your Network Load Balancer - Elastic Load Balancing.

We do not anticipate any widespread impact to our customers from this change. However, clients connecting to the site (including APIs or backend web servers) using outdated software may experience a connection error when support for legacy ciphers is dropped. Some clients will use the phrase “handshake failure” for this type of error. Since this type of issue can be difficult to describe or to identify as the source of problems, we’ve created a mechanism to test your existing connections for compatibility. You can use this mechanism to test your web clients ahead of time to make sure your organization won’t be affected by this transition.

Please note that this change will only apply to Dimagi’s SaaS production infrastructure. Anyone hosting their own private instances of CommCareHQ won’t experience any changes to TLS infrastructure as a result of this change.

Testing your connection

To test your connection, point your browser or software client to https://connection-test.commcarehq.org/. If you see the simple response “✓ Connection Working”, then that client will have no issues connecting to the site after this change.

Testing your Excel Dashboard Feed connection

We have also created a special endpoint that you can use to test your connection from Microsoft Excel for Excel Dashboard Feeds. Instead of your dashboard link from CommCare, use https://connection-test.commcarehq.org/excel/. If you see a table like the following appear:

Connection Working

then your Excel will have no issues connecting to the site after this change.

Remediation

Up-to-date software regularly patched for security shouldn’t have issues communicating with the site after this change, so if you experience a “handshake failure” error, the most general remedy is to upgrade to the latest version of all software involved.
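
To see why an older client hits a “handshake failure” after the switch, the following added example (not Dimagi's code) compares the cipher suites a client offers with the suites each of the two policies accepts. The cipher lists are transcribed from the AWS documentation referenced above and should be re-checked against it; the sample client lists and the function names are constructed for illustration.

```python
import ssl

# Suites (OpenSSL names) accepted by each policy; both policies are TLS 1.2 only.
# Assumption: transcribed from the AWS ELB security-policy tables, verify there.
POLICY_2020_10 = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
})
POLICY_2019_08 = POLICY_2020_10 | frozenset({
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
})

def shared_ciphers(client_ciphers, policy):
    """Suites both sides support; an empty list means the handshake fails."""
    return sorted(set(client_ciphers) & policy)

def assess(client_ciphers):
    """Classify a client's offered suites against the old and the new policy."""
    if shared_ciphers(client_ciphers, POLICY_2020_10):
        return "ok"                # still connects after the change
    if shared_ciphers(client_ciphers, POLICY_2019_08):
        return "breaks"            # connects today, handshake failure afterwards
    return "already-failing"       # no overlap with either policy

def local_python_ciphers():
    """Suites this Python/OpenSSL build offers with its default settings."""
    ctx = ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed sample clients (not captured from real software).
LEGACY_CLIENT = ["ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384", "AES128-SHA"]
MODERN_CLIENT = ["TLS_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                 "ECDHE-RSA-AES128-SHA256"]

if __name__ == "__main__":
    for name, offered in [("legacy sample", LEGACY_CLIENT),
                          ("modern sample", MODERN_CLIENT),
                          ("this Python", local_python_ciphers())]:
        print(f"{name}: {assess(offered)} "
              f"{shared_ciphers(offered, POLICY_2020_10)}")
```

A client that reports "breaks" supports only the non-GCM ECDHE suites that the newer policy no longer accepts; the connection-test URL above remains the authoritative check for a real client.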