Welcome to the official BlackBerry Support Community Forums.

New Member
Posts: 2
Registered: ‎06-23-2012
My Device: Bold 9900
My Carrier: O2

Blackberry ID service uses insecure TLS negotiation

The Blackberry ID service (and website) are still using the old, insecure variant of the TLS negotiation algorithm. For details, see http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html (and many other sources). The result is that unless "permit insecure renegotiation" is set in the BB OS 7.1 "Security Settings" -> "Advanced Security Settings" -> "TLS" menu then *BB App World* and other services requiring Blackberry ID *do not work*. The message that you get when trying to login with BlackBerry ID when secure renegotiation is enabled is: "Unable to connect with BlackBerry ID. Please sign in now or try again later. Data services are required for BlackBerry ID and can be turned on in the mobile network settings." This is the same as the message in http://www.blackberry.com/btsc/KB29118 To reproduce in Firefox: 1. Set preference "security.require_safe_negotiation" to true in about:config 2. Go to the blackberry ID website to reset password (for example): https://blackberryid.blackberry.com/bbid/recoverpassword 3. Receive an error message about insecure renegotiation still in use To reproduce on a blackberry: 1. Disable insecure renegotiation in the settings 2. Open up BlackBerry ID app and try to login (getting the message above) 3. (If you are already logged in you will get a message that you can't connect with blackberry id) What is the plan for re-enabling secure TLS negotiation? I realise there may be some device compatibility issues with devices prior to OS 7 (which would probably not support the TLS 1.1 protocol revision from rfc5746). Please also add a description of the problem to KB29118 as it is completely unclear as to what the real problem is. Thanks, Vlad
New Member
Posts: 2
Registered: ‎06-23-2012
My Device: Bold 9900
My Carrier: O2

Re: Blackberry ID service uses insecure TLS negotiation

Repost as the browser messed up formatting:

The Blackberry ID service (and website) are still using the old, insecure variant of the TLS negotiation algorithm. For details, see http://www.oracle.com/technetwork/java/javase/documentation/tlsreadme2-176330.html (and many other sources).

The result is that unless "permit insecure renegotiation" is set in the BB OS 7.1 "Security Settings" -> "Advanced Security Settings" -> "TLS" menu then *BB App World* and other services requiring Blackberry ID *do not work*.

The message that you get when trying to login with BlackBerry ID when secure renegotiation is enabled is:

"Unable to connect with BlackBerry ID.  Please sign in now or try again later.  Data services are required for BlackBerry ID and can be turned on in the mobile network settings."

This is the same as the message in KB29118

To reproduce in Firefox:
1. Set preference "security.require_safe_negotiation" to true in about:config
2. Go to the blackberry ID website to reset password (for example): https://blackberryid.blackberry.com/bbid/recoverpassword
3. Receive an error message about insecure renegotiation still in use

To reproduce on a blackberry:
1. Disable insecure renegotiation in the settings
2. Open up BlackBerry ID app and try to login (getting the message above)
3. (If you are already logged in you will get a message that you can't connect with blackberry id)

What is the plan for re-enabling secure TLS negotiation? I realise there may be some device compatibility issues with devices prior to OS 7 (which would probably not support the TLS 1.1 protocol revision from rfc5746).

Please also add a description of the problem to KB29118 as it is completely unclear as to what the real problem is.

Thanks,
Vlad