06-23-2012 09:59 AM
06-23-2012 10:07 AM
Repost as the browser messed up formatting:
The BlackBerry ID service (and website) are still using the old, insecure variant of the TLS negotiation algorithm. For details, see http://www.oracle.com/technetwork/java/javase/docu
The result is that unless "permit insecure renegotiation" is set in the BB OS 7.1 "Security Settings" -> "Advanced Security Settings" -> "TLS" menu, *BB App World* and other services requiring BlackBerry ID *do not work*.
The message that you get when trying to log in with BlackBerry ID when secure renegotiation is enabled is:
"Unable to connect with BlackBerry ID. Please sign in now or try again later. Data services are required for BlackBerry ID and can be turned on in the mobile network settings."
This is the same as the message in KB29118.
To reproduce in Firefox:
1. Set preference "security.require_safe_negotiation" to true in about:config
2. Go to the BlackBerry ID website to reset password (for example): https://blackberryid.blackberry.com/bbid/recoverpa
3. Receive an error message about insecure renegotiation still in use
To reproduce on a BlackBerry:
1. Disable insecure renegotiation in the settings
2. Open up BlackBerry ID app and try to log in (getting the message above)
3. (If you are already logged in you will get a message that you can't connect with BlackBerry ID)
What is the plan for re-enabling secure TLS negotiation? I realise there may be some device compatibility issues with devices prior to OS 7 (which would probably not support the TLS 1.1 protocol revision from RFC 5746).
Please also add a description of the problem to KB29118 as it is completely unclear as to what the real problem is.