RESOLVED
I installed Wireshark 4.0.7 and captured network packets using a filter defined as "tcp port 587". My results clearly indicate the protocol in use is TLSv1.2. See network analyzer summary output excerpt below (my client's IP address has been anonymized):
Number Time Source Destination Protocol Length Info
10 0.104235 999.999.999.999 ec2-3-128-55-40.us-east-2.compute.amazonaws.com TLSv1.2 290 Client Hello
11 0.131049 ec2-3-128-55-40.us-east-2.compute.amazonaws.com 999.999.999.999 TLSv1.2 144 Server Hello
...
37 0.432092 999.999.999.999 ec2-3-128-55-40.us-east-2.compute.amazonaws.com TLSv1.2 2317 Application Data
RESOLUTION DETAILS
- A few years ago, we disabled HTTP/2 at the server O/S level adding two new keys to the registry. Those keys have been removed.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters]
"EnableHttp2Tls"=dword:00000000
"EnaleHttp2Cleartext"=dword:00000000
- Per Microsoft, I configured .NET Framework to support TLS 1.2 (How to enable TLS 1.2)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
"SystemDefaultTlsVersions"=dword:00000001
- My client's .NET applications are all targeting .NET Framework 4.8.
- My client's .NET applications are still using the .NET SmtpClient object for sending email messages to AWS SES. Absolutely none of my client's code was modified with regard to the SMTP implementation. I may opt to replace .NET's SmtpClient with a suitable substitute (e.g. MailKit) in the future, but I have bigger fish to fry at present.
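As an added check that is not part of the original post: the script below audits, read-only, the registry values the RESOLVED post describes. It reads the two .NET Framework values from both the 64-bit hive and the Wow6432Node hive (32-bit processes read the latter), and confirms the two HTTP.sys values are absent. The Wow6432Node path and the spelling EnableHttp2Cleartext are Microsoft's documented names; the desired states are taken from the post.

```powershell
# Added example (not the post author's code): audit the registry state described
# in the RESOLVED post. Run in an elevated Windows PowerShell prompt; it only reads.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Want = 1 },
    # 32-bit .NET processes read the Wow6432Node hive, so check it as well.
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Want = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Want = 1 },
    # The post removed these two HTTP.sys values; $null means "value absent".
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';       Name = 'EnableHttp2Tls';           Want = $null },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters';       Name = 'EnableHttp2Cleartext';     Want = $null }
)

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-RegDword -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Path   = $c.Path
        Name   = $c.Name
        Actual = if ($null -eq $actual) { '<absent>' } else { $actual }
        Wanted = if ($null -eq $c.Want) { '<absent>' } else { $c.Want }
        OK     = ($actual -eq $c.Want)
    }
}

$results | Format-Table -AutoSize
if ($results.OK -contains $false) {
    Write-Warning 'One or more values differ from the state described in the RESOLVED post.'
}
```

A value that shows as `<absent>` in a .NET Framework row means that process bitness still falls back to the framework's built-in defaults rather than the OS TLS settings, which is the situation the post was fixing.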
I did a packet capture to check the TLS version. I can see I'm still sending version 1.1 despite my attempts to address the issue, so I've got work to do.
The following is the answer in Japanese; in short, the answer is that it cannot be confirmed by any AWS-side function.
The following is the text translated into English.
AWS does not currently provide the ability to check the TLS version used when sending email using SES.
There is a field named "tlsDetails" in the CloudTrail event record.
However, SES email sending requests such as SendEmail, SendRawEmail, and email sending requests via the SMTP interface are not recorded in CloudTrail.
https://docs.aws.amazon.com/ses/latest/dg/logging-using-cloudtrail.html
So, as described in the following document, "How can I detect if I am using TLS 1.0 or TLS 1.1?", I think the only way to identify the problem is through code and network analysis.
https://aws.amazon.com/jp/blogs/security/tls-1-2-required-for-aws-fips-endpoints/
Also, although it is not a way to check the version, perhaps the following document may be helpful.
https://docs.aws.amazon.com/sdk-for-net/v3/developer-guide/enforcing-tls.html
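Since the answer above says the only way to know is code or network analysis, here is a code-side check as an added example (it is not AWS's code nor the post author's): a minimal SMTP STARTTLS probe against an SES endpoint that reports the TLS version the .NET stack in the current process negotiates. The endpoint hostname and the EHLO name are placeholders. Run it under Windows PowerShell 5.1 (powershell.exe), which is hosted on .NET Framework and therefore picks up the same registry settings the RESOLVED post configures; PowerShell 7 runs on .NET Core and would not reflect them.

```powershell
# Added example: report the TLS version negotiated with an SES SMTP endpoint.
$SmtpHost = 'email-smtp.us-east-2.amazonaws.com'   # assumption: use your SES region's endpoint
$Port     = 587

function Read-SmtpReply([System.IO.StreamReader]$Reader) {
    # SMTP multi-line replies use "250-" continuation lines and end with "250 ".
    do { $line = $Reader.ReadLine(); $line } while ($line -and $line.Length -ge 4 -and $line[3] -eq '-')
}

$client = [System.Net.Sockets.TcpClient]::new($SmtpHost, $Port)
try {
    $net    = $client.GetStream()
    $reader = [System.IO.StreamReader]::new($net, [System.Text.Encoding]::ASCII)
    $writer = [System.IO.StreamWriter]::new($net, [System.Text.Encoding]::ASCII)
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true

    Read-SmtpReply $reader | Out-Null                 # 220 greeting
    $writer.WriteLine('EHLO tls-probe.example')       # placeholder client name
    Read-SmtpReply $reader | Out-Null                 # 250 capabilities, should include STARTTLS
    $writer.WriteLine('STARTTLS')
    $ready = Read-SmtpReply $reader
    if ($ready -notmatch '^220') { throw "STARTTLS refused: $ready" }

    # No explicit SslProtocols argument: like SmtpClient, leave the protocol choice to
    # the .NET/OS defaults, so the result reflects the registry configuration in use.
    $ssl = [System.Net.Security.SslStream]::new($net, $false)
    $ssl.AuthenticateAsClient($SmtpHost)
    [pscustomobject]@{
        Host        = $SmtpHost
        TlsVersion  = $ssl.SslProtocol
        Cipher      = $ssl.CipherAlgorithm
        KeyExchange = $ssl.KeyExchangeAlgorithm
    }
    # Send QUIT inside the TLS session so the server closes cleanly.
    $quit = [System.Text.Encoding]::ASCII.GetBytes("QUIT`r`n")
    $ssl.Write($quit, 0, $quit.Length)
} finally { $client.Close() }
```

If TlsVersion prints Tls11 or Tls, the application-level fix has not taken effect for this process bitness, which matches what a Wireshark capture on port 587 would show in the Client Hello; if it prints Tls12, the .NET side is negotiating the version SES expects.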
Thank you for the verification and detailed response. Thank you very much!
JoSo: I very much appreciate your response. I downloaded Wireshark 4.0.7 but have not yet installed it. I will be sure to post my results once I have done so. If you achieve success, please let me know the details. I will most definitely do the same. Cheers!
JoSo: See my RESOLVED post above. I hope it helps you and anyone else for that matter.