dougmai
(Doug313)
1
I am looking to enable TLS 1.2 for Spiceworks version 7.4.00059. A SSL scan shows that TLS 1.0 is the only enabled protocol. SSL 3 is disabled, which is good, but I am looking to be able to use TLS 1.2 instead. The registry entries under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\ are set correctly for this. Does anyone know if TLS 1.2 is supported with this version, or what must be done to enable it?
7 Spice ups
I dont think it can be enabled. There is an option to enable TLS in the email settings page under additional settings, but i dont know if its 1.2. You may want to email support@spiceworks.com
1 Spice up
Hey Dou313 & Marosalas,
Nope, I have been tracking this for a while (since before Heartbleed) and we just updated to SW ver. 7.4.00060 tonight (27.05.2015) and the OpenSSL version used on the latest non-BETA has been updated but only to 0.9.8zc, which still only supports TLS 1.0.
There must be a OpenSSL issue with implementing a newer Branch (i.e. 1.0+) in Spiceworks, would be great if the SW team could elaborate on this?? Also don’t update OpenSSL to a newer branch as it bins SW (tried that before Heartbleed).
Here is a SW post around better PKI Security / new OpenSSL branches and the challenges;
Adding TLS 1.1 and 1.2 to httpd.conf (Oct 17, 2014)
Any further info would be awesome, i.e. when TLS 1.1 / 1.2 will be coming to SW.
Thanks, Alex.
2 Spice ups
Here is another post where SW Team Member Ben B. responded;
Spiceworks patch to fix OpenSSL vulnerability?
dougmai
(Doug313)
5
Thanks marcosalas and Alex for the replies. Hopefully this will be supported soon.
Any word on when this will be added? I have to remove Spiceworks from my outside access because I’m now failing my PCI compliance scans. Now I can’t use the mobile app when I’m away from my desk. 
1 Spice up
Bump for this…I would really like the peace of mind this provides. Does any one have any information as to release or time estimates on this?
2 Spice ups
Wondering about this as well. This may prevent us from exposing the ticket portal and mobile app outside our LAN.
1 Spice up
I’m surprised that this isn’t enabled yet as well. This isn’t going to fly for my PCI scanning, so I guess that’ll get disabled for now
2 Spice ups
dougmai
(Doug313)
10
PCI compliance is what prompted this question for me. We have had to restrict Spiceworks to the internal network only until TLS 1.2 is supported.
3 Spice ups
I have been lucky in this regard but I still don’t like the idea of having my system hanging out and collecting a C rating at best on Qualys’ SSL tools. Are there ANY ideas of a roadmap on implementing TLS 1.2?
Do any known workarounds or hacks exist to implement a newer version of OpenSSL?
I know a limited amount about SSL and OpenSSL but I had to install it onto my server to generate my CSR and wondered if there was a way that it could somehow manage the connections into Spiceworks? Or would this completely break the Spiceworks application because of the version of OpenSSL that the Spiceworks application is built around?
1 Spice up
Easiest way would be to use a Reverse Proxy that supported TLS 1.2 (if you had one handy), not sure why I didn’t think of that before. Point the SW box to the RP, restrict the SW box to private traffic only and RP the SW public traffic, easy. I will try it tomorrow when I get into work, Alex,
Also this post has been updated, looks like SW team have provided further info and a patch 
Where was the post updated? Patch? Can you give a link?
Unless I’m missing something or not comprehending I don’t see a patch or way to enable TLS 1.2 for Spiceworks? I just see some people talking about other issues and asking the same questions relating to TLS 1.2?
Sorry, my bad (2x); 1.) wrong link, it was this one http://community.spiceworks.com/topic/530277-spiceworks-patch-to-fix-openssl-vulnerability?page=2 2.) and its an old post (didn’t see the 2014 date) from Ben.B. dERP!
