TLS 1.3 support

Yeah, pretty sure. FME (on windows) uses OpenSSL. In FME 2023.1 I can see the version of OpenSSL is 3.0.10. OpenSSL was introduced to OpenSSL back in version 1.1 or something.

You can turn on debug logging in FME and send an HTTP request to server an see which protocol gets used in the log message.

I just pinged an FME Cloud instance running FME Server 2022 from FME Desktop 2023.1. This was in my log file:
 

HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (IN), TLS handshake, Server hello (2):
HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (IN), TLS handshake, Certificate (11):
HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (IN), TLS handshake, CERT verify (15):
HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (IN), TLS handshake, Finished (20):
HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
HTTPCaller (HTTPFactory): [1]: HTTP info: TLSv1.3 (OUT), TLS handshake, Finished (20):
HTTPCaller (HTTPFactory): [1]: HTTP info: SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
HTTPCaller (HTTPFactory): [1]: HTTP info: ALPN: server accepted h2
HTTPCaller (HTTPFactory): [1]: HTTP info: Server certificate:
HTTPCaller (HTTPFactory): [1]: HTTP info:  subject: C=CA; ST=British Columbia; L=Surrey; O=Safe Software Inc; CN=*.fmecloud.com

So at least the HTTPCaller uses TLS 1.3

There are, however, a number of way which FME makes calls to the web. For example there are a number of Python based formats and tools (e.g., S3Connector). It could be that some of there for some reason do not support TLS 1.3, however, I would be very surprised.

 

Thanks Matt, that’s very helpful.

When I have debug logging on I don’t see anything about TLS. I get:

This is a successfull call.

However, we have been provided another server that is causing an issue, and they have just informed us that TLS 1.2 is not supported on this. This is the log when I call that:

I presume FME is reliant on Operating System settings for this kind of thing and I have to get our IT on to it.

Thanks

Keith

I’ve just done a bit more reading on TLS 1.3 and Windows, and as per this article:

https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

TLS 1.3 is not supported on any version of Windows 10.

Pretty sure this is my problem, and don’t like my chances of getting IT to sort this out until 11 is installed.

Oh good find. Strange that it not supported on Windows 10. Certainly a good reason to upgrade to Windows 11. Is the service you want to connect to required 1.3? I wonder if they know that this means no system running Windows 10 can use it.
 

It only seems to affect the API endpoint where we are trying to POST data to. Browsing to the home page is fine with a Windows 10 machine. Interestingly in the browser (Chrome & Edge), the API endpoint is deemed not secure before authenticating. Once authenticated it is deemed as secure.

I presume the problem we have with the FME HTTPCaller is that it has to connect securely before authenticating.

A colleague has sketched up a workaround using a PythonCaller to make the HTTP request, and this seems to be able to connect successfully, particularly if we provide the certificate as one of the parameters.

Interesting - have you played around with the Advanced Security settings in the HTTPCaller

There are a couple of options there. One about weather or not to verify the certificate and another to lower the minimum encryption strength. Perhaps the service is using a weak encryption method that you OS doesn’t like. 

Sometimes it is really helpful to check the Qualys SSL Report, e.g.:

https://www.ssllabs.com/ssltest/analyze.html?d=community.safe.com&hideResults=on&latest

This shows in all details which versions the server supports, which certificates are used and if everything is in order on the server side.

But of course this is only possible if the Webserver you want to check is reachable from the internet.

To check internally, use a linux or Windows with WLS or some software like MobaXTerm which provides a linux shell and run the command:

openssl s_client -connect community.safe.com:443

So you can rule out most server side problems and narrow problems to the client system/software...