randall_williams-esristaff

ArcGIS Online TLS Changes: Alternative Testing Methods

Blog Post created by randall_williams-esristaff Employee on Feb 4, 2019

As has been announced, Esri will soon remove support for TLS 1.0 and TLS 1.1 on ArcGIS Online. Esri has provided test endpoints that users can work with to check that their applications will continue to function as expected.

 

However, in some cases users have questions about legacy or custom apps or may want to understand how their apps behave when abstracted away from the tools that Esri has provided.

 

Fortunately, you can test your apps prior to the current cutoff date April 16, 2019 without the test endpoints Esri has provided. To do this, we’ll use the Fiddler web debugging tool.

 

Fiddler is a powerful web debugging tool that allows users to view and manipulate web sessions, and also gives us a LOT of insight into what’s happening under the hood.

 

Let’s compare a patched instance of ArcGIS Desktop against an unpatched instance so that we can see the difference first hand.

 

First, we’ll want to download and install the Fiddler tool.

 

Once installed, we’ll want to take the default options.

If you’re already familiar with Fiddler, open the Options dialog, click the HTTPS tab, and uncheck the ‘Decrypt HTTPS Traffic’ option.

default fiddler settings

 

Next, configure your app. If you’re working with ArcGIS Desktop or an application that uses .Net to manage outbound internet (WinINET), fiddler should configure Internet Explorer’s proxy options for you. If you’re testing a JAVA app, your app will need to support the ability to use an outbound proxy and be configured to do so. By default, Fiddler listens on the localhost interface on port 8888.

 

In this case, since I’m comparing ArcGIS Desktop, I know that I don’t need to configure an outbound proxy for this test to work.

 

For this test, I’ll compare the ArcGIS Online search capability in ArcCatalog.

 

  • Open ArcCatalog
  • From the File menu, click ‘sign in’ 
  • From the Windows menu, click the ‘Search’ option:

 

search

  • In the Search pane, select ‘ArcGIS Online’

 

online

  • Open Fiddler
  • Enter a term in the Catalog search box. Anything will do.

 

anything

  • Click the magnifying glass to search.
  • Check Fiddler. Select a session in fiddler:

 

 

  • On the right side, under the ‘Inspectors’ tab, click the ‘Textview’ subtab. Check for the TLS version:

 

 

  • Note that I can see that I’m using TLS 1.2 in my outbound communication – which makes sense, my instance of ArcGIS Desktop is patched!!
  • But what if it’s unpatched, or I don’t know, or I’m curious, or I’ve modified this workflow slightly to test some app OTHER than ArcGIS Desktop? What will that look like? In that case, Fiddler won’t tell us that the app is using TLS 1.2. Instead, it’ll state something else in this case, TLS 1.0.

 

 

Hopefully this helps provide some ideas as to how you can test and troubleshoot your own applications, as well as potentially validate some of ours. 

 

Best,

 

Randall

Outcomes