ArcGIS Online TLS Changes: Alternative Testing Methods

2107
3
02-04-2019 10:37 AM
Esri Regular Contributor
9 3 2,107

As has been announced, Esri will soon remove support for TLS 1.0 and TLS 1.1 on ArcGIS Online. Esri has provided test endpoints that users can work with to check that their applications will continue to function as expected.

However, in some cases users have questions about legacy or custom apps or may want to understand how their apps behave when abstracted away from the tools that Esri has provided.

Fortunately, you can test your apps prior to the current cutoff date April 16, 2019 without the test endpoints Esri has provided. To do this, we’ll use the Fiddler web debugging tool.

Fiddler is a powerful web debugging tool that allows users to view and manipulate web sessions, and also gives us a LOT of insight into what’s happening under the hood.

Let’s compare a patched instance of ArcGIS Desktop against an unpatched instance so that we can see the difference first hand.

First, we’ll want to download and install the Fiddler tool.

Once installed, we’ll want to take the default options.

If you’re already familiar with Fiddler, open the Options dialog, click the HTTPS tab, and uncheck the ‘Decrypt HTTPS Traffic’ option.

default fiddler settings

Next, configure your app. If you’re working with ArcGIS Desktop or an application that uses .Net to manage outbound internet (WinINET), fiddler should configure Internet Explorer’s proxy options for you. If you’re testing a JAVA app, your app will need to support the ability to use an outbound proxy and be configured to do so. By default, Fiddler listens on the localhost interface on port 8888.

In this case, since I’m comparing ArcGIS Desktop, I know that I don’t need to configure an outbound proxy for this test to work.

For this test, I’ll compare the ArcGIS Online search capability in ArcCatalog.

  • Open ArcCatalog
  • From the File menu, click ‘sign in’ 
  • From the Windows menu, click the ‘Search’ option:

search

  • In the Search pane, select ‘ArcGIS Online’

online

  • Open Fiddler
  • Enter a term in the Catalog search box. Anything will do.

anything

  • Click the magnifying glass to search.
  • Check Fiddler. Select a session in fiddler:

  • On the right side, under the ‘Inspectors’ tab, click the ‘Textview’ subtab. Check for the TLS version:

  • Note that I can see that I’m using TLS 1.2 in my outbound communication – which makes sense, my instance of ArcGIS Desktop is patched!!
  • But what if it’s unpatched, or I don’t know, or I’m curious, or I’ve modified this workflow slightly to test some app OTHER than ArcGIS Desktop? What will that look like? In that case, Fiddler won’t tell us that the app is using TLS 1.2. Instead, it’ll state something else in this case, TLS 1.0.

Hopefully this helps provide some ideas as to how you can test and troubleshoot your own applications, as well as potentially validate some of ours. 

Best,

Randall

3 Comments
Occasional Contributor II

This is incredibly helpful!

I'm not up to speed when it comes to TLS or network side- security operations, so this became a great way to validate some of my other testing. Between this article and the TLS basemap test services found from this link ESRI has created for us. How To: Test ArcGIS TLS 1.2 connections to ArcGIS Online  I have been able to validate that my custom application is compliant when working with ESRI basemaps. 

Esteemed Contributor

This is great testing information!!!  Thanks Randall.

Esri Regular Contributor

Hi All,

Just pushed out another (similar) blog regarding how to perform this same validation against mobile apps. 

Enjoy!

https://community.esri.com/community/esri-software-security-privacy/blog/2019/03/12/arcgis-online-tl...