1. Home
  2. Email Client Settings
  3. How to enable connecting to DataMotion over TLS 1.2

How to enable connecting to DataMotion over TLS 1.2

To help DataMotion customers migrate to TLS 1.2 after DataMotion stops supporting TLS 1.0 and 1.1, this article describes how DataMotion customers can enable and test TLS 1.2 connections from their endpoints to DataMotion SecureMail and Direct.

Browser-based clients accessing DataMotion SecureMail and Direct Web portals

To check that your browser supports TLS 1.2, visit https://www.ssllabs.com/ and click on Test your browser. If the result shows that your browser does not support TLS 1.2, please upgrade your browser. Please refer to https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers for more specific information on browser versions that support TLS 1.2.

DataMotion SecureMail Outlook Add-in

If you are using the Personal or Corporate version of the Outlook Add-in, please upgrade it to v5.0, available at SecureMail Download Console.

If you use an unsupported version of Outlook (2007 or below), please upgrade Outlook and DataMotion Add-In to the latest supported versions in order to continue using the Add-in.

Tagging-only version of the Outlook Add-in is not affected by this change.

DataMotion REST, SOAP (CMv4) or CMLFT APIs

In order to make sure your API client can connect over TLS 1.2, please do the following:

  1. Ensure that your code can handle TLS 1.2 connections. For example, the C# code snippet below will enable the use of TLS 1.2 on your requests:
    ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;
  2. Make sure that your API client uses .NET library v.4.5 or later.
  3. Enable the SCH_USE_STRONG_CRYPTO flag in the Registry, as described below.

A value of 1 causes your app to use strong cryptography. If your app targets .NET Framework 4.6 or later versions, this key defaults to a value of 1. If your app runs on .NET Framework 4.6, but targets an earlier version, you should explicitly set its value to 1:

For 32 bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

For 64 bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

This can be also accomplished by running a PowerShell script, as follows:

Set-ItemProperty -Path ‘HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319’ -Name ‘SchUseStrongCrypto’ -Value ‘1’ -Type DWord

You can learn more specifics at https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls#the-sch_use_strong_crypto-flag

DataMotion SecureMail Gateway

If you have a DataMotion SecureMail Gateway installed on your premises, that connects to DataMotion SecureMail platform https://ssl.datamotion.com , please enable the SCH_USE_STRONG_CRYPTO flag in the Registry to ensure that your SecureMail Gateway can connect over SMTP using TLS 1.2:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319]
“SystemDefaultTlsVersions”=dword:00000001
“SchUseStrongCrypto”=dword:00000001

Please restart the system in order for the update to take effect.

SMTP/POP3 clients and other endpoints

If your SMTP or POP3 client (or other endpoint) does not connect over TLS 1.2, please update the Registry as described above in the DataMotion SecureMail Gateway section and restart the system.

Testing your endpoints

After making the changes described above, you can test your endpoints by connecting to a test URL, separately provided by DataMotion to all customers who may be affected by this update. Please contact support@datamotion.com if you don’t have this info.

List of supported ciphers after migration is complete

Upon the completion of migration to TLS 1.2, DataMotion will only support the following ciphers:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
Updated on April 2, 2019

Was this article helpful?

Related Articles