OpenSSL and TLS/SSL protocols used by Alpha Anywhere
OpenSSL and TLS/SSL protocols supported by current and past versions of the Alpha Anywhere web server products.
Use OpenSSL 1.1.1
OpenSSL will support 1.1.1 until September 11, 2023. Alpha Software provides updates to Alpha Anywhere subscribers whenever OpenSSL makes a new release. Currently, Alpha Software is shipping OpenSSL 1.1.1d (accurate as of 1/9/2020).
The exact protocols and ciphers used can be precisely configured using an OpenSSL cipher list. The following cipher list is the default cipher list used (updated 8/2/2016) and results in an A+ rating using the Qualys SSL Server test at https://www.ssllabs.com/ssltest/ (tested 8/2/2016)
The default SSL cipher list can be retrieved using the Xbasic function httpd_DefaultCipherList().
? httpd_defaultCipherList() = "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
The Alpha Anywhere Application Server for IIS does not use OpenSSL for serving TLS/SSL-secured applications, and instead leverages the TLS/SSL support built-in to the Windows operating system. Protocol and cipher support varies based on the operating system version, but does not include TLS 1.1 and 1.2 before Windows 2008 R2. (https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/)
Window's TLS/SSL settings are all configured through registry entries and Group Policy. IIS Crypto from Nartac Software (https://www.nartac.com/Products/IISCrypto) is a very useful third-party product for configuring Windows settings that control protocols and ciphers with a graphical interface.
OpenSSL is still used for client functionality within the Alpha Five Application Server for IIS, such as secure database drivers and outbound HTTP access using the http_* Xbasic functions.
Use OpenSSL 1.0.1
OpenSSL will end support for 1.0.1 on December 31, 2016. No further releases of 1.0.1 will be made after that date. Security fixes only will be applied to 1.0.1 until then. Additionally, Alpha Software is no longer making OpenSSL updates available for Alpha Five v11 and the Alpha Five Application Server v11 as these are no longer supported by Alpha Software. Alpha Software Customers are strongly encouraged to upgrade to Alpha Anywhere before December 31, 2016.
Use OpenSSL 0.9.8
OpenSSL ended support for the 0.9.8 release on December 31, 2015. This means that no security issues have been addressed since that time, and will not be addressed by OpenSSL. As such, no SSL sites using these older releases can be considered secure. Customers are strongly encouraged to upgrade to Alpha Anywhere at the earliest time possible.