TFS 2013 SSL Settings on build and release server - tfs

Currently we are running TFS2013 version. As per our organization support standards we are no longer recommended to enable SSL 2.0 & SSL 3.0 and as an alternative to SSL, need to implement the strongest proven version of TLS when encrypting a data transmission via ftp, the web, email or other technologies.
If we disable SSL and implement TLS, will it affect the TFS builds or releases in any way?

Related

TLS / SSL implementation for Desktop applications developed using Delphi

I have a desktop client/server application. Both client and server are developed using Delphi 10.2. Application server has been deployed as a Windows service.
My requirement is to implement TLS/SSL to secure the communication between client and server. For this I have used Indy with TIdServerIOHandlerSSLOpenSSL on the server side and TIdSSLIOHandlerSocketOpenSSL on the client side.
For testing purposes, I have used self-signed certificates.
During testing of this setup, I had to set up OpenSSL on each client workstation. Also, I copied libeay32.dll and ssleay32.dll to the system32 folder.
So part of the problem is:
Could this configuration of client workstations be avoided? My understanding with TLS/SSL is that it is server which needs to be configured to enable TLS/SSL.
Since my testing is based on self-signed certificates, I did not install any certificate on the client machine. What is the role of certificates for the client machine?

OPSHub installation issue

We are using OPSHub free version for migrating On-Premises TFS 2013 to cloud (VSO 2015).
During Opshub installation we got an error message "Unable to connect to remote server, check the internet connectivity or Proxy settings and try again".
We found the following link http://www.opshub.com/main/ovsomu-proxy regarding this issue and we contacted our network team to get the proxy server details (to put them in the environment variable _JAVA_OPTIONS), but they would like to know how Opshub connects to internet and all the inbound and outbound connections from Opshub, which port it uses and if the data is encrypted during installation and migration etc. Can Opshub support help us out in providing this information?
OpsHub uses the standard VSTS HTTPS ports, which are encrypted with SSL. There are no inbound comms.
I would however not recommend the OpsHub tool as you will quickly run into an upsell from them. If it works for you then awesome, but if they ask you for money then switch to the TFS Integration Tools that are free and supported by the TFS product team.
Yes, OVSMU needs to connect to the OpsHub website during installation for the Verification Code generation process. (Thereafter, it does not connect to our website.)
Once the utility has been installed, it occupies two ports, 8989 and 9090, as long as the tool is running. For communication with end points, it uses the default TFS and VSTS ports.

How to get PAT from on-premise TFS2015

We want to migrate our custom steps from XAML build to the new build tasks in TFS2015 on-premise. I installed NodeJS and tfx-cli, but when tfx-cli wants to connect to TFS I need to provide a PAT (personal access token) and I cannot find where I can get it. All samples are for VSO but not for on-premise TFS2015. Is it possible to get a PAT from on-premise TFS2015?
TFS 2015 doesn't support Personal Access Tokens; this feature was introduced with TFS 2017. In the meantime you'll either need to configure basic auth and use that (only enable basic auth if your TFS server is running over SSL), or use the trick below to trick the command line tools to authenticate by letting an NTLM proxy (like Fiddler) handle the auth for you.
If you do not want to configure Basic Authentication on your TFS server (which many people don't want due to security concerns), then you can use a neat trick to let Fiddler handle your authentication:
Then enter:
C:\>set http_proxy=http://localhost:8888
C:\>tfx login --auth-type basic --service-url http://jessehouwing:8080/tfs/DefaultCollection
You'll be prompted for a username and a password, it doesn't really matter what you enter, fiddler will handle the authentication for you in the background:
More detailed steps outlined on my blog.
If you're battling self-signed certificates, which is also a common problem when using tfx against an on-premise TFS server, make sure you're using a recent enough version of Node and point it to an additional cert store using environment variables:
As of Node.js 7.3.0 (and the LTS versions 6.10.0 and 4.8.0) it is now possible to add extra well-known certificates to Node.js with an environment variable. This can be useful in cloud or other deployment environments to add trusted certificates as a matter of policy (as opposed to explicit coding), or on personal machines, for example, to add the CAs for proxy servers.
See the CLI documentation for more information on using NODE_EXTRA_CA_CERTS, as well as the original pull-request.
NODE_EXTRA_CA_CERTS=file
Added in: v7.3.0
When set, the well known "root" CAs (like VeriSign) will be extended with the extra certificates in file. The file should consist of one or more trusted certificates in PEM format. A message will be emitted (once) with process.emitWarning() if the file is missing or malformed, but any errors are otherwise ignored.
Note that neither the well known nor extra certificates are used when the ca options property is explicitly specified for a TLS or HTTPS client or server.
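The quoted documentation says a missing or malformed file only triggers a one-time warning, so a broken bundle can go unnoticed until tfx fails on the certificate. The following preflight check is an added example, not code from the original answers or from Node.js; the function names are hypothetical and the sample PEM blocks are constructed stubs, so it checks structure only (PEM armor, base64, outer DER length), not X.509 validity or trust.

```javascript
const fs = require('fs');

const BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;

// Total length declared by the outer DER SEQUENCE header, or -1 if invalid.
function declaredDerLength(der) {
  if (der.length < 2 || der[0] !== 0x30) return -1;  // must start with SEQUENCE
  if (der[1] < 0x80) return 2 + der[1];              // short-form length
  const n = der[1] & 0x7f;                           // long form: n length bytes
  if (n === 0 || n > 4 || der.length < 2 + n) return -1;
  return 2 + n + der.readUIntBE(2, n);
}

// Structural check of PEM text (does not validate X.509 fields or trust).
function checkCaBundle(pemText) {
  const problems = [];
  let certificates = 0;
  let index = 0;
  for (const [, label, body] of pemText.matchAll(BLOCK)) {
    index += 1;
    const b64 = body.replace(/\s+/g, '');
    const der = Buffer.from(b64, 'base64');
    if (label !== 'CERTIFICATE') {
      problems.push(`block ${index}: unexpected ${label} block`);
    } else if (!/^[A-Za-z0-9+/]+={0,2}$/.test(b64) || declaredDerLength(der) !== der.length) {
      problems.push(`block ${index}: truncated or malformed certificate`);
    } else {
      certificates += 1;
    }
  }
  if (certificates === 0) problems.push('no usable CERTIFICATE block');
  return { certificates, problems };
}

// Check the file NODE_EXTRA_CA_CERTS points at; null when the variable is unset.
function checkConfiguredBundle(env = process.env) {
  const file = env.NODE_EXTRA_CA_CERTS;
  if (!file) return null;
  if (!fs.existsSync(file)) return { certificates: 0, problems: [`missing file: ${file}`] };
  return checkCaBundle(fs.readFileSync(file, 'utf8'));
}

// Constructed samples: a 5-byte DER stub stands in for a real certificate body.
const pem = (label, bytes) =>
  `-----BEGIN ${label}-----\n${Buffer.from(bytes).toString('base64')}\n-----END ${label}-----\n`;
const SAMPLE_OK = pem('CERTIFICATE', [0x30, 3, 2, 1, 0]);
const SAMPLE_TRUNCATED = pem('CERTIFICATE', [0x30, 3, 2, 1]);
const SAMPLE_WITH_KEY = SAMPLE_OK + pem('PRIVATE KEY', [0x30, 0]);

console.log(checkConfiguredBundle() ?? checkCaBundle(SAMPLE_WITH_KEY));
```

A private key block in a trust bundle is reported because the file should contain only trusted certificates.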
There's another option for tfx-cli to connect to the TFS instance, and it is basic authentication. Just use the following format:
tfx login --auth-type basic --username myuser --password mypassword --service-url http://tfscollectionurl
Here is the quote from GitHub:
You can alternatively use basic auth by passing --auth-type basic
(read Configuring Basic Auth). NTLM will come soon.
Note: Using this feature will store your login credentials on disk in
plain text.

How hard is it to enable TFS to use SSL?

How hard is it to enable TFS to start using secure connections, if it's not already? Does doing so affect SQL configuration also? How can we force SSL to be required?
I'm looking over this reference material
https://msdn.microsoft.com/en-us/library/aa833872%28v=vs.120%29.aspx#DisAd
Reading the above, I get the impression that MS is trying to discourage someone from using SSL for TFS over the internet?
Then I stumbled on to this blog post
http://www.jwsecure.com/2009/01/29/using-tfs-via-the-internet/
Summary = just get a ssl cert and force ssl and port-forward a high port to 443
Thoughts?
Firstly, the MSDN article you posted above shows you the detailed steps on how to set up HTTPS with SSL for TFS. To summarize, the main steps include:
Install a certification authority, obtain and install a server certificate for servers.
Request, install and configure websites with a certificate for Team Foundation Server using Internet Information Services (IIS) Manager.
Configure Team Foundation Server to require HTTPS and SSL.
Install the certificate on client computers.
You can also check this walkthrough: https://msdn.microsoft.com/en-us/library/aa833873.aspx
Secondly, you don't need to configure SQL Server. But if you have SQL Reporting Service, you need to configure it to support HTTPS with SSL.
Thirdly, to enable TFS to be available with external connections, you need to configure it with HTTPS with SSL. Also with it, web connections to TFS are more secure. However, this process needs more administrator configuration and maintenance work. So you need to determine whether to use it based on your requirements.

DataSnap standalone HTTPS server (EXE) - OpenSSL support for TLS v1.2

I have a standalone (EXE) DataSnap server written in Delphi XE6 which I've secured with an SSL certificate using the OpenSSL DLLs. When I test the connection to the server I can see that it supports TLS v1.0. I now need to ensure the server can support TLS v1.2 (e.g. to support connections from iOS9 apps). However I can't see how to enable this. I've made the Windows registry changes to the (Windows 2008R2) server to enable TLS v1.2 but I guess this only affects IIS apps.
Can anybody show me how to enable TLS v1.2 within the Windows OpenSSL DLLs? I'm using version 1.0.2d of the DLLs. Or is there something within the DataSnap server component properties that needs to be changed?
