Checking & Changing TLS Versions
-----------------------------------
Affected Roles: Administrator, Power Users
Related Digital Watchdog VMS Apps: DW Spectrum
Last Edit: February 11, 2025
-----------------------------------
DW Spectrum and TLS Versions
When running penetration tests, multiple versions of TLS (Transport Layer Security) may be discovered. These versions are not actively in use. Rather, older versions of TLS are maintained solely for backward compatibility purposes with third-party integrations. This strategy allows developers to enhance security measures while ensuring smooth compatibility with external systems.
This article will outline how to check the current TLS version being used and how to change the default TLS version.
Checking TLS Version
Server to Client Communication
Using Wireshark, you can capture packets from one application to another, enabling you to check the traffic between DW Spectrum Server and Client applications.
To capture traffic with Wireshark:
- Launch Wireshark on the server machine and set the DW Spectrum Server’s IP address as the Host/Capture Filter.
- Apply a display filter with the following parameters:
tcp.port == 7001 && tls
This display filter shows the TCP communication over Port 7001 (the default port of the DW Spectrum Server) and the TLS protocol being used.
- When checking the “Protocol” column, the TLS version being used will be listed.
To determine the available TLS versions and the version being used, check the Packet Details panel:
- Under the “Length Info” column, select a Client Hello packet.
- Find the “Transport Layer Security” information.
- Expand the following options:
- TLSv1.3 Record Layer: Handshake Protocol: Client Hello
- Handshake Protocol
- Extension: supported_versions
- Here you will find all possible versions of the TLS protocol from the Client side, which can be used to connect to older versions of DW Spectrum IPVMS.
To verify which TLS version is used by the system and what version is used for the connection between the Desktop Client and Server:
- Select a Server Hello packet
- Find Transport Layer Security in the Packet Details panel
- If you expand the content, you will see the TLS version that is used in this case, which is TLS 1.2.
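The same check can be scripted against handshake bytes exported from a capture. The following Python parser is an added example, not DW Spectrum or Wireshark code: it reads the supported_versions extension from a Client Hello and the negotiated version from a Server Hello. The names hello_versions and sample_record and the two sample records are constructed for illustration.

```python
import struct

# ProtocolVersion wire values (RFC 5246, RFC 8446).
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS = 43  # extension type number

def hello_versions(record: bytes):
    """Return (message name, [version names]) for one Client/Server Hello record."""
    ctype, _, rec_len = struct.unpack_from("!BHH", record, 0)
    if ctype != 22 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs_type = record[5]
    if hs_type not in (1, 2):
        raise ValueError("not a Client Hello or Server Hello")
    pos = 9                                  # record header (5) + handshake header (4)
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                            # legacy_version + random
    pos += 1 + record[pos]                   # session_id
    if hs_type == 1:
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites list
        pos += 1 + record[pos]                               # compression_methods list
    else:
        pos += 3                             # chosen cipher suite + compression method
    found = []
    if pos < 5 + rec_len:                    # an extensions block follows
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            data = record[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS:
                body = data[1:] if hs_type == 1 else data  # client list has a length byte
                found = [struct.unpack_from("!H", body, i)[0]
                         for i in range(0, len(body) - 1, 2)]
    if not found:
        found = [legacy]                     # TLS 1.2 and older: only legacy_version
    names = [VERSIONS.get(v, "GREASE/unknown 0x%04x" % v) for v in found]
    return ("Client Hello" if hs_type == 1 else "Server Hello", names)

def sample_record(hs_type, body):            # wraps a constructed handshake body
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed samples, not captured traffic: the client offers a GREASE value,
# TLS 1.3 and TLS 1.2; the server answers with TLS 1.2 and no extensions.
CLIENT_HELLO = sample_record(1, b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01"
                             + b"\x01\x00" + b"\x00\x0b\x00\x2b\x00\x07\x06\x0a\x0a\x03\x04\x03\x03")
SERVER_HELLO = sample_record(2, b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00")
```

A TLS 1.3 Server Hello still carries 0x0303 in its legacy version field and puts the real version in supported_versions, which is why the parser reads the extension first and falls back to the legacy field only when the extension is absent.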
Browser to Server Communication
Using a web browser, you can check the TLS version that is being used when navigating to the WebAdmin or DW Cloud client portal.
For Firefox:
- Open the Developer Tools (Ctrl+Shift+I)
- Select the Network tab
- Navigate to the WebAdmin or Cloud Client portal
- Select the Network tab in the top bar of the Developer Tools
- Select an item in the results and select the Security tab in the pane on the right.
NOTE: If the Security tab isn’t available, select another item, since it isn’t applicable to all items.
- Under Security, check the Connection and Protocol version to check which TLS protocol is used.
For Chrome:
- Open the Developer Tools (Ctrl+Shift+I)
- Select the Security tab
- Navigate to the WebAdmin or DW Cloud client portal
- Under Security, check the results for the section Connection to check which TLS protocol is used.
Changing the Default TLS Version Configuration Files
By default, DW Spectrum uses TLS 1.3; however, it is possible to change the TLS version by changing the value in the configuration files.
NOTE: Lowering these values has an impact on the overall security of the system and is never recommended.
For Windows:
- Open the Registry Editor system tool and navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Digital Watchdog\Digital Watchdog Media Server
- Add a string value allowedSslVersions and put the value TLSv1.2
- Restart the Nx mediaserver defaultMediaServer service
For Ubuntu Linux:
- Navigate to the following file directory:
/opt/digitalwatchdog/mediaserver/etc/
- Open the mediaserver.conf and add:
allowedSslVersions=tls1_2
- Restart the DW-mediaserver service
Confirming TLS Changes
To confirm the changes, use the following commands.
For Windows:
Open the Command Prompt and enter the following command:
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Digital Watchdog\Digital Watchdog Media Server" /v "allowedSslVersions"
For Ubuntu Linux:
Open the Terminal and enter the following command:
grep "allowedSslVersions" /opt/digitalwatchdog/mediaserver/etc/mediaserver.conf
Changing the Default TLS Version with a Web Browser
Most browsers use TLS 1.2 or newer as their default value to prohibit the use of previous versions of TLS. Although it is not recommended to change these values, you can change them for backward compatibility purposes.
For Firefox:
When you navigate to “about:config” and search for “security.tls.version.m”, notice that the default values are set as “3” for the minimum version and as “4” for the maximum version. This means that TLS 1.2 is used as the minimum and TLS 1.3 as the maximum. To change the minimum and maximum, use the following values:
1 = TLS 1.0 (insecure)
2 = TLS 1.1 (insecure)
3 = TLS 1.2
4 = TLS 1.3
For Chrome:
Chrome doesn't have such an option, but it is possible to force a certain TLS version by starting Chrome through the Terminal.
For Windows:
Open the Command Prompt window and enter the following command:
"C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1.3
For macOS:
Open the Terminal window and enter the following command:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-version-min=tls1.3
For Linux:
- Open the Terminal window and enter the following command:
google-chrome --ssl-version-min=tls1.3
NOTE: If the values of your browser do not match the values in the mediaserver configuration file, you will be unable to connect to the system.
For More Information or Technical Support
DW Technical Support: 866.446.3595 (option 4)
https://www.digital-watchdog.com/contact-tech-support/