[Feature Request] Enable TLS 1.2 support #4677

Closed
dDiverVS opened this issue Jun 12, 2018 · 20 comments

@dDiverVS

dDiverVS commented Jun 12, 2018

App Details:

Postman for Windows
Version 6.1.3
win32 10.0.15063 / x64

Issue Report:

  1. Did you encounter this recently, or has this bug always been there: Always
  2. Expected behaviour: Mutual SSL certificate based connections should be performed over TLS 1.2 by default; currently requests are based on obsolete SSLv3.

Description of the issue

I am currently trying to test a SOAP-based API; this API only supports communications secured by a mutual certificate and TLS 1.2 (SSLv3 is not supported and there is no possibility to enable it).

When doing the same requests with cURL I can successfully get the responses I expect, however I cannot get Postman to work as the connection gets rejected by the endpoint.

@dDiverVS
Author

dDiverVS commented Aug 8, 2018

Is there any update on this topic?
It's been a while and I am still unable to automatize my tests in the way I'd like to.

@slaman75

slaman75 commented Aug 8, 2018

No update?

@ahmetbombaci-united

I cannot complete the OAuth 2.0 authentication process, since it is mandatory to use TLS 1.2 in the current setup.

@nagelm

nagelm commented Sep 14, 2018

I also would like to see this

@karolinanm

Hi, Postman is a great tool, but I currently can't use it without TLS support (sslv3 handshake failure)... Do you have any idea when you could implement this feature?

@feratpl

feratpl commented Sep 23, 2018

Same issue here. I currently can't use it without TLS support as I am using a self-signed certificate. Because of this issue, I am back to using the Chrome App.
Any updates on this?

@rolfmadsen

+1

@slaman75

Do you have an update for when this will be released?

@meatvest

I need TLS 1.2 in order for my existing API through Postman to continue. Can you please provide an update?

@FelixButzbach

1+

@meatvest

What does "1+" or "+1" mean? That you want the same thing, or that the capability will be added?

@FelixButzbach

@meatvest it means I also would like this to be implemented or looked into.

@trev

trev commented Nov 29, 2018

@prashantagarwal Is this still accurate, e.g. Postman still can't connect with TLS 1.2?

@FelixButzbach

Just wanted to let you know that the error was actually on my side, a missing chain certificate :/ Sorry.

@dDiverVS
Author

dDiverVS commented Dec 2, 2018

Hi @trev, I am still experiencing the same issue. I am not sure whether Postman does support TLS, since some OAuth requests which only support TLS 1.2 are working for me, but it is using SSL by default, which should no longer be the case:

Error: write EPROTO 101057795:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:1494:SSL alert number 42 101057795:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:659:

@umpc

umpc commented Dec 9, 2018

SSLv3 has been known to be vulnerable for over 4 years. This is surprising in late 2018.

@shamasis shamasis assigned shamasis and codenirvana and unassigned a85 Dec 31, 2018
@shamasis
Member

This thread has become super confusing, by the way. This could also overlap with the feature request of SSL cipher customisability. The OpenSSL error messages are definitely not helpful either. One good soul compiled this gist - https://gist.github.com/64/5b10ad1e2142970fefecdaefa2b339b9 . Is there a nice error message to helpful message map that I can get hold of? Anyone? :-p
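
Toward the error-to-meaning map asked about above, an added example (not from the thread, Postman or the linked gist): a Node.js decoder for OpenSSL error-queue entries such as the EPROTO message quoted earlier in this thread. It assumes the OpenSSL 1.0.x/1.1.x packed code layout (library << 24 | function << 12 | reason) and that an alert received from the peer is stored as reason 1000 + alert number; `decodeOpenSslErrors`, `TLS_ALERTS` and `HINTS` are names made up for this example.

```javascript
// Added example: decode OpenSSL error-queue entries found in Node/Electron EPROTO text.
// Assumed layout (OpenSSL 1.0.x/1.1.x): code = lib << 24 | func << 12 | reason.
const ALERT_REASON_OFFSET = 1000; // a received TLS alert N is stored as reason 1000 + N

const TLS_ALERTS = { // alert numbers and names from RFC 5246, section 7.2
  10: 'unexpected_message', 20: 'bad_record_mac', 40: 'handshake_failure',
  42: 'bad_certificate', 43: 'unsupported_certificate', 44: 'certificate_revoked',
  45: 'certificate_expired', 46: 'certificate_unknown', 47: 'illegal_parameter',
  48: 'unknown_ca', 49: 'access_denied', 70: 'protocol_version',
  71: 'insufficient_security', 80: 'internal_error',
};

const HINTS = { // hint wording is this example's own, not OpenSSL's
  40: 'No acceptable parameters in common; compare offered and accepted cipher suites.',
  42: 'Peer rejected the certificate it was sent; check the client cert, key and chain.',
  48: 'Peer does not trust the issuing CA; check that the full chain is sent.',
  70: 'Peer refused the offered protocol version; compare min/max TLS versions.',
};

function decodeOpenSslErrors(message) {
  // Matches "error:<8 hex digits>:<library>:<function>:<reason text>"
  const re = /error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*)/g;
  const entries = [];
  for (const m of message.matchAll(re)) {
    const code = parseInt(m[1], 16);
    const reason = code & 0xfff;
    const entry = {
      code: m[1], lib: code >>> 24, func: (code >>> 12) & 0xfff, reason,
      libName: m[2], funcName: m[3], text: m[4], alert: null, hint: null,
    };
    if (reason >= ALERT_REASON_OFFSET) {
      const number = reason - ALERT_REASON_OFFSET;
      entry.alert = { number, name: TLS_ALERTS[number] || 'unknown' };
      entry.hint = HINTS[number] || null;
    }
    entries.push(entry);
  }
  return entries;
}

// The EPROTO message quoted earlier in this thread, split over two literals.
const SAMPLE =
  String.raw`Error: write EPROTO 101057795:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:1494:SSL alert number 42 ` +
  String.raw`101057795:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:c:\projects\electron\vendor\node\deps\openssl\openssl\ssl\s3_pkt.c:659:`;

for (const e of decodeOpenSslErrors(SAMPLE)) {
  console.log(e.code, e.funcName, e.text, e.alert ? `alert ${e.alert.number} ${e.alert.name}` : 'no alert');
}
```

On the sample, the first entry decodes to alert 42 (bad_certificate), meaning the peer rejected a certificate. The `ssl3_*` function names and the "sslv3 alert" wording are OpenSSL's legacy labels and appear on TLS 1.x connections as well.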

@jinliming2

Google Chrome will deprecate TLS 1.0 and TLS 1.1 in Chrome 72, and they will be disabled altogether in Chrome 81.
https://security.googleblog.com/2018/10/modernizing-transport-security.html

@shamasis
Member

Hello everyone, I did some digging around this post. It seems that the thread has a number of stakeholders with two kinds of issues: (1) wrong protocol negotiation (2) unable to negotiate a required TLS protocol.

In either case, when Postman introduced Native Apps, a majority of this was resolved since all limitations thrown by Chrome were lifted. For the remaining, TLS 1.2 was supported in all versions of Postman Native app. (See TLS documentation for Node v6, around 2016: https://nodejs.org/docs/latest-v6.x/api/tls.html)

However there are a couple of issues that may give an impression that TLS is not working:

  1. Only a specific subset of cipher suites is used and may have a mismatch during handshake
  2. The default TLS configuration of the underlying NodeJS is not modified (or modifiable as of now.) This results in, at times, negotiations of lower TLS versions.
  3. There is not enough debugging information bubbled up to users when TLS related aspects have mismatched expectations.

Additionally, there are a number of factors that influence the negotiations of protocol as outlined at https://nodejs.org/api/tls.html

The end goal would be:

  1. Expose more TLS related info with every response
  2. Allow configuring TLS options so that certain aspects (ciphers, etc) can be force selected.
  3. Do not disallow negotiating older SSL versions (we are not a browser, we are an API development tool and as such all debugging aspects should be available) while keeping security warnings, etc.

In case your API request is not negotiating the right version / cipher, please post additional debugging information by getting the curl command for the request using our code generator in app, but adding the extra --verbose flag. https://ec.haxx.se/usingcurl-verbose.html

PS: Tracking this in a feature request: #5918

@nerdile

nerdile commented Mar 27, 2019

So could someone sum up, for users who want to force a specific TLS version to be used in Postman, what the steps are they would need to take?
