This article was last updated on August 15, 2019 – Please visit this page often for the latest information.
Citrix ShareFile operations will disable Transport Layer Security (TLS) v1.0 and v1.1 on October 31st, 2019. This will prevent customers still using TLS v1.0 and v1.1 from accessing some of their services. Action is required prior to October 31st, 2019 to prevent any disruption.
Citrix ShareFile supports security best practices including our Transport Layer Security (TLS) implementation for the various components. There are no known security vulnerabilities in our implementation as of the date of this article. However, we understand that security is very important, and in some cases, customers will need to update their TLS implementation, particularly disabling TLS v1.0 and/or v1.1 to meet security best practices and compliance.
This article will describe how customers can leverage Citrix ShareFile components that supports TLS v1.2 and specific dependencies on web browsers, mobile platforms and development environment for API and SDK consumers.
TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today replacing Secure Socket Layer (SSL), and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS, to date, are TLS 1.3, 1.2, 1.1 and 1.0.
TLS v1.0 when not configured correctly can be vulnerable to well-known attacks such POODLETLS,CRIMEand DROWN. References:
Citrix ShareFile is not vulnerable to the known attacks described above given that the TLS implementation is current. For specific technical details on current supported levels, please see:
SSL Labs Test Result for ShareFile
Citrix ShareFile operations will disable TLS v1.0 and v1.1 on October 31st, 2019. This will prevent customers still using TLS v1.0 and v1.1 from accessing some of their services. Action is required prior to October 31st, 2019 to prevent any disruption.
Customers need to upgrade their applications to a version that supports TLS v1.2 or above. Otherwise, customers can experience disruption or lose access to the service. For customers that have updated their environment to allow TLS v1.2 and higher only, the following information can help determine the minimum versions of various components to support the environment. Any version lower than the listed TLS 1.2 supported versions below will experience disruption once TLS 1.0 and 1.1 is disabled.
1) ShareFile Clients and Plug-ins
To identify the specific version of the clients, the following can be used in general:
- Windows – Navigate to ‘Add or Remove Programs’ and click the Citrix Files or ShareFile application to see which version is installed.
- macOS- In the applications folder, find the Citrix Files / ShareFile application, right click and select ‘Get Info.’ There will be a line entry for ‘Version:’
Specific methods for each client is also listed below
|Clients or Plug-ins||TLS 1.2 Supported Versions||Additional Notes||Client Version Identification|
|Citrix Files for Windows||4.X and higher||Latest release: Citrix Files for Windows||Select ‘Help’ from the Dashboard. At the top of the help page you will see the version number.|
|Citrix Files for Mac||4.X and higher||Latest release: Citrix Files for Mac||Select ‘Help’ from the Dashboard. At the top of the help page you will see the version number.|
|Citrix Files for Outlook||6.X and higher||Latest release: Citrix Files for Outlook||Select ‘Help’ from the Citrix Files for Outlook ‘Options’ menu. On the top you will see the version number.|
|ShareFile Sync for Windows||3.14 and higher||Latest release: ShareFile Sync for Windows||Select ‘Preferences’ from the Dashboard. In the Preferences UI, select ‘About.’ On the left hand side you will see the version number.|
|ShareFile Sync for Mac||3.0 and higher||Latest release: ShareFile Sync for Mac||Select ‘Preferences’ from the Dashboard. In the Preferences UI, select ‘About.’ On the left hand side you will see the version number.|
|ShareFile Drive Mapper||Dependent on .NET Framework v4.6.2 and higher||Latest release: ShareFile Drive Mapper
.NET Framework download link
|Right click the Drive Mapper tray icon, select ‘settings.’ In the Setting UI select ‘about’. The version number will be in the center of the UI.|
|Print to ShareFile||2.8.97 and higher||Software details here||Select the ‘Help’ icon (?) in the upper right hand corner of the app. On the top right hand side you will see the version number.|
|ShareFile Desktop App for Windows||1.18 and higher||Software details here||Select the ‘Help’ icon (?) in the upper right hand corner of the app. On the top right hand side you will see the version number.|
|ShareFile Desktop App for Mac||N/A Product End of Life (EOL)||N/A||N/A|
2) ShareFile Mobile Apps
|Mobile Apps||TLS 1.2 Supported OS Platforms||Additional Notes|
|ShareFile Android App||Android 5 and higher||Software details here|
|ShareFile iOS App||iOS 10 and higher||Software details here|
|ShareFile Windows Phone App||Windows Phone 10 and higher||Software details here|
3) ShareFile StorageZones Controller and Tools
|Components||TLS 1.2 Supported Versions||Additional Notes|
|StorageZones Controller||5.3.1 and higher
||Latest release: here (Sign In to access restricted downloads)
Configuration guidance with NetScaler here
To identify StorageZones Controller’s version see this KB article.
Upgrade guide here.
|User Management Tool (UMT)||1.8.1 and higher for non Policy Based Administration (PBA) accounts
1.12 and higher for PBA accounts
|Software details here|
|ShareFile Data Migration Tool||3.2 and higher||Software details here|
|ShareFile Command Line Interface (SFCLI)||N/A||SFCLI will need to be updated with PowerShell SDK. More details can be found here.|
|ShareFile V1 API||N/A||ShareFIle V1 API will need to be updated with V3 API. The migration guide can be found here.|
|Enterprise Sync||N/A Product approaching End of Life (EOL)||Details here.|
4) ShareFile API and SDK
ShareFile API will negotiate for the highest supported version first starting with TLS v1.2 before trying lower versions of TLS. It will prevent a deliberate downgrade if a higher TLS version is supported.
For ShareFile SDKs, .NET Framework 4.6.2 and higher is needed to support TLS v1.2 by default. The latest .NET Framework can be downloaded here.
|When will ShareFile disable TLS v1.0 and TLS v1.1?||TLS v1.0 and v1.1 will be disabled on Oct 31st, 2019.|
|Is ShareFile vulnerable to known TLS vulnerabilities?||As of writing, there are no known vulnerabilities. This can be independently verified through SSL Labs. You can use your subdomain (eg. company.sharefile.com) to be tested with SSL Labs: https://www.ssllabs.com/ssltest/index.html|
|What should customers do to avoid TLS v1.0 and TLS v1.1 implementation when using ShareFile?||Use the above reference on ShareFile components and related dependencies (like .NET Framework 4.6.2 and higher) that supports TLS v1.2 by default. Upgrade the relevant components and prepare the environment to be ready when TLS v1.0 will be disabled.|
|How do I know what clients my employee users are using?||As an admin, you can leverage the Usage Report which will indicate the specific clients the users are using to login to your organization’s Citrix ShareFile tenant. For more details see: https://support.citrix.com/article/CTX235370|