IMPORTANT - SSL Certificate Renewal and SHA-2
On Wednesday February 10th 2016, Shotgun will renew the SSL Certificate for the *.shotgunstudio.com domain. In order to improve the security of our platform, the new certificate will be signed using a SHA-2 hash instead of SHA-1.

The current certificate is signed using SHA-1, so this can be a breaking change for some clients using the SG API and/or SG Toolkit.

The Web UI accessed through a browser should not be affected, since browsers have supported SHA-2 signed certificates for a while.

Detailed Information on SSL
The purpose of the SSL Certificate is to certify that users are really communicating with Shotgun. By validating the certificate against trusted Certificate Authorities (CAs), a client can be sure who it is interacting with. The certificate is not encrypted; it is digitally signed by the CA, and that signature is what prevents forgery. The signature is computed over a hash of the certificate contents, and SHA-1 or SHA-2 is the hash algorithm used for that step.

That identity validation is one of the first steps taken when establishing any secure connection (https) to a server. When users communicate with their Shotgun site(s) they are establishing a secure connection, either through the browser, Shotgun's Toolkit, or the Shotgun API.

In order to certify the identity of the server, applications connecting to Shotgun need to be able to verify the CA's signature on the SSL Certificate. Verifying that signature means recomputing the hash the CA signed, so the client's TLS library must implement the hash algorithm the certificate was signed with; if it does not, the certificate is rejected and the connection fails.
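The concrete thing that changes on February 10th is the signatureAlgorithm field of the certificate. The following reader, an added example and not code from the original post or from Shotgun, walks the DER encoding of an X.509 certificate in pure Python and reports whether that field names a SHA-1 or a SHA-2 signature. It needs no third-party modules, so it runs in the same embedded interpreters the post is worried about (Python 2.6 or newer). The `constructed_cert` helper builds a structurally valid but cryptographically meaningless certificate purely as constructed test input; to inspect a real server, use `server_signature_algorithm`, which needs network access.

```python
"""Report which hash algorithm signed an X.509 certificate given as DER bytes."""
import ssl

# Signature algorithm OIDs and the hash family they imply.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-2"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "SHA-2"),
    "1.2.840.10045.4.3.4":   ("ecdsa-with-SHA512",       "SHA-2"),
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:                 # indefinite or absurd lengths are not valid DER
            raise ValueError("unsupported DER length encoding")
        length = 0
        for b in buf[pos:pos + n]:
            length = (length << 8) | b
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(value):
    """Turn OID content octets into dotted-decimal text."""
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:                     # base-128 arcs, high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (dotted OID, algorithm name, hash family) for the outer
    signatureAlgorithm of a DER-encoded Certificate."""
    buf = bytearray(der)                    # bytearray indexes to ints on Python 2 and 3 alike
    tag, cert, _ = _read_tlv(buf, 0)        # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _tbs, pos = _read_tlv(cert, 0)     # tbsCertificate: skipped
    tag, alg_id, _ = _read_tlv(cert, pos)   # signatureAlgorithm: AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(oid_bytes)
    name, family = SIGNATURE_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def server_signature_algorithm(host, port=443):
    """Fetch the leaf certificate a live server presents and classify it (needs network)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test data below: NOT a real certificate -------------------

def _der(tag, content):
    """Minimal DER encoder handling short and long length forms."""
    content = bytearray(content)
    n = len(content)
    if n < 0x80:
        header = bytearray([tag, n])
    else:
        len_bytes = bytearray()
        while n:
            len_bytes.insert(0, n & 0xFF)
            n >>= 8
        header = bytearray([tag, 0x80 | len(len_bytes)]) + len_bytes
    return bytes(header + content)


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return bytes(out)


def constructed_cert(sig_oid):
    """Certificate-shaped SEQUENCE with a placeholder tbsCertificate and a
    256-byte zero signature; only the signatureAlgorithm field is meaningful."""
    tbs = _der(0x30, b"\x02\x01\x02")                      # placeholder INTEGER 2
    alg_id = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 256)              # 0 unused bits + zero signature
    return _der(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    print(signature_algorithm(constructed_cert("1.2.840.113549.1.1.11")))
```

`ssl.get_server_certificate` returns only the leaf certificate; the intermediates the server sends must be SHA-2 signed as well, since a client that cannot verify a SHA-1 intermediate fails just the same. The self-signature on a root certificate does not matter: roots are trusted by being in the local trust store, not by verifying their signature.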

Why is this change necessary?
SHA-1 is known to be weaker than its SHA-2 counterpart, and as a result the community has decided to deprecate SHA-1. Already, many browsers flag SHA-1 signed certificates as a security risk. In addition, Certificate Authorities are no longer issuing certificates signed using SHA-1.

Read more about it here: http://www.superb.net/blog/2015/02/17/ssl-certificates-sha-2-why-should-i-upgrade/

Possible Impacts

Why can this be a breaking change?
SHA-2 is more secure, but it is also the newer algorithm. This means older versions of Python and OpenSSL, including the Python interpreters embedded in your Digital Content Creation Tools (DCCs), may not be able to verify a SHA-2 signature and will reject the new certificate. We have provided a list of applications and libraries that we know to be at risk of breaking at the end of this publication. If you are using one of these tools, you may no longer be able to establish connections to your Shotgun site through Toolkit or the SG API. Even if your tools are not listed, it is better to check whether you will be impacted.

How can I know if my studio will be impacted?
We've given users access to a small Python script that lets you test whether you will be impacted by this change. You can run this script within any Python environment in your studio, including DCC consoles and script editors. The output will indicate whether the environment will break once the SHA-2 certificate is in place and, if so, whether a workaround for the issue is possible.

Be sure to test every operating system on which Shotgun Toolkit and the Shotgun API are used, as well as every DCC version currently in use, even those not present in the list of applications at risk.

The script can be downloaded or copy and pasted from:

https://gist.github.com/robblau/01ac5b583bc9e6a00d11
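The offline prerequisites the linked script's verdict rests on can be inspected directly. The following checker is an added example, not the script from the gist above and not Shotgun's code: it records the interpreter version, whether `hashlib` can compute SHA-256, whether the `ssl` module loads, and whether the OpenSSL it reports is at least 0.9.8o (the floor from the list at the end of this post). It deliberately uses only syntax accepted by Python 2.5 and later so it can be pasted into the same DCC consoles the post mentions. The version-string parser treats LibreSSL as always new enough, which is my assumption based on every LibreSSL release being forked from OpenSSL 1.0.1.

```python
"""Offline readiness checks for verifying a SHA-2 signed certificate."""
import re
import sys

# Oldest OpenSSL the post lists as safe; 0.9.8o is represented as (0, 9, 8, "o").
MIN_OPENSSL = (0, 9, 8, "o")


def parse_openssl_version(version_string):
    """'OpenSSL 0.9.8o 01 Jun 2010' -> ('OpenSSL', (0, 9, 8, 'o')); None if unparseable."""
    m = re.search(r"(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", version_string or "")
    if not m:
        return None
    return m.group(1), (int(m.group(2)), int(m.group(3)), int(m.group(4)), m.group(5))


def openssl_at_least(version_string, minimum=MIN_OPENSSL):
    """True when the library named in version_string is at or above minimum.
    Tuple comparison handles the letter suffix: '' < 'n' < 'o' < 'zh'."""
    parsed = parse_openssl_version(version_string)
    if parsed is None:
        return False
    name, version = parsed
    if name == "LibreSSL":
        return True     # assumption: every LibreSSL release postdates OpenSSL 0.9.8o
    return version >= minimum


def sha2_readiness():
    """Collect the checks into a dict. Any False entry is a reason the SHA-2
    certificate may fail to verify in this interpreter; None means the
    interpreter does not expose enough information to decide (Python 2.6)."""
    report = {"python": sys.version.split()[0]}
    # Python 2.5 has no ssl module at all; the post lists it as broken outright.
    report["python_2_6_or_newer"] = sys.version_info[:2] >= (2, 6)
    try:
        import hashlib
        hashlib.sha256("probe".encode("ascii")).hexdigest()
        report["hashlib_sha256"] = True
    except (ImportError, AttributeError, ValueError):
        report["hashlib_sha256"] = False
    try:
        import ssl
        report["ssl_module"] = True
        # ssl.OPENSSL_VERSION only exists from Python 2.7 / 3.2 onwards.
        version_string = getattr(ssl, "OPENSSL_VERSION", None)
        report["openssl_version"] = version_string
        if version_string:
            report["openssl_at_least_0_9_8o"] = openssl_at_least(version_string)
        else:
            report["openssl_at_least_0_9_8o"] = None
    except ImportError:
        report["ssl_module"] = False
        report["openssl_version"] = None
        report["openssl_at_least_0_9_8o"] = None
    hard_checks = ("python_2_6_or_newer", "hashlib_sha256", "ssl_module")
    report["likely_ok"] = (all(report[k] for k in hard_checks)
                           and report["openssl_at_least_0_9_8o"] is not False)
    return report


if __name__ == "__main__":
    for key, value in sorted(sha2_readiness().items()):
        sys.stdout.write("%-26s %s\n" % (key, value))
```

On Python 2.6 the OpenSSL version is not exposed, so `openssl_at_least_0_9_8o` comes back as None and the report is inconclusive; that is exactly the "Python 2.6 on Windows and Mac" case in the list below, where the interpreter itself is fine but the OpenSSL bundled with it is not. The definitive test there remains an actual HTTPS connection from that interpreter to a SHA-2 signed host.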

My studio is impacted… now what?
We suggest that users update the affected tool(s) to a current version. Since the community has embraced the transition to SHA-2, it is likely this issue has been fixed in the latest versions of these tools.
If you are unable to update for any reason, please reach out to Shotgun Support. There are known workarounds and we will inform you of alternative options.

Known Applications and Tools at risk

- Python 2.5 and below
- Python 2.6 on Windows and Mac
- OpenSSL versions prior to 0.9.8o
- Maya 2013 and below (Windows and Mac)
- Motion Builder 2013 and below (Windows)
- Nuke 6.3v9 and below (Windows and Mac)
- Houdini 12.5 and below (Windows and Linux)
- Hiero 1.9v1 and below (probably Windows only)
- Softimage 2013 and below (probably Windows only)

3 Comments


At September 30, 2016 at 5:59 AM, Andy Cuthbert said...

Hey, has something else changed recently? I'm getting SSL exceptions in Nuke all of a sudden... Cheers


At October 10, 2016 at 8:01 AM, Guillaume Brossard said...

Hi Andy,

It looks like AWS removed support for some older ciphers on their S3 service. Older versions of OpenSSL were using these ciphers. AWS didn't announce any changes; AWS Support told us they were not aware of any changes to the SSL/TLS support for S3. We submitted some simple and reproducible examples to them. They acknowledged the issue, said they were going to investigate, and we are waiting to hear back from them. We are not sure yet whether support for these ciphers was dropped mistakenly or whether they are no longer supporting them.

It looks like only the Foundry products, on Windows, are impacted.

In the meantime, we do have a workaround for the issue. Please open a ticket with our Support team to learn more.


At October 17, 2016 at 12:19 PM, Guillaume Brossard said...

Regarding the issue observed by Andy, AWS has reverted the changes they did to the supported cipher list. You should no longer see these issues. Please let us know if this is not the case.
