Today, we released version 3.0 of the Duo Authentication Proxy. The release notes in the documentation are available here, but here is a quick overview of the notable changes:
Default minimum TLS version moved to TLSv1.2
- To improve the security of our product, we have moved our default minimum TLS version for the Duo Authentication Proxy from SSLv3 to TLSv1.2. This change only affects Authentication Proxy versions 3.0 and newer.
- This change only affects Authentication Proxy configurations using a
- If you wish to use older protocols (specifically, SSLv3, TLSv1.0, or TLSv1.1) with Authentication Proxy version 3.0 or newer, you will need to edit your proxy configuration file to include the minimum_tls_version parameter and a specified TLS version. This parameter requires Authentication Proxy version 2.12.0 or newer.
If your applications can only use TLS protocol versions older than TLSv1.2, your authentication workflow will stop working if you upgrade to Authentication Proxy version 3.0 without configuring this parameter.
- If you do not upgrade your Authentication Proxy to version 3.0 or newer, you do not need to define a minimum TLS version to continue using older protocols. However, we always recommend using the most up-to-date version of our software to ensure you have the latest features and security improvements.
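Because the upgrade silently changes the default, it helps to audit each authproxy.cfg before upgrading to 3.0. The script below is an added example, not Duo's code: it reports whether minimum_tls_version is pinned explicitly in a config file and which minimum version the proxy will enforce after the upgrade. It assumes an INI-style file with key=value lines and ';' or '#' comments, lower-case values such as tls1.0, tls1.1 and tls1.2 (an assumption about the value spelling), and a placeholder config path.

```shell
#!/bin/sh
# Pre-upgrade audit for an Authentication Proxy configuration file.
# Added example, not Duo's code. Assumes an INI-style authproxy.cfg with
# key=value lines, ';' or '#' comments, and lower-case values such as
# tls1.0 / tls1.1 / tls1.2 (the value spelling is an assumption here).

# Print the minimum_tls_version value from config file $1, or nothing if
# the parameter is absent. Comments are stripped first so a commented-out
# line does not count as a setting; the last live occurrence wins.
configured_min_tls() {
    sed -e 's/[;#].*$//' "$1" \
      | grep -i '^[[:space:]]*minimum_tls_version[[:space:]]*=' \
      | tail -n 1 \
      | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Print the minimum TLS version the proxy will enforce after upgrading to
# 3.0: the configured value if set, otherwise the new default, tls1.2.
effective_min_tls_after_upgrade() {
    v=$(configured_min_tls "$1")
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
    else
        printf 'tls1.2\n'
    fi
}

# One-line verdict for operators: exit 0 when the file pins the parameter
# explicitly (behaviour survives the upgrade unchanged), 1 when it relies
# on the old default, so clients limited to SSLv3/TLSv1.0/TLSv1.1 would
# stop authenticating after the upgrade.
audit_min_tls() {
    v=$(configured_min_tls "$1")
    if [ -n "$v" ]; then
        printf 'PINNED %s (%s)\n' "$v" "$1"
        return 0
    fi
    printf 'DEFAULT tls1.2 after upgrade (%s): set minimum_tls_version if any client still needs SSLv3/TLSv1.0/TLSv1.1\n' "$1"
    return 1
}

# Usage (placeholder path; substitute your own authproxy.cfg location):
if [ -f /path/to/authproxy.cfg ]; then
    audit_min_tls /path/to/authproxy.cfg
fi
```

Run it against every proxy config in the estate before the upgrade window; a DEFAULT verdict on a proxy that still fronts legacy RADIUS or LDAP clients is the case where the parameter has to be added first.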
Linux Authentication Proxy running under a secure user account
- Versions 3.0 and newer of the Duo Authentication Proxy for Linux now default to creating a non-privileged user account (duo_authproxy_svc) under which the Authentication Proxy runs. This user account name is customizable.
- Prior to this change, it defaulted to the “nobody” user account.
Log folder permissions for the Linux Authentication Proxy
- When Authentication Proxy 3.0 or newer is installed on a Linux system, it will create a group (duo_authproxy_grp) and make the log folder and all of its files readable only by this group. This group name is customizable.
- Prior to this change, the log directory was readable by all users.
- Administrators whose SIEM reads these logs may find that it can no longer read the log files. They will need to add the user account the SIEM process runs under to the group that has permission to read the Authentication Proxy logs.
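The check an administrator wants after the upgrade is whether the SIEM's service account can actually read the log directory. The script below is an added example, not Duo's code: it verifies that the log directory is group-owned by the log group with group read and traverse bits set, lists any log files that are not group-readable, and checks whether the SIEM account is a member of that group, printing the usermod command to run (it does not run it). The group name defaults to duo_authproxy_grp from this announcement; the log path and the SIEM user name are placeholders.

```shell
#!/bin/sh
# Post-upgrade check of Authentication Proxy log access for a SIEM account.
# Added example, not Duo's code. LOG_GROUP defaults to the group named in
# the release notes; the log path and SIEM user below are placeholders.

LOG_GROUP="${LOG_GROUP:-duo_authproxy_grp}"

# Is user $1 a member of group $2? Exit 0 if yes, 1 otherwise.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Is directory $1 group-owned by $2 with group read and execute bits set?
# Exit 0 if yes, 1 otherwise.
dir_group_readable() {
    line=$(ls -ld "$1") || return 1
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    perms=$(printf '%s\n' "$line" | cut -c1-10)
    [ "$grp" = "$2" ] || return 1
    # Group bits are characters 5-7 of the mode string (e.g. drwxr-x---).
    [ "$(printf '%s' "$perms" | cut -c5)" = "r" ] || return 1
    [ "$(printf '%s' "$perms" | cut -c7)" = "x" ] || return 1
}

# Print every regular file under $1 that lacks the group-read bit; these
# are the files a group member (such as the SIEM account) still cannot read.
files_not_group_readable() {
    find "$1" -type f ! -perm -g=r
}

# Report whether SIEM account $1 can read the logs in directory $2.
# Exit 0 = OK, 1 = user must be added to the group, 2 = directory itself
# is not group-readable (fix the directory before touching group membership).
siem_log_access() {
    user="$1"
    dir="$2"
    if ! dir_group_readable "$dir" "$LOG_GROUP"; then
        printf 'WARN: %s is not group-readable by %s\n' "$dir" "$LOG_GROUP"
        return 2
    fi
    if user_in_group "$user" "$LOG_GROUP"; then
        printf 'OK: %s is a member of %s\n' "$user" "$LOG_GROUP"
        return 0
    fi
    printf 'FIX: as root run: usermod -a -G %s %s ; then restart the SIEM agent so it picks up the new group\n' "$LOG_GROUP" "$user"
    return 1
}

# Usage (placeholder path and user; substitute your own values):
if [ -d /path/to/duoauthproxy/log ]; then
    siem_log_access "${SIEM_USER:-siem}" /path/to/duoauthproxy/log
    files_not_group_readable /path/to/duoauthproxy/log
fi
```

Note that supplementary group membership is only picked up at login or process start, so the SIEM agent has to be restarted after the usermod, which is why the script says so rather than just reporting the group change.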
Miscellaneous bugs were also resolved. Learn more in the release notes.