Blog Archives

SwissDec 2020: TLS 1.2

As a follow-up to our December post, we are pleased to confirm that the existing transmitter SwissDecTX4 is already compatible with the latest security enhancements announced by Swissdec for 2020. However, a small configuration change to the .NET Framework is necessary to enable the use of the required protocols.

Once this support is enabled, the existing SwissDecTX 4.08 transmitter starts using TLS 1.2 immediately without re-installation or redeployment.

The configuration change consists of setting registry values that direct the .NET Framework to use the latest protocols available on the underlying operating system.

For Windows 10:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

For prior versions of Windows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:00000001
"DisabledByDefault"=dword:00000000

Copy the above text into a new text file with a .reg extension, then merge this file into the registry.
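To confirm that the merge took effect, the values can be read back. The following PowerShell audit is an added example, not part of the original post or of the SwissDecTX product; the function name Test-TlsRegistryValue is hypothetical, and the script assumes a 64-bit PowerShell session.

```powershell
# Added example (not vendor code): read-only audit of the values from the .reg files above.
# Assumption: 64-bit PowerShell session, so WOW6432Node is the 32-bit registry view.
$net      = 'Microsoft\.NETFramework\v2.0.50727'
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Each entry: key path relative to HKLM, value name, expected DWORD.
$checks = @(
    @("SOFTWARE\WOW6432Node\$net",          'SystemDefaultTlsVersions', 1),
    @("SOFTWARE\WOW6432Node\$net",          'SchUseStrongCrypto',       1),
    @("SOFTWARE\$net",                      'SystemDefaultTlsVersions', 1),
    @("SOFTWARE\$net",                      'SchUseStrongCrypto',       1),
    @("$schannel\Ciphers\RC4 128/128",      'Enabled',                  0),
    @("$schannel\Ciphers\RC4 40/128",       'Enabled',                  0),
    @("$schannel\Ciphers\RC4 56/128",       'Enabled',                  0),
    @("$schannel\Protocols\TLS 1.2\Client", 'Enabled',                  1),
    @("$schannel\Protocols\TLS 1.2\Client", 'DisabledByDefault',        0)
)

# Hypothetical helper name. Returns one result object per checked value.
function Test-TlsRegistryValue {
    param([string]$KeyPath, [string]$Name, [int]$Expected)
    # Use the .NET registry API: the PowerShell registry provider treats the
    # "/" in "RC4 128/128" as a path separator and would look up the wrong key.
    $key    = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath)
    $actual = $null
    if ($null -eq $key) {
        $state = 'KEY MISSING'
    } else {
        $actual = $key.GetValue($Name)   # $null when the value does not exist
        $key.Close()
        if ($null -eq $actual)         { $state = 'VALUE MISSING' }
        elseif ($actual -eq $Expected) { $state = 'OK' }
        else                           { $state = 'MISMATCH' }
    }
    New-Object PSObject -Property @{
        State = $state; Name = $Name; Expected = $Expected; Actual = $actual; Key = $KeyPath
    }
}

$results = foreach ($c in $checks) { Test-TlsRegistryValue $c[0] $c[1] $c[2] }
$results | Format-Table State, Name, Expected, Actual, Key -AutoSize

# Summarise everything that does not match the .reg file.
$bad = @($results | Where-Object { $_.State -ne 'OK' })
Write-Output ("{0} of {1} values differ from the .reg file" -f $bad.Count, $results.Count)
```

On Windows 10, where only the .NET Framework values are merged, the SCHANNEL rows may report KEY MISSING or VALUE MISSING; that means the operating system defaults apply, not that the merge failed.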

Note that TLS 1.2 is only available on Windows 7 SP1 or later, and Windows Server 2008 or later. Those operating systems therefore become the de facto minimum system requirements for TLS 1.2 compatibility.

The details of the .NET Framework TLS 1.x compatibility matrix and system requirements can be found here:

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

https://docs.microsoft.com/en-us/mem/configmgr/core/plan-design/security/enable-tls-1-2-client

Thanks to Michael Iten for helping with testing on Windows Server 2008 R2!




January 2020 Security Update

EDIT: See our follow-up post here!

Today, December 12, 2019, we tested the current production SwissDecTX 4.08 transmitter against the newest Swissdec Reference App (“Swissdec refapps 2019.11.1 (25698) 12.12.2019 13:16:13”), which is believed to implement the latest security specifications slated for release in January 2020.

We are pleased to inform our customers that the transmitter passed all our interoperability and transmission tests, using the ‘next’ Ref App URL pointing to the up-and-coming version of the Swissdec receiver:

https://tst.itserve.ch/swissdec/refapps/next/receiver/services/SalaryDeclarationService20130514

As of today, we do not plan to release a software update to accommodate the planned changes in the Swissdec Receiver security configuration, as the SwissDecTX 4.08 transmitter is already compatible with the January 2020 changes: the transmitter should continue to work seamlessly and does not necessitate any redeployment or changes on customers’ sites.

Be assured that we keep a close eye on the evolution of the Swissdec standard and will do our best to ensure the SwissDecTX transmitter keeps functioning reliably as the standard evolves.

Sincerely,
Axel Rietschin




SwissDecTX 4.08 Released

Geneva, July 17, 2016

Today, we announce the release of the SwissDecTX 4.08 transmitter for the Swissdec 4.0.0 directives, as part of our ongoing commitment to provide the best possible and most up-to-date Swissdec experience to our customers.

Version 4.08 introduces a new “proxy settings” option to the command-line interface of the transmitter, enabling users of this interface to specify a proxy host and port, and optionally a proxy user and password.

To that effect, a new parameter -p has been added to the PING, INTEROP, INTEROP2, TX, STATUS and DATA modes.

The syntax of the new -p parameter is as follows:

Examples:

Users of the transmitter’s various direct APIs have always had access to proxy settings through the ITransmitter4::SetProxy() and ITransmitter4::SetProxyWithCredentials() API functions or their C# or DLL equivalents.

The proxy feature introduced in version 4.08 is non-breaking: besides the addition of the new optional -p parameter, the operation of the command-line interface is identical. No other changes were made to the transmitter, so v4.08 is a fully backward-compatible drop-in replacement for all previous SwissDecTX transmitter 4.x versions.

The SwissDecTX 4.08 transmitter is available for immediate download.




SwissDecTX 4.07 Released

Geneva, June 6, 2016

Today, we announce the release of the SwissDecTX 4.07 transmitter for Swissdec 4.0.0, as part of our ongoing commitment to provide the best possible and most up-to-date Swissdec experience to our customers.

Version 4.07 introduces a new “per-machine” configuration mode where the administrator can decide to install and centrally configure the SwissDecTX transmitter for all users on a given computer, as opposed to the default mode where the transmitter is configured for the installing user only.

The new mode was introduced in response to user feedback and will prove helpful in some scenarios, such as Terminal Server / Citrix deployments. Please note that the per-user configuration is still the recommended default for most uses.

The new per-machine configuration option can be selected easily from the built-in Test & Configuration utility.

Additionally, users of the command-line tool, SwissDecTX.exe, can now pass a negative argument to the INTEROP2 second operand parameter. Previously, a bug prevented negative arguments, as -o2 -1.00 was interpreted by the tool as two separate switches. Users can now surround the second operand in single quotes to pass negative values, as in -o2 '-1.00'.

The SwissDecTX 4.07 transmitter has been thoroughly tested against the official Swissdec 4.0.0 test distributor [itServe AG Receiver Referenz Implementation 3.0.7_1 .7s (Build 21081)], as well as against the latest Swissdec working test distributor [4.0.0-SNAPSHOT (21320) 26.04.2016 15:24:42] and found to interoperate perfectly with both versions of the distributor.

As a side note, all releases of the SwissDecTX 4.x transmitters were always compliant with the latest published Swissdec 4.0.0 recommendations. In particular, the SwissDecTX transmitter has used the recommended RSA-OAEP and AES256-CBC encryption protocols exclusively since the first 4.0 release in late 2013, and those protocols have been successfully used in production with several certified “4.0” salary applications since early 2014.

The upcoming (June 2016) deprecation of some older protocols should not have any effect on existing SwissDecTX 4.0x transmitters. In particular, no redeployment is necessary, as all existing SwissDecTX 4.0x transmitters are already compliant with the latest transmitter requirements.

The SwissDecTX 4.07 transmitter is available for immediate download.




SwissDecTX 4.06 Released

Geneva, November 2, 2014

Today, we announce the release of the SwissDecTX 4.06 transmitter, as part of our ongoing commitment to provide the best possible and most up-to-date SwissDec experience to our customers.

Version 4.06 includes a minor change to the formatting of exception codes, where the DescriptionCode has been added to the formatted text. The code is available as part of the InnerException’s XML data (which contains all the exception’s details) but is now conveniently part of the formatted exception message. This change only affects users who were manually formatting the exception results.

The SwissDecTX 4.06 transmitter is available for immediate download.




SwissDecTX 4.05 Released

Geneva, October 15, 2014

Today, we announce the release of the SwissDecTX 4.05 transmitter, as part of our ongoing commitment to provide the best possible and most up-to-date SwissDec experience to our customers.

The only change from v4.04 is a tiny enhancement to the transmission journal configuration in the “per user” mode, where the transmitter now interprets the variable %USERNAME%, if present in the journal’s path name stored in the registry, and replaces it with the name of the currently logged-on user.

Most users are not affected in any way by this change, as the log is usually stored in a “per machine” location, independently of the current user, which is the recommended setup.




SwissDecTX 4.04 Released

Geneva, September 28, 2014

Today, we announce the release of the SwissDecTX 4.04 transmitter, as part of our ongoing commitment to provide the best possible and most up-to-date SwissDec experience to our customers.

The only change from v4.03 is a cosmetic fix in the optional XML-to-HTML conversion, where the status data for the FAK-CAF domain was not styled properly in the HTML output.




SwissDecTX 4.03 Released

Geneva, September 17, 2014

Today, we announce the release of the SwissDecTX 4.03 transmitter, as part of our ongoing commitment to provide the best possible and most up-to-date SwissDec experience to our customers.

Changes from v4.02 include full support for the ‘Statistic’ domain that has been enabled on SwissDec (thanks to Mário Petráš from P&I AG, who kindly helped validate the feature).

The new version also delivers native support for 64-bit Windows: when deploying the SwissDecTX 4.03 transmitter on a computer running a 64-bit version of Windows, the installer will automatically deploy 64-bit components such as a 64-bit version of the command-line utility (SwissDecTX.exe) and a 64-bit version of the DLL interface proxy (SwissDecTX64.dll) in addition to the 32-bit DLL proxy.

Customer applications written to take advantage of 64-bit platforms can now transmit data to SwissDec while staying entirely within the 64-bit domain. Of course, full compatibility with 32-bit applications running on 64-bit Windows is preserved, and nothing has changed regarding the 32-bit world, so the SwissDecTX 4.03 transmitter is fully backward-compatible and a drop-in replacement for all previous SwissDecTX 4 versions.

This release also includes minor internal adaptations in preparation for the upcoming SwissDecTX Gateway add-in, a high-performance, high-volume software gateway enabling SwissDec transmission from computers not directly connected to the internet and/or running on virtually any platform, including non-Windows operating systems. The gateway also enables high-throughput local queuing of SwissDec declarations and decoupled background transmission using a very simple yet robust file-based protocol.




SwissDecTX Gateway details released

Geneva, 7 September 2014

We are pleased to release the details of the SwissDecTX Gateway software add-in to the SwissDecTX transmitter 4.x.

Designed for high volume, performance and stability, the gateway add-in enables salary applications not running on the Windows operating system and/or not directly connected to the internet to communicate with SwissDec effortlessly, using a simple file-based protocol.

Read all the details on the new page dedicated to the Gateway add-in!




Image Gallery Added

Geneva, 9 April 2014

An image gallery has been added to the site. Check it out! You will find screenshots of the Test & Configuration tool and of the developer’s help file (API documentation), as well as a screenshot from our internal testing.

Note that the API documentation CHM help file for developers can be downloaded directly from this site (and is also part of the product downloads).