TLSv1.2

VGS has deprecated support for SSL and for all TLS versions earlier than TLS version 1.2 (TLSv1.2).

Why does this matter?

For your integration to continue to work, you will need to upgrade to TLSv1.2, our latest security version. Older TLS versions are vulnerable to security breaches with the wrong cipher suites. Be sure to upgrade your integration's TLS version to support TLSv1.2.

Your VGS integration will stop working if you continue to use any SSL/TLS version less than TLSv1.2 beyond these dates:

  • Sandbox: March 31st, 2018
  • Production: June 30th, 2018

What is TLS?

TLS stands for “Transport Layer Security.” It provides privacy and data integrity between two communicating applications. It is used to authenticate one or both applications, and protect the confidentiality and integrity of information that passes between them.

Over time, different versions of TLS have been released. TLS 1.2 was released in August 2008 and addresses many vulnerabilities identified in the earlier versions.

What happens if I don’t upgrade?

PCI DSS standard version 3.1 was retired in October 2016 and makes all older TLS versions (e.g. SSL v3, TLS 1.0, TLS 1.1) non-compliant. The standard requires the new TLS requirement to be implemented.

VGS has decided to proactively implement PCI DSS guidelines to provide greater protection to our clients. If you don’t upgrade your TLS version by the cutoff date communicated to you in developer communications, you will no longer be able to use your projects in any environment.

If you have any further questions, you can always reach us via site chat or email us at support@verygoodsecurity.com.

How do I find which version of TLS I am using?

For example, in Java the getProtocol() method of SSLSession returns the TLS version you are using.

Please refer to the Java documentation for the details.

How to Upgrade:

Application

If your application does not automatically pick up TLS 1.2, you need to explicitly provide that as an override.

For example, for the SoapUI tool, set the -Dsoapui.https.protocols property to TLSv1.2. Refer to the appropriate documentation on how to set the SSL/TLS version for your application.

Please refer to compatibility guidelines for the most popular Languages and Libraries:

Java

  • Java 1.6: TLS 1.2 is not supported in Oracle public updates. It is supported in the business edition starting with Oracle Java version 6u115 b32.
  • Java 1.7: TLS 1.2 is supported, but it needs to be explicitly enabled by selecting the enabled protocols while creating the SSLSocket and SSLEngine instances.
  • Java 1.8 and later versions: TLS 1.2 is supported without any additional requirements.

Enable TLS 1.2:

Oracle’s Guidance: Configure Java Cryptography

Add -Dhttps.protocols="TLSv1.2" -Djdk.tls.client.protocols="TLSv1.2" to the Java command-line arguments used to launch the client application. This will allow turning off support for TLS 1.1 and below on the server side completely and will support TLSv1.2.

Java client with basic URL connection: Java client with basic URL connection

Java client using Apache Http Components client: Java Apache Commons Client

Java exception in case of incorrect TLS version: Java tlsv1.2 exception

Please refer to the Oracle blog jdk8 tls1.2 default for more details.

Ruby

Ruby uses the system OpenSSL. OpenSSL v0.9.8 will no longer work, but later versions work without any changes required. OpenSSL v1.0.1 supports TLS 1.2 by default. With Ruby 2.0, you can test the connection with this script: Ruby tls1.2 client

Ruby exception in case of incorrect TLS version: Ruby tls1.2 client exception

Please refer to the Ruby docs OpenSSL topic for more information.

Python

Just like Ruby, you should update the OpenSSL version. You can test the TLS connectivity with the following code snippet: Python tls1.2 client

Python exception in case of incorrect TLS version: Python tls1.2 client exception

Please refer to the Python SSL Guidance for more information.
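
The two Python checks above (testing connectivity, and the exception raised for an incorrect TLS version) as an added example that is not VGS's own snippet: a client context that refuses anything below TLS 1.2, a probe that reports the version negotiated with a host you supply, and an offline handshake against a constructed TLS 1.0/1.1 ServerHello that shows the rejection. The function names, the placeholder hostname legacy.example and the ServerHello bytes are assumptions made for this example.

```python
import socket
import ssl

# Wire versions of the protocols the page says are no longer accepted.
LEGACY = {"TLSv1.0": b"\x03\x01", "TLSv1.1": b"\x03\x02"}


def tls12_client_context() -> ssl.SSLContext:
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_version(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Connect to host (needs network) and return the agreed protocol, e.g. 'TLSv1.2'."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls12_client_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def constructed_server_hello(version: bytes) -> bytes:
    """Constructed sample: a bare ServerHello record announcing `version`."""
    body = version + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"  # random, sid, suite, comp
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(handshake).to_bytes(2, "big") + handshake


def legacy_rejection(name: str) -> tuple:
    """Offline handshake against a legacy ServerHello; returns (rejected, reason)."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = tls12_client_context().wrap_bio(incoming, outgoing, server_hostname="legacy.example")
    try:
        client.do_handshake()          # emits the ClientHello into `outgoing`
    except ssl.SSLWantReadError:
        pass                           # expected: the client now waits for the server
    incoming.write(constructed_server_hello(LEGACY[name]))
    try:
        client.do_handshake()
    except ssl.SSLWantReadError:
        return (False, None)           # hello accepted, client wants more data
    except ssl.SSLError as exc:
        return (True, exc.reason)      # reason text depends on the OpenSSL build
    return (False, None)


if __name__ == "__main__":
    for name in LEGACY:
        print(name, "server ->", legacy_rejection(name))
```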

Curl

Curl supports TLS 1.2 starting with version 7.34.0. Please use the following command to test the connection: Python tls1.2 client exception