If you are relying on TLS 1.0 - please make urgent changes to switch to version 1.2. See the details below.
Transport Layer Security (TLS) is the encryption protocol used for secure communications between your API clients and API Gateway, as well as between the gateway and your service backend. TLS is also sometimes referred to as SSL - the protocol that preceded it.
There are 3 versions of TLS available at the moment: 1.0, 1.1, and 1.2. Both sides of the encrypted channel can support any combination of these and negotiate the highest common version at the beginning of the communication. TLS 1.0 is the oldest version and, in many implementations, is vulnerable to well-known attacks such as BEAST and POODLE. There are also cryptographic weaknesses in TLS 1.0 itself, such as initialization vectors (IVs) being predictable in some implementations.
WSO2 API Cloud supports all 3 versions: 1.0, 1.1, and 1.2 - and we highly recommend that you switch to TLS 1.1 or 1.2 on your side to ensure secure communications. TLS 1.2 is strongly recommended as the latest and the most secure version.
We will be disabling TLS v1.0 completely in January 2017. Please start your work on switching to TLS 1.2 (or at least 1.1) in both your client and backend communications. To make your readiness testing easier, we are making available a sandbox gateway (sandbox-gateway.cloud.wso2.com) that only supports TLS 1.1 and 1.2.
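The following Python 3 script is an added example for that readiness test; it is not part of this announcement or of WSO2's own tooling. It builds a client `SSLContext` whose floor is TLS 1.2 (optionally 1.1), shows the permissive configuration next to it for contrast, and attempts a handshake against the sandbox gateway named above, reporting the negotiated protocol version. It assumes Python 3.7 or later (for `ssl.TLSVersion` and `minimum_version`), that the gateway listens on port 443, and that outbound HTTPS is allowed from where you run it.

```python
import socket
import ssl

# Sandbox gateway from the announcement; it accepts only TLS 1.1 and 1.2.
SANDBOX_HOST = "sandbox-gateway.cloud.wso2.com"
SANDBOX_PORT = 443  # assumption: the gateway serves HTTPS on the standard port

# Negotiated versions this check reports as acceptable. The announcement
# recommends 1.2 and tolerates 1.1; 1.3 is newer than the page but also fine.
ACCEPTABLE_VERSIONS = ("TLSv1.1", "TLSv1.2", "TLSv1.3")


def make_client_context(allow_tls11=False):
    """Build a client SSLContext that refuses TLS 1.0 and older.

    create_default_context() keeps certificate verification and hostname
    checking on; we only lower or raise the protocol floor. With
    allow_tls11=False the floor is TLS 1.2, which is the recommended setting.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = (ssl.TLSVersion.TLSv1_1 if allow_tls11
                           else ssl.TLSVersion.TLSv1_2)
    return ctx


def make_permissive_context():
    """The weak configuration, for comparison only: any version OpenSSL
    still supports may be negotiated, including TLS 1.0 where available.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def legacy_tls_disabled(ctx):
    """True when the context can no longer negotiate TLS 1.0 or older."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_1


def probe(host, port=443, allow_tls11=False, timeout=10.0):
    """Handshake with TLS 1.0 disabled and report what was negotiated.

    Returns a dict with ok=True plus version/cipher on success, or ok=False
    plus the error text if the handshake failed. Against the sandbox gateway
    a failure means the local TLS stack (Python + OpenSSL) cannot speak
    TLS 1.1/1.2; against your own backend it means the backend does not
    offer TLS 1.2 (or 1.1) to the gateway.
    """
    ctx = make_client_context(allow_tls11=allow_tls11)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                cipher_name = tls.cipher()[0]
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return {"ok": False, "error": str(exc)}
    return {
        "ok": True,
        "version": version,
        "cipher": cipher_name,
        "acceptable": version in ACCEPTABLE_VERSIONS,
    }


if __name__ == "__main__":
    # Readiness check of this machine's client stack against the sandbox.
    result = probe(SANDBOX_HOST, SANDBOX_PORT)
    if result["ok"]:
        print("negotiated %s with %s (acceptable: %s)"
              % (result["version"], result["cipher"], result["acceptable"]))
    else:
        print("handshake failed: %s" % result["error"])
```

Run it as-is to confirm the client side; point `probe()` at your own backend's hostname to confirm the service the gateway calls also accepts a TLS 1.2-only client. A failed handshake against the sandbox, with the same code succeeding against a server that still allows TLS 1.0, is the symptom the compatibility table below is meant to help you diagnose.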
| Library | TLS 1.1/1.2 compatibility notes |
| --- | --- |
| Java 8 (1.8) and later | Compatible by default |
| Java 7 (1.7) | See the Java documentation to enable TLS 1.1 and TLS 1.2 |
| Java 6 (1.6) and earlier | Not compatible with TLS 1.1 or later |
| .NET 4.5 and later | Compatible by default |
| .NET 4.0 | TLS 1.2 is not enabled by default. To enable it, set the SchUseStrongCrypto DWORD value to 1 in the following two registry keys, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\ |
| .NET 3.5 and earlier | Not compatible with TLS 1.1 or later |
| Python 2.7.9 and later | Compatible by default |
| Python 2.7.8 and earlier | Not compatible with TLS 1.1 or later |
| Ruby 2.0.0 | TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or later. Setting an SSLContext's ssl_version to the :TLSv1_2 (preferred) or :TLSv1_1 symbol ensures TLS 1.0 and earlier are disabled |
| Ruby 1.9.3 and earlier | The :TLSv1_2 symbol does not exist in 1.9.3 and earlier. Ruby can be patched to add that symbol and compiled against OpenSSL 1.0.1 or later |
| Windows Server 2008 R2 and later | Compatible by default |
| Windows Server 2008 and earlier | Not compatible with TLS 1.1 or later |
| OpenSSL 1.0.1 and later | Compatible by default |
| OpenSSL 1.0.0 and earlier | Not compatible with TLS 1.1 or later |
| Mozilla NSS 3.15.1 and later | Compatible by default |
| Mozilla NSS 3.14 to 3.15 | Compatible with TLS 1.1, but not with TLS 1.2 |
| Mozilla NSS 3.13.6 and earlier | Not compatible with TLS 1.1 or later |
Please contact us if you have any questions.