cloudblog
2016/08/02

WSO2 API Cloud Switching to TLS 1.1 and 1.2

If you are relying on TLS 1.0, please make urgent changes to switch to version 1.2. See the details below.

Transport Layer Security (TLS) is the encryption protocol used for secure communications between your API clients and API Gateway, as well as between the gateway and your service backend. TLS is also sometimes referred to as SSL - the protocol that preceded it.

There are three versions of TLS in use at the moment: 1.0, 1.1, and 1.2. Each side of the connection can support any combination of these, and the two sides negotiate the highest version they have in common at the start of the handshake. TLS 1.0 is the oldest version. Its CBC cipher suites use the last ciphertext block of the previous record as the IV for the next record, so IVs are predictable; that is the weakness the BEAST attack exploits. POODLE targets the padding handling of SSL 3.0, but several TLS 1.0 implementations that did not validate padding were found to be affected as well.

WSO2 API Cloud supports all 3 versions: 1.0, 1.1, and 1.2 - and we highly recommend that you switch to TLS 1.1 or 1.2 on your side to ensure secure communications. TLS 1.2 is strongly recommended as the latest and the most secure version.

We will be disabling TLS v1.0 completely in January 2017.

Please start your work on switching to TLS 1.2 (or at least 1.1) in both your client and backend communications. To make your readiness testing easier, we are making available a sandbox gateway (sandbox-gateway.cloud.wso2.com) that only supports TLS 1.1 and 1.2.

For backend communications:

  1. See your server manual for information on TLS configuration and configure it to use the latest version of TLS it supports.
  2. Then test the communications by replacing gateway.api.cloud.wso2.com with sandbox-gateway.cloud.wso2.com in your API call. The sandbox gateway only uses TLS 1.1 or 1.2 when it connects to your backend, so if the call succeeds your backend is ready for the TLS 1.0 decommissioning.

For client communications:

  1. Switch to a version of your client technology that supports the latest version of TLS (1.2 is recommended; 1.1 is not recommended but will remain supported for now). See the table below for details.
  2. Then test the communications by replacing gateway.api.cloud.wso2.com with sandbox-gateway.cloud.wso2.com in your API call. The sandbox gateway only accepts TLS 1.1 or 1.2 from clients, so if the call succeeds your client is ready for the TLS 1.0 decommissioning.

Library                            TLS 1.1/1.2 compatibility notes
---------------------------------  --------------------------------------------------------------------
Java 8 (1.8) and later             Compatible by default.
Java 7 (1.7)                       TLS 1.1 and 1.2 are implemented but not enabled by default on the
                                   client side; enable them (for example with an SSLContext created for
                                   "TLSv1.2", or the https.protocols system property for
                                   HttpsURLConnection) as described in the Java documentation.
Java 6 (1.6) and earlier           Not compatible with TLS 1.1 or later.
.NET 4.6 and later                 Compatible by default.
.NET 4.5                           TLS 1.1 and 1.2 are supported but not selected by default for
                                   ServicePointManager; set ServicePointManager.SecurityProtocol to
                                   SecurityProtocolType.Tls12 in your code.
.NET 4.0                           TLS 1.2 is not enabled by default. With .NET Framework 4.5 or later
                                   installed on the machine (4.0 is upgraded in place), set the
                                   SchUseStrongCrypto DWORD value to 1 in both of the following registry
                                   keys, creating them if they do not exist:
                                   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
                                   HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319
.NET 3.5 and earlier               Not compatible with TLS 1.1 or later.
Python 2.7.9 and later             Compatible by default.
Python 2.7.8 and earlier           Not compatible with TLS 1.1 or later.
Ruby 2.0.0                         TLS 1.2 is enabled by default when built against OpenSSL 1.0.1 or
                                   later. Setting an SSLContext's ssl_version to :TLSv1_2 (preferred) or
                                   :TLSv1_1 ensures TLS 1.0 and earlier are disabled.
Ruby 1.9.3 and earlier             The :TLSv1_2 symbol does not exist; Ruby can be patched to add it and
                                   compiled against OpenSSL 1.0.1 or later.
Windows Server 2008 R2 and later   Compatible by default.
Windows Server 2008 and earlier    Not compatible with TLS 1.1 or later.
OpenSSL 1.0.1 and later            Compatible by default.
OpenSSL 1.0.0 and earlier          Not compatible with TLS 1.1 or later.
Mozilla NSS 3.15.1 and later       Compatible by default.
Mozilla NSS 3.14 to 3.15           Compatible with TLS 1.1, but not with TLS 1.2.
Mozilla NSS 3.13.6 and earlier     Not compatible with TLS 1.1 or later.

Please contact us if you have any questions.