OneSpan Sign Developer: Dropping Support for TLS 1.0
As of last September 10, 2018, OneSpan Sign has completely dropped support for Transport Layer Security 1.0 (TLS 1.0) for all HTTPS connections in both the Product and Sandbox environment. In this blog, we will review SSL/TLS, talk about why TLS 1.0 is no longer considered a secure protocol, and help you check whether you are affected by this drop. If your deployment of OneSpan Sign is affected, we’ll demonstrate how you can transition your environment to drop TLS 1.0 and enable support for TLS 1.1 or a higher version in PHP, Ruby and Node.js.
For Java and .Net environment, you can refer to our previous blog: OSS and TLS Communication: What's the Latest?
TLS 1.0 Is No Longer Safe
TLS is a protocol that provides privacy and data integrity between two applications that communicate. TLS 1.0 was released in 1999 and has been around for 20 years. For years, the industry has known that this version is vulnerable to attacks, such as BEAST and POODLE. In addition, it supports weak encryption and can no longer protect today's network connections.
In order to align with industry best practices, OneSpan Sign has dropped support for TLS 1.0. Now the minimum transport protocol version is TLS 1.1, but TLS 1.2 is strongly recommended.
Updating TLS in PHP
Step1:
PHP uses the system-supplied cURL library (cURL 7.34.0 or later), which requires OpenSSL 1.0.1c or later. You can use below script to retrieve this information:
echo json_encode(curl_version(), JSON_PRETTY_PRINT);
If your cURL and OpenSSL version are older than the minimum requirement, you might need to update your SSL/TLS libraries.
Step2:
To verify your current default TLS version, you can make a test request with “curl” to “howsmyssl” by using following script:
<?php $ch = curl_init('https://www.howsmyssl.com/a/check'); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $data = curl_exec($ch); curl_close($ch); $json = json_decode($data); echo $json->tls_version; ?>
This script will then display the TLS version used to connect. If your OpenSSL version supports, you can add this line to explicitly set your TLS version:
curl_setopt ($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_1); //TLS 1.1 curl_setopt ($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2); //TLS 1.2
Updating TLS in Node.js
Step1:
Node.js also uses the system supplied OpenSSL, which requires OpenSSL 1.0.1c or later. The following command can be used to verify your OpenSSL version linked to your Node.js:
node -p process.versions
Step2:
We still use “howsmyssl” as a request test. You can use below snippet to yield your current default TLS connection version:
var https = require('https') var options = { hostname: 'www.howsmyssl.com', port: 443, path: '/a/check', method: 'GET', } https.request(options, res => { let body = '' res.on('data', d => body += d) res.on('end', () => { data = JSON.parse(body) console.log('SSL Version: ' + data.tls_version) }) }).on('error', err => { console.warn(err) }).end()
In your request options, you can also assign secure protocol version you want in your request option by:
secureProtocol: "TLSv1_2_method" //TLS 1.2 secureProtocol: "TLSv1_1_method" //TLS 1.1
Updating TLS in Ruby
Step1:
TLS 1.1& 1.2 support was added to Ruby in v2.0.0. Just like PHP and Node.js, Ruby requires a system-supplied OpenSSL and the minimum version is 1.0.1c.
To verify the version of OpenSSL currently installed with Ruby, you can use the following command:
ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
Step2:
In Ruby, you must still connect to “howsmyssl” endpoint to get a connection report:
require "net/https" require "uri" require "json" uri = URI.parse("https://www.howsmyssl.com/a/check") http = Net::HTTPS.new(uri.host, uri.port) http.use_ssl = true resp = JSON.parse(http.request(Net::HTTP::Get.new(uri.request_uri)).body) puts resp['tls_version']
And the SSL version can be set in this way:
http.ssl_version = :TLSv1_1 //TLS 1.1 http.ssl_version = :TLSv1_2 //TLS 1.2
Moving Forward with TLS 1.1
Inevitably, old versions of applications need to be retired one day for one reasons or another, and TLS 1.0 was retired for security reasons. Therefore, it’s imperative that you update your version to at least TLS 1.1, though TLS 1.2 is preferable. For those security reasons, customers who use TLS 1.0 are no longer able to access OneSpan Sign service until they update their version.
If you have any questions regarding this blog or anything else concerning integrating OneSpan Sign into your application, visit the Developer Community Forums. Your feedback matters to us!