Security update for HTTPS connections
FAQ dedicated to updating TLS protocols and ciphers used
I need help with
Scope and Dates
What will happen?
From October 8, 2024, in a production environment, and May 8, 2024, in a quality environment, all our communications made available via HTTPS (APIs, web services, AS2, AS4, web portals) will only allow connections via TLS 1.2 or 1.3 and only with one of the following Cipher Suites:
TLS Version OpenSSL cipher Names IANA cipher names TLS 1.2 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS 1.2 ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 ECDHE-ECDSA-CHACHA20-POLY1205 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS 1.2 ECDHE-RSA-CHACHA20-POLY1205 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS 1.3 TLS-AES-256-GCM-SHA384 TLS_AES_256_GCM_SHA384 TLS 1.3 TLS-CHACHA20-POLY1305-SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS 1.3 TLS-AES-128-GCM-SHA256 TLS_AES_128_GCM_SHA256 This means that, in order to communicate with our services via HTTPS, you will need to support one of these versions of TLS and one of these ciphers.
Communications that do not use HTTPS will not be affected by this change.
When will it happen?
This update will have two dates, depending on the environment:
– 05/08/2024 – Quality Environment
– 08/10/2024 – Production Environment
What should I do?
You must ensure the compatibility of your implementation with these new security requirements. To this end, we recommend that the next steps are:
– Contact your IT department or technology partner, to report this update, so that they can start this process.
– Verification of how your systems access our applications, namely which version of the protocol is used in communication.
– Update of the protocol version if necessary.
What happens if I don't update?
If you do not ensure that you support one of these TLS versions and one of the Ciphers Suites indicated, you will no longer be able to connect to our services (web portals, APIs, AS2 and AS4 channels). In this case, you will no longer be able to send and receive documents.
It is essential that you guarantee the support of these protocols.
Which SOVOS Saphety applications will be affected?
The applications and services affected by this update will be the following:
– Saphety Invoice Network Portal
– EDI Portal (SaphetyDOC)
– Saphety DOC+
– TicketBai
Why move to newer TLS versions?
Due to several vulnerabilities detected, the Internet Engineering Task Force (IETF) explicitly announced that TLS 1.0 and TLS 1.1 should not be used and both have been discontinued.
Therefore, for security reasons, it is mandatory to upgrade to TLS version 1.2 or 1.3 in order to obtain a higher cipher suite and more secure communication.
TLS protocol
What is Transport Layer Security (TLS)?
TLS is the cryptographic protocol that provides communication security for all current websites, created to allow confidentiality and data security in internet communications.
It was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and the first version was published in 1999. The most recent is version TLS 1.3, published in 2018.
The TLS protocol has three main functions: Encryption, Authentication and Integrity.
– Encryption: using cryptographic algorithms, it encrypts data in transit so that third parties cannot access it.
– Integrity: ensures that data has not been tampered with.
– Authentication: guarantees authenticity of the communicating parties.
What is the difference between TLS and HTTPS?
HTTPS is the implementation of TLS over the HTTP protocol, which is used by all websites and most web services. All websites that use HTTPS use TLS encryption.
Security requirements
What are the new security requirements?
With this update, all our communications made available via HTTPS (APIs, web services, AS2, AS4, web portals) will only allow connections via TLS 1.2 or 1.3 and only with one of the following Cipher Suites:
TLS Version OpenSSL cipher Names IANA cipher names TLS 1.2 ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS 1.2 ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS 1.2 ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS 1.2 ECDHE-ECDSA-CHACHA20-POLY1205 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS 1.2 ECDHE-RSA-CHACHA20-POLY1205 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 TLS 1.3 TLS-AES-256-GCM-SHA384 TLS_AES_256_GCM_SHA384 TLS 1.3 TLS-CHACHA20-POLY1305-SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS 1.3 TLS-AES-128-GCM-SHA256 TLS_AES_128_GCM_SHA256 This means that, in order to communicate with our services via HTTPS, you will need to support one of these versions of TLS and one of these ciphers.
Communications that do not use HTTPS (e.g. SFTP, or plain HTTP) will not be affected by this change.
Compatibility
How do I know if I can support these new security requirements?
To ensure that you have a way to test the support of these security configurations, and ensure that your service is not interrupted, we provide temporary endpoints with the same configurations, versions and ciphers that we will apply to the real endpoints.
This allows testing to be carried out now and ensuring compatibility with new configurations before the full implementation of these new policies.
See the document that describes some processes and tools that you can follow to analyze connections and verify support for these new security settings at the network and operating system level.
Find the endpoint you currently use here, and see which temporary endpoint is corresponding, so you can use it to verify communications, with the new security requirements.
Ensuring communication via these temporary endpoints will ensure that you will not have problems on the dates when we apply the new security configurations.
You can, if you wish, use these temporary endpoints to submit documents and check that the entire process works. Please note that you must revert to the real endpoint once communication is guaranteed.
IMPORTANT NOTES:
– Temporary endpoints will process all documents sent here, in the same way as the endpoints you already use. We therefore recommend that, for the production environment, you submit documents that you really want to process or documents with invalid formats or data, to give an error in validations, but still allow you to test the communication channel.
– After testing, and once communication has been ensured, you should return to using the services’ real endpoints, as these endpoints are temporary and only for testing purposes. They will be discontinued after the transition to the new security settings.
Temporary endpoints to allow early testing can be consulted here.
How to check your browser compatibility?
Via your browser you can use several online tools that check your browser’s compatibility with different versions of the TLS protocol and supported ciphers (for example: https://browserleaks.com/tls or https://clienttest.ssllabs.com:8443/ ssltest/viewMyClient.html )