When developing integrations with external services (REST, SOAP), the remote endpoint often requires a specific TLS protocol version, namely:
- TLS 1.1
- TLS 1.2
When calling those APIs from OutSystems applications, the integration may fail with errors such as:
- The request was aborted: Could not create SSL/TLS secure channel.
- Unsupported protocol. You need to enable TLS X.X to use this API
(Other errors related to the required TLS version may also occur.)
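Both errors usually mean the same thing: the .NET Framework process behind the OutSystems integration is still offering only SSL 3.0 and TLS 1.0 (the default on .NET 4.5 and earlier), and the remote server refuses anything below TLS 1.2. The following example is added here and is not OutSystems code; it shows the two things a practitioner needs, enabling the newer protocol versions process-wide before the first request, and probing a host to see which version the server actually negotiates for each offered protocol. The host name, the `TlsCheck` class and the `Negotiate` helper are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example, not part of the original page or of OutSystems.
public static class TlsCheck
{
    // On .NET Framework 4.5 and earlier the process-wide default is SSL 3.0 + TLS 1.0 only,
    // which is exactly what produces "Could not create SSL/TLS secure channel" against a
    // server that requires TLS 1.2. This must run before the first outbound request.
    public static void EnableModernTls()
    {
        // .NET 4.5+ has the named members. On 4.0 the same bits can be set by casting:
        // (SecurityProtocolType)768 == Tls11, (SecurityProtocolType)3072 == Tls12.
        // Add SecurityProtocolType.Tls11 only if the remote service still insists on it.
        ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
    }

    // Open a raw TLS connection offering only the given protocol(s) and return what the
    // server negotiated. Throws AuthenticationException (or IOException when the server
    // simply drops the connection) if none of the offered versions is acceptable.
    public static SslProtocols Negotiate(string host, int port, SslProtocols offered)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host, null, offered, checkCertificateRevocation: true);
            return ssl.SslProtocol;
        }
    }

    public static void Main(string[] args)
    {
        // Assumed target host; replace with the API endpoint you are integrating with.
        string host = args.Length > 0 ? args[0] : "example.com";

        // Probe each version separately so the output shows which ones the server rejects.
        foreach (var proto in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            try
            {
                Console.WriteLine("{0,-6} offered -> negotiated {1}", proto, Negotiate(host, 443, proto));
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("{0,-6} offered -> rejected ({1})", proto, ex.Message);
            }
            catch (IOException ex)
            {
                Console.WriteLine("{0,-6} offered -> connection dropped ({1})", proto, ex.Message);
            }
        }

        // Now the actual fix: enable TLS 1.2 for the whole process and repeat a normal request.
        EnableModernTls();
        var request = (HttpWebRequest)WebRequest.Create("https://" + host + "/");
        using (var response = (HttpWebResponse)request.GetResponse())
        {
            Console.WriteLine("HTTPS request after enabling TLS 1.2: HTTP {0}", (int)response.StatusCode);
        }
    }
}
```

The `ServicePointManager.SecurityProtocol` setting is process-wide, so in an OutSystems environment it belongs in code that runs before any integration call (for example an extension). On .NET Framework 4.7 and later the preferred route is to leave the setting at its default and let the operating system choose, which requires the `SchUseStrongCrypto` DWORD under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319` (and the `Wow6432Node` equivalent) to be set to 1, followed by a restart of the affected processes.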
TLS 1.0 is no longer considered secure. Its CBC cipher suites have known weaknesses (BEAST, and POODLE-style padding oracles in some implementations), and a client that still falls back to SSL 3.0 can be pushed down to that version by an attacker who interferes with the handshake. TLS 1.1 has no practical attack against the protocol as a whole, but the same fallback-based downgrade affects some versions and installations, and its MD5/SHA-1 based constructions are weak by today's standards. Both versions have since been formally deprecated by the IETF (RFC 8996).
If a connection is made with an older SSL/TLS revision, an attacker on the network path can read or alter the traffic while nothing about the connection indicates it. A compromised secure connection is no better than a plain one, but it gives a false sense of security.
Revising and deprecating protocols is expected to happen occasionally, as cryptanalysis and processing speeds improve over time. This deprecation notice is for our customers' security: anyone who keeps up with the latest developments will already be protected, while those who have not may still be using an insecure method.
What is TLS?
Transport Layer Security (TLS) is a protocol that provides privacy and integrity between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party can eavesdrop on or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
- TLS 1.1 Spec: http://tools.ietf.org/html/rfc4346
- TLS 1.2 Spec: http://tools.ietf.org/html/rfc5246
- Vulnerabilities prompting moving from TLS 1.0/1.1: https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/
- TLS 1.0 and 1.1 derive keys with a PRF built from MD5 and SHA-1 together (P_MD5 XOR P_SHA-1) and sign handshake messages over an MD5 and SHA-1 concatenation, whereas TLS 1.2 uses SHA-256 in its PRF, lets the peers negotiate the signature hash, and is the first version with AEAD cipher suites such as AES-GCM. No practical break of the combined MD5/SHA-1 construction is public, but both hashes are individually broken for collisions, so an attack on TLS 1.1 sits somewhere between "will be plausible in a few years" and "actively in use by nation states."