UIS Servers end support for TLS 1.0 on June 30, 2018
What is Transport Layer Security 1.0 (TLS 1.0)?
As stated by Wikipedia, "Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now prohibited from use by the IETF – are cryptographic protocols that provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, Internet faxing, instant messaging, and voice over IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers."
"TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0, and written by Christopher Allen and Tim Dierks of Consensus Development. As stated in the RFC, "the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0". TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security."
What is UIS doing about it?
- UIS will be disabling communications with services using TLS 1.0 on June 30, 2018.
- UIS will be performing patches and updates on core university servers and those applications managed by UIS under PUCS agreements.
- UIS will be notifying departments where issues are known so that departments can address those issues. It is the department's responsibility to resolve these issues or find reputable outside vendors who can assist them with the changes required.
Why is UIS doing this?
- The PCI Security Standards Council has declared that TLSv1.0 no longer meets minimum security standards. This is in large part due to vulnerabilities within the TLSv1.0 protocol that cannot be fixed.
- Payment Card Industry standards require that TLS 1.0 be disabled by June 30. The Payment Card Industry Security Standards Council has a blog post that explains the change and the reasons behind it.
- The National Institute of Standards and Technology (NIST) has directed that government agencies and organizations, including colleges and universities, accepting funds from the federal government must protect citizens' data, and has stated that TLS 1.0 does not meet its requirements.
What impact could this cause?
- Support for older web browsers and operating systems that cannot support higher TLS versions will end. This may cause issues for users with very old systems, who will no longer be able to access our sites. However, many other services we use from Box, Google, and others already refuse connections from these older systems, so this should not be anything new.
- Vendor-run and department-run servers you work with may stop communicating with UIS servers if they have not upgraded to more secure methods. Communications between servers for email, single sign-on, web interfaces, and other transactions that cannot support TLS 1.1 or higher will fail.
How can I tell if my computer or server is using TLS 1.0?
- You can see if your browser supports TLS 1.1 or 1.2 at the Qualys SSL Labs Site:
- If your server is accessible to the Internet, you can use the Qualys SSL Server Test to see if TLS 1.0 is still enabled and if newer versions are supported.
- You can view instructions on how to enable TLS 1.1 and 1.2 on different web browsers at a site hosted by GeoTrust.
- If your server is not accessible to the Internet, you may submit your server host name and IP address to email@example.com and request that UIS test the server with internal tools. We will provide a report back for you to address the known vulnerabilities.
- Contact your vendors and ask for certification that they will be compliant by June 30th, 2018. In communicating with your vendor, ask the vendor representative if their servers have TLS 1.0 disabled and if they support TLS 1.2 or higher.
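For servers that are not reachable by the Qualys test, the same question (is TLS 1.0 still accepted, and is TLS 1.2 supported?) can be answered from a shell with the openssl command-line tool. The script below is an added example and is not part of the original UIS announcement or its tooling; it assumes the `openssl` CLI is installed and that the probed host is reachable on the given port. The transcript strings at the top are constructed to resemble `openssl s_client` output so the classifier can be exercised offline.

```shell
#!/bin/sh
# Added example: probe a server for TLS 1.0 acceptance and TLS 1.2 support
# using openssl s_client. Assumes the openssl CLI is available on PATH.

# Constructed sample transcripts (not real captures) in the shape openssl
# s_client prints, used to exercise classify_handshake without a network.
SAMPLE_TLS12_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
    Protocol  : TLSv1.2'
SAMPLE_TLS10_REFUSED='SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1'

# classify_handshake OUTPUT -> prints "accepted", "rejected" or "inconclusive"
# based on the text openssl s_client wrote to stdout/stderr for one version.
classify_handshake() {
  case "$1" in
    *"Cipher is (NONE)"*)       echo rejected ;;      # no cipher negotiated: server refused this version
    *"no protocols available"*) echo inconclusive ;;  # local OpenSSL cannot offer this version at all
    *"Cipher is "*)             echo accepted ;;      # a cipher suite was negotiated: version accepted
    *)                          echo inconclusive ;;  # anything else (DNS failure, timeout, ...)
  esac
}

# probe_version HOST PORT FLAG -> classification for one protocol version.
# FLAG is an openssl s_client version option: -tls1, -tls1_1 or -tls1_2.
probe_version() {
  host=$1; port=$2; flag=$3
  # Empty stdin makes s_client exit right after the handshake; 2>&1 keeps the
  # alert text, which OpenSSL writes to stderr.
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" "$flag" 2>&1)
  classify_handshake "$out"
}

# tls_report HOST [PORT] -> prints one summary line and returns 0 only when
# TLS 1.0 is rejected and TLS 1.2 is accepted, the state this page asks for.
tls_report() {
  host=$1; port=${2:-443}
  v10=$(probe_version "$host" "$port" -tls1)
  v11=$(probe_version "$host" "$port" -tls1_1)
  v12=$(probe_version "$host" "$port" -tls1_2)
  printf '%s:%s  TLS1.0=%s  TLS1.1=%s  TLS1.2=%s\n' "$host" "$port" "$v10" "$v11" "$v12"
  [ "$v10" = rejected ] && [ "$v12" = accepted ]
}

# Usage against a real host (needs network access; hostname is a placeholder):
#   tls_report server.example.edu 443
```

A non-zero exit from `tls_report` means the host either still accepts TLS 1.0 or does not offer TLS 1.2, which is exactly the condition that will cause it to be blocked after the deadline. Note that very new OpenSSL builds may refuse to offer TLS 1.0 themselves (the "inconclusive" branch); in that case the test says nothing about the server, and the Qualys test or an older client is needed.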
What if my server or application cannot be upgraded or patched before June 30th, 2018?
- Systems that cannot support higher TLS versions by June 30th will be blocked from communicating with UIS-run systems over TLS 1.0, which may break some or all of your services.
- Internet access to unpatched servers on the campus network will be removed.
- Please review the Department Server Policy to see what is expected of departments running their own servers:
If extenuating circumstances prevent a critical campus system from being patched in time for the June 30 deadline, please submit a ticket request to firstname.lastname@example.org to explain the system and your department's complete plan for addressing the issue for UIS review. In limited cases where university systems would not be placed out of regulatory compliance, UIS may assist departments with short term solutions.