OneSpan Sign and TLS Communication: What's The Latest?
In the latest release of OneSpan Sign (11.8), preparations have been made to disable Transport Layer Security (TLS) 1.0 across all production environments. Note that support for TLS 1.0 has already been disabled on our sandbox environments. In this post, I will briefly explain what TLS is, what is changing, and what you should do next.
What Is TLS?
In short, Transport Layer Security (TLS) is a protocol that provides security for communication over the Internet. TLS encrypts segments of network connections, in order to provide confidentiality when communicating via the Internet. Through encryption and endpoint-identity verification, TLS ensures that a connection to a remote endpoint is indeed the intended endpoint. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL). The versions of TLS, to date, are TLS 1.0, 1.1 and 1.2.
What Is The Change?
As of today, OneSpan Sign requires an upgrade to TLS 1.1 or higher for our sandbox environments. Hence, if you are still on TLS 1.0, you will be prevented from accessing OneSpan Sign. In other words, with TLS 1.0 disabled, any inbound connections to or outbound connections from your system that rely on TLS 1.0 will fail. Note that this change is also expected to be applied on our production environments on March 10, 2018.
What Should You Do?
Java
If your application runs on Java 1.7 or Java 1.6 (update 111 or later), you can set the https.protocols system property when starting the JVM to enable additional protocols for connections made using the HttpsURLConnection class – for example, by setting -Dhttps.protocols=TLSv1.1,TLSv1.2. TLS 1.1 and 1.2 are not supported prior to update 111 on Java 1.6; therefore, you will need to update the version of Java your application runs on. If your application runs on Java 1.8, you don't need to do anything, as TLS 1.2 is enabled by default.
.NET
If your application is in the .NET Framework, here's what you'll need to do depending on your framework version:
- .NET 4.6 and above: You don’t need to do any additional work as TLS 1.2 is the default protocol.
- .NET 4.5: TLS 1.1 and 1.2 are supported, but they are not the default protocols; you need to opt in to use them. The following statements make TLS 1.1 or TLS 1.2 (respectively) the default. Make sure to execute the assignment before making your connection to OneSpan Sign:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11; // TLS 1.1
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // TLS 1.2
- .NET 4.0: TLS 1.1 and 1.2 are not supported by the framework itself, but if you have .NET 4.5 (or above) installed on your system, you can still opt in to TLS 1.1 or 1.2 even though your application's target framework doesn't expose them. You'll need to use the numerical representation of the enum values:
ServicePointManager.SecurityProtocol = (SecurityProtocolType)768;  // TLS 1.1
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; // TLS 1.2
- .NET 3.5 or below: Previously, these versions did not allow applications to use the Transport Layer Security (TLS) system default versions as a cryptographic protocol. However, you can now download an update that enables the use of TLS 1.2 in the .NET Framework 3.5.
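The .NET opt-in above sets a single protocol at a time. The following is an added example (not OneSpan's own code) that enables TLS 1.1 and 1.2 together, using the numeric enum values from the post so that it compiles on a .NET 4.0 project as long as .NET 4.5 or later is installed on the machine, and then opens a TLS handshake to confirm which version was actually negotiated. The host name is a placeholder to replace with your own OneSpan Sign endpoint; the TlsOptIn class and its method names are this example's own.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

// Added example, not code from the post. Assumes .NET Framework 4.5 or later is
// installed on the machine; the values 768 and 3072 are the Tls11/Tls12 enum
// values quoted in the post, so this also compiles when targeting .NET 4.0.
static class TlsOptIn
{
    // Enable TLS 1.1 AND 1.2 (OR-ed together) rather than one fixed version, so the
    // client negotiates the highest version the server supports.
    public static void EnableTls11And12()
    {
        const SecurityProtocolType tls11 = (SecurityProtocolType)768;  // SecurityProtocolType.Tls11
        const SecurityProtocolType tls12 = (SecurityProtocolType)3072; // SecurityProtocolType.Tls12
        ServicePointManager.SecurityProtocol = tls11 | tls12;
    }

    // Open a TLS connection to host:port using the protocols currently enabled on
    // ServicePointManager and report which version the handshake settled on.
    // SslProtocols and SecurityProtocolType share the same numeric values, so the
    // cast carries the opt-in over to SslStream. Use this to check that the
    // opt-in took effect before the TLS 1.0 cut-off.
    public static string NegotiatedProtocol(string host, int port = 443)
    {
        using (var client = new TcpClient(host, port))
        using (var ssl = new SslStream(client.GetStream(), false))
        {
            var enabled = (SslProtocols)ServicePointManager.SecurityProtocol;
            ssl.AuthenticateAsClient(host, null, enabled, true); // also checks certificate revocation
            return ssl.SslProtocol.ToString();
        }
    }

    static void Main()
    {
        EnableTls11And12();
        // Placeholder host: substitute the OneSpan Sign sandbox or production endpoint you use.
        string host = "sandbox.example.invalid";
        Console.WriteLine("Enabled: " + ServicePointManager.SecurityProtocol);
        Console.WriteLine("Negotiated: " + NegotiatedProtocol(host));
    }
}
```

If the negotiated version prints as Tls (that is, TLS 1.0) or the handshake fails, the opt-in did not take effect in the process making the call; the usual cause is that the assignment runs after the first ServicePoint for the host has already been created, so place it at application start-up.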
If you have questions regarding this blog or anything else concerning integrating OneSpan Sign into your application, visit the Developer Community Forums: developer.esignlive.com. That's it from me. Thank you for reading!