May 10, 2016 update:
The changes that were scheduled on May 1st were initially applied on May 3rd then reversed, as there were still a number of vendor applications who were not properly patched to support the updated security protocols.
We are continuing the changes according to the following schedule, moving the security updates on web hooks and default ordering host on June 1st, to allow more time for updates:
|May 16, 2016||TLS 1.0 disabled for all custom ordering hosts on Avangate and API endpoints (on api.avangate.com)|
|June 1st, 2016||TLS 1.0 disabled for web-hooks and default ordering host (on secure.avangate.com). This includes the Control Panel and myAccount.|
Starting May 1st, Avangate will disable the use of TLS 1.0 encryption protocol for inbound HTTPS connections Tweet . This protocol is no longer considered secure and so Avangate will no longer support it. Data security and keeping your data safe is our highest priority, which is why we adhere to the industry’s best practices and highest security standards for data protection. Disabling the use of the TLS 1.0 protocol is something that is also recommended by the PCI Council (Avangate is a Level 1 PCI-DSS certified entity. In 2015, the PCI Council released a new version of their Data Security Standard stating, among other changes, that SSL and TLS 1.0 can no longer be used after June 30, 2016. While the council later postponed implementation until June 2018, we are instituting it immediately to ensure your security.
After the change, any connections to Avangate systems will need to use the TLS 1.1 or TLS 1.2 encryption protocols, which are already enabled in Avangate. Affected systems are both the browser accessible interfaces like the Ordering Systems and the Avangate Control Panel, as well as the machine accessible ones, like the API endpoints and web-hooks.
Avangate will deploy changes according to the schedule table below:
|March 1st, 2016||Availability of test URLs for verifying compatibility with TLS 1.1 or 1.2API: https://tlstest.api.avangate.com
|May 1st, 2016||TLS 1.0 disabled for web-hooks and default ordering host (on secure.avangate.com). This includes the Control Panel and myAccount.|
|May 15th, 2016||TLS 1.0 disabled for API endpoints (on api.avangate.com)|
|June 1st, 2016||TLS 1.0 disabled for all browser applications (all custom ordering hosts on Avangate)|
Under normal conditions, users should not experience any problems accessing Avangate with a modern browser. Please refer to Wikipedia or other external sources for more information about non-supported browsers. Check your browser compatibility by navigating to this page between March 1st and June 1st 2016.
For applications connecting to Avangate, TLS 1.1 or 1.2 needs to be enabled. Avangate has identified the following main types of applications connecting to Avangate:
- Java 6 (1.6) or a lower version is not compatible with TLS 1.1 or higher
- Java 7 (1.7) has support for TLS 1.1 and TLS 1.2 but this is not enabled by default
- Java 8 (1.8) or a higher version has default support for TLS 1.1 or TLS 1.2
- .NET 3.5 or a lower version is not compatible with TLS 1.1 or higher
- .NET 4.0 has support for TLS 1.2 but this is not enabled by default
- .NET 4.5 or a higher version has default support for TLS 1.1 and TLS 1.2
Applications relying on OpenSSL (PHP, Perl, Python etc)
- OpenSSL v1.01 or newer supports TLS 1.1 and TLS 1.2
Please check with your IT and development team if any action is needed to support TLS 1.1/1.2. Your applications may be unable to connect to Avangate web-hooks or API services after the changes are implemented in production.