On 26th of June 2018 at 10:00 BST, Nexmo will disable support of legacy TLSv1 and TLSv1.1 protocols. Vulnerabilities within these TLS versions are serious and, left unaddressed, put organizations at risk of being breached. The only supported encryption protocol for HTTPS connections will be TLSv1.2. All API requests and all web requests to the Nexmo Dashboard using legacy TLS protocols will be rejected.
We will disable legacy TLS protocols in two stages:
- June 26, 10:00 BST: Disable TLSv1 and TLSv1.1 for one hour (to facilitate detection of legacy API clients).
- July 10, 10:00 BST: Permanently disable legacy TLSv1 and TLSv1.1.
After the initial one-hour shutdown on June 26, we will temporarily restore support for TLSv1 and TLSv1.1 for a period of two weeks in order to mitigate adverse impact to your business and assist with your transition.
Verifying TLSv1.2 Support
Nexmo rejects plain HTTP requests, but for HTTPS connections we currently accept all TLS versions. Deprecation of TLSv1 and TLSv1.1 will affect only a small proportion of traffic (94% are already TLSv1.2), and many clients will automatically switch to using TLSv1.2. In order to see if your system supports TLSv1.2, please refer to the guide below.
To check if your web browser supports TLSv1.2 for communication with the Nexmo Dashboard, you can use these online tools:
Updating to the most recent browser version will generally solve any problems.
There is a variety of available client software and underlying platforms. If your production system communicates with Nexmo using TLSv1 or TLSv1.1, you need to check one of the following components:
- the operating system
- encryption libraries
- the runtime environment
- the SDK
Generally, all modern operating systems and runtime environments support TLSv1.2, but some use legacy versions by default (e.g. JDK 7). To make sure that your system will automatically switch to TLSV1.2 when legacy TLS versions are disabled by Nexmo, please make a GET/POST request to https://api.nexmo.com/tlsverification.
This verification endpoint accepts only TLSv1.2 connections, responding with 200 OK, and rejects legacy TLS connections with 400 Bad Request.
All current Nexmo SDKs and libraries support TLSv1.2:
- nexmo-java: SDK versions above 3.0 use TLSv1.2 by default. However, you are required to use Java 7 and above. Generally, Java 8 is preferred because it defaults to using TLSv1.2.
- nexmo-ruby: Ruby 2.0.0 or later and OpenSSL 1.0.1c or later are required.Run the following command with the executable you are using to run your application:
1ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'
OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL, and upgrade to a recent release of Ruby.
- nexmo-dotnet: Ensure your system runs .NET framework 4.5 or above.
- nexmo-python: Run the following command with the python executable you are using to run your application:
1python -c "from __future__ import print_function; import ssl; print(ssl.OPENSSL_VERSION)"
OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL, and upgrade to the latest release of Python 2.7 or 3.4+.
- nexmo-php: Run the following command with the PHP executable you are using to run your application:
1php -r "echo OPENSSL_VERSION_TEXT;"
OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL and a more recent release of PHP.
- nexmo-node & nexmo-CLI: Run the following command with the node executable you are using to run your application:
1node -p process.versions.openssl
OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL and to the most recent release of Node (at least 4.9.0 or greater).
If you need assistance with technical issues please contact us at email@example.com.