Nexmo Protects Customers by Ending Support for Legacy TLS Protocols

Published June 13, 2018 by Oleksandr Bodriagov

On the 10th of July 2018 at 10:00 BST, Nexmo will disable support of legacy TLSv1 and TLSv1.1 protocols for one hour (to facilitate detection of legacy API clients) before permanently disabling legacy TLSv1 and TLSv1.1 support on August 7 at 10:00 BST. Vulnerabilities within these TLS versions are serious and, left unaddressed, put organizations at risk of being breached. The only supported encryption protocol for HTTPS connections will be TLSv1.2. All API requests and all web requests to the Nexmo Dashboard using legacy TLS protocols will be rejected.

We will disable legacy TLS protocols in two stages:

  1. July 10, 10:00 BST: Disable TLSv1 and TLSv1.1 for one hour (to facilitate detection of legacy API clients).
  2. August 7, 10:00 BST: Permanently disable legacy TLSv1 and TLSv1.1.

After the initial one-hour shutdown on 10th of July, we will temporarily restore support for TLSv1 and TLSv1.1 for a period of four weeks in order to mitigate adverse impact to your business and assist with your transition.

Verifying TLSv1.2 Support

Nexmo rejects plain HTTP requests, but for HTTPS connections we currently accept all TLS versions. Deprecation of TLSv1 and TLSv1.1 will affect only a small proportion of traffic (94% are already TLSv1.2), and many clients will automatically switch to using TLSv1.2. In order to see if your system supports TLSv1.2, please refer to the guide below.

Web browsers

To check if your web browser supports TLSv1.2 for communication with the Nexmo Dashboard, you can use these online tools:

Updating to the most recent browser version will generally solve any problems.

API clients

There is a variety of available client software and underlying platforms. If your production system communicates with Nexmo using TLSv1 or TLSv1.1, you need to check one of the following components:

  • the operating system
  • encryption libraries
  • the runtime environment
  • the SDK

Generally, all modern operating systems and runtime environments support TLSv1.2, but some use legacy versions by default (e.g. JDK 7). To make sure that your system will automatically switch to TLSv1.2 when legacy TLS versions are disabled by Nexmo, please make a GET/POST request to https://api.nexmo.com/tlsverification.

This verification endpoint accepts only TLSv1.2 connections, responding with 200 OK, and rejects legacy TLS connections with 400 Bad Request.

All current Nexmo SDKs and libraries support TLSv1.2:

  • nexmo-java: SDK versions above 3.0 use TLSv1.2 by default. However, you are required to use Java 7u131 (Update 131) and above. Generally, Java 8 is preferred because it defaults to using TLSv1.2.
  • nexmo-ruby: Ruby 2.0.0 or later and OpenSSL 1.0.1c or later are required. Run the following command with the executable you are using to run your application:

    OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL, and upgrade to a recent release of Ruby.
  • nexmo-dotnet: Ensure your system runs .NET framework 4.5 or above.
  • nexmo-python: Run the following command with the python executable you are using to run your application:

    OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL, and upgrade to the latest release of Python 2.7 or 3.4+.
  • nexmo-php: Run the following command with the PHP executable you are using to run your application:

    OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL and a more recent release of PHP.
  • nexmo-node & nexmo-CLI: Run the following command with the node executable you are using to run your application:

    OpenSSL 1.0.1c and above support TLSv1.2. If your OpenSSL version is below 1.0.1c, we recommend that you upgrade to the latest OpenSSL and to the most recent release of Node (at least 4.9.0 or greater).
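
An added example (not Nexmo's own code): a Python 3 standard-library check covering the two tests described above, comparing an OpenSSL version banner against the 1.0.1c threshold and requesting the verification endpoint with the runtime's default TLS settings. The function names are hypothetical; the endpoint and its 200/400 responses are as stated on this page.

```python
import http.client
import re
import ssl

MIN_OPENSSL = (1, 0, 1, "c")  # threshold stated on this page


def openssl_supports_tls12(version_text):
    """True/False for an 'OpenSSL x.y.z[letter]' banner, None if unparseable."""
    m = re.search(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", version_text)
    if m is None:  # e.g. LibreSSL or a vendor build with a different banner
        return None
    major, minor, patch, letter = m.groups()
    # Letter releases sort after the bare version: 1.0.1 < 1.0.1a < 1.0.1c
    return (int(major), int(minor), int(patch), letter) >= MIN_OPENSSL


def interpret_status(status):
    """Map the verification endpoint's documented responses to a verdict."""
    if status == 200:
        return "ok: connection used TLSv1.2"
    if status == 400:
        return "fail: connection used a legacy TLS version"
    return "unknown: unexpected HTTP status %d" % status


def check_endpoint(host="api.nexmo.com", path="/tlsverification", timeout=10):
    """GET the endpoint with this runtime's default TLS settings."""
    ctx = ssl.create_default_context()  # defaults on purpose: no version pinning
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path)
        negotiated = conn.sock.version()  # read before the socket may close
        status = conn.getresponse().status
        return negotiated, interpret_status(status)
    except (ssl.SSLError, OSError) as exc:
        return None, "fail: no TLS connection (%s)" % exc
    finally:
        conn.close()


if __name__ == "__main__":
    # Uses the OpenSSL build linked into this interpreter, then the live endpoint.
    print(ssl.OPENSSL_VERSION, "->", openssl_supports_tls12(ssl.OPENSSL_VERSION))
    print(check_endpoint())
```

Run it with the same interpreter and on the same host as the production client, since the linked OpenSSL build and default TLS settings can differ between environments.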

If you need assistance with technical issues, please contact us at [email protected].
