
Deprecating TLS 1.0 and TLS 1.1

PPO users use HTTPS to connect to their instances of PPO, e.g. https://www.ppolive.com/acme/login.aspx, and Transport Layer Security (TLS) is used to encrypt these connections. Most modern browsers use TLS 1.2, which is considered secure. Very old browsers may, however, still use TLS 1.0 or TLS 1.1, which are no longer considered secure.

Support for TLS versions 1.0 and 1.1 is being deprecated (i.e. we will no longer allow traffic for these protocols) and will be discontinued as of 31 July 2018. As a result, users attempting to connect to PPO using unsupported browser versions will be unable to do so.

To continue to use PPO, you will need to upgrade to a more modern browser which supports TLS 1.2.

For applications integrating with PPO, all API connections will also require TLS 1.2.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to provide communications security over computer networks. There are currently three versions of the TLS protocol in use: TLS1.0, 1.1 and 1.2. TLS1.2 is the latest version and by far the most secure of the three.

Why are we deprecating TLS1.0 & 1.1?

Continuing to support TLS1.0 (and TLS1.1) poses a security risk, because clients that still offer these versions may be exposed to downgrade attacks, in which an attacker forces a connection onto a weaker version of TLS in order to exploit that version's known vulnerabilities.

TLS1.0 was released in 1999, making it a nearly two-decade-old protocol. For several years now it has been known to be vulnerable to attacks such as BEAST and POODLE (although these have been mitigated in other ways), in addition to relying on weak cryptographic algorithms. As a result, TLS1.0 no longer keeps the connection sufficiently secure.

In 2006, TLS1.1 was released to protect against the vulnerabilities seen in version 1.0; however, it was leapfrogged by TLS1.2, released two years later in 2008, and it is rare to see TLS1.1 in use.

How widely used are older versions of TLS in PPO?

About 97% of the traffic to PPO uses TLS1.2, and 3% uses TLS1.0. TLS1.1 only accounts for 0.005% of the traffic.

What do I need to do?

To continue to use PPO, you will need a modern browser, such as Internet Explorer 11, Edge 12+, Mozilla Firefox 27+, Google Chrome 30+ or Apple Safari 7+. If you are not using one of these browser versions or newer, you will need to update to at least one of these versions.

The Microsoft Project add-in for PPO has been updated to support TLS1.2. Please download the latest version from our support portal here.

For applications integrating with PPO, all API connections will require TLS 1.2. For .NET use version 4.5+ and for Java use version 7u25+.

Actions required for integrating using .NET

.NET version compatibility notes

.NET 3.5 and below

Not compatible with TLS 1.1 or higher encryption.

.NET 4.0

.NET 4.0 does not enable TLS 1.2 by default. To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319".

Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. This is also available as a registry import file.

These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.

.NET 4.5 to 4.5.2

.NET 4.5, 4.5.1, and 4.5.2 do not enable TLS 1.1 and TLS 1.2 by default. Two options exist to enable these, as described below.

Option 1:
.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

using System.Net;

// Enable TLS 1.2 (and, for compatibility with older servers, TLS 1.1 and 1.0) for every
// outgoing HTTPS connection made by this process. Set this once at application start-up,
// before the first request is created; it does not affect requests already in flight.
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Option 2:
It may be possible to enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist:

"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319".

Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. This is also available as a registry import file.

These registry values, however, will not affect .NET applications that set the System.Net.ServicePointManager.SecurityProtocol value.
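As an added example that is not part of this article or PPO's own code, the following PowerShell script checks an integration server against both options above. It reads the SchUseStrongCrypto value from the two registry keys (Option 2), then applies the SecurityProtocol setting from the C# snippet (Option 1) to a live HTTPS request, restricted to TLS 1.2 only so that the request fails if the .NET runtime on the machine cannot negotiate it. A third function opens an SslStream and reports the protocol the server actually negotiated. The function names are invented here; the host name is the one in the login URL quoted at the top of the article.

```powershell
# Added example, not PPO's own code: a readiness check for the TLS 1.2-only cut-over
# that exercises both options from the .NET section above.
#   Option 2 - read SchUseStrongCrypto from both .NET 4.0.30319 registry keys.
#   Option 1 - set ServicePointManager.SecurityProtocol in this process, as the C#
#              snippet does, and make an HTTPS request that can only succeed over TLS 1.2.
# A separate SslStream probe reports the protocol the server actually negotiated.
# Assumption: the host name is taken from the login URL quoted in this article.

$PpoHost = 'www.ppolive.com'

function Get-SchUseStrongCryptoStatus {
    # The two keys named in the article. The Wow6432Node key exists only on 64-bit Windows
    # and governs 32-bit .NET processes; the other governs 64-bit processes.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
    )
    foreach ($key in $keys) {
        $value = $null
        if (Test-Path -Path $key) {
            $item = Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -ErrorAction SilentlyContinue
            if ($item) { $value = $item.SchUseStrongCrypto }
        }
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = $value         # $null: key or value absent, so the .NET 4.x defaults apply
            Tls12ByDefault     = ($value -eq 1)
        }
    }
}

function Test-ServicePointTls12 {
    param([string]$HostName)
    # Option 1 applied to this process. Only Tls12 is enabled (no Tls11/Tls fallback), so the
    # request fails unless this .NET runtime can negotiate TLS 1.2. On a plain .NET 4.0 runtime
    # the Tls12 enum value does not exist and the assignment itself throws, which is the
    # "not ready" signal the article describes.
    try {
        [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
        $request = [System.Net.HttpWebRequest]::Create("https://$HostName/")
        $request.Method  = 'HEAD'
        $request.Timeout = 10000
        $response = $request.GetResponse()
        $result = [pscustomobject]@{ Host = $HostName; HttpStatus = [int]$response.StatusCode; Succeeded = $true; Error = $null }
        $response.Close()
        $result
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            # An HTTP error status (e.g. 404 for HEAD /) still proves the TLS handshake completed.
            [pscustomobject]@{ Host = $HostName; HttpStatus = [int]$_.Exception.Response.StatusCode; Succeeded = $true; Error = $null }
        } else {
            [pscustomobject]@{ Host = $HostName; HttpStatus = $null; Succeeded = $false; Error = $_.Exception.Message }
        }
    } catch {
        [pscustomobject]@{ Host = $HostName; HttpStatus = $null; Succeeded = $false; Error = $_.Exception.Message }
    }
}

function Get-NegotiatedTlsProtocol {
    param([string]$HostName, [int]$Port = 443)
    # SslStream ignores ServicePointManager.SecurityProtocol, so the allowed protocol is passed
    # explicitly. Certificate validation is left at the default (strict) behaviour.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol; Cipher = $ssl.CipherAlgorithm; Succeeded = $true; Error = $null }
        $ssl.Dispose()
    } catch {
        [pscustomobject]@{ Host = $HostName; Protocol = $null; Cipher = $null; Succeeded = $false; Error = $_.Exception.Message }
    } finally {
        $client.Dispose()
    }
}

Write-Output '== Option 2: SchUseStrongCrypto registry values =='
Get-SchUseStrongCryptoStatus | Format-Table -AutoSize
Write-Output '== Option 1: HTTPS request with SecurityProtocol = Tls12 only =='
Test-ServicePointTls12 -HostName $PpoHost | Format-List
Write-Output '== Negotiated protocol on a direct TLS 1.2 handshake =='
Get-NegotiatedTlsProtocol -HostName $PpoHost | Format-List
```

Run it on the integration server in a PowerShell session of the same bitness (32-bit or 64-bit) as the process that will call the PPO API, because each registry key governs one of the two. Succeeded = True in the Option 1 section means the runtime can reach PPO over TLS 1.2 without any fallback; Tls12ByDefault = False on both keys means applications that do not set SecurityProtocol in code are still relying on the runtime defaults described above and need one of the two options applied before the cut-over date.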

.NET 4.6 and higher

Compatible with TLS 1.1 or higher by default
