Remove all TLS 1.0 version pins #2774
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Most of these were added years ago as workarounds. They were never revisited to see if gateways had fixed their SSL setup. TLS 1.0 is old with known vulnerabilities that require server mitigations to be properly configured. Version 1.2 was released in 2008 and is considered secure with most cipher configurations. The PCI DSS v3.2 disallows TLS 1.0 unless existing implementations have applied for an exception. However, this exception is not valid after June 30, 2018. I have verified (with `curl -v`) that all live and test URLs of the affected gateways support TLS 1.2.
jasonwebster
approved these changes
Mar 5, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Most of these were added years ago as workarounds. They were never revisited to see if gateways had fixed their SSL setup. By removing the pinned version requirement, the highest supported version will be negotiated between the client and the server.
TLS 1.0 is old with known vulnerabilities that require server mitigations to be properly configured. Version 1.2 was released in 2008 and is considered secure with most cipher configurations.
The PCI DSS v3.1 (released March 2015) disallows TLS 1.0 unless existing implementations have applied for an exception. However, this exception is not valid after June 30, 2018. I have verified (with
curl -v) that all live and test URLs of the affected gateways support TLS 1.2.