TLS 1.0 and 1.1 dismission and impacts on integrations
Starting from 01/01/2022 we will disable the use of TLS 1.0 and TLS 1.1 for direct connections to the platform domains, allowing access only with TLS 1.2 or higher version protocols.
In order not to have discontinuity of operation, it is necessary to make sure that by that date the applications that integrate with the platform are updated to support TLS 1.2 or higher.
Why?
Versions 1.0 and 1.1 of the TLS cryptographic protocol have been deprecated and deprecated by the Internet Engineering Task Force (RFC 8996) which, in the face of known cybersecurity vulnerabilities, recommends their abandonment in favor of version 1.2 or higher.
In order to maximize the level of protection, the platform also adapts to what all the major software producers did in 2020 and proceeds with the inhibition of the use of obsolete protocols for the negotiation of cryptography.
Who is impacted by this change?
No impact for those who access the platform through the login page on any web browser. In this case, access via TLS <1.2 has not been possible for months.
The impact of the disabling concerns any software applications (hereinafter "client") configured or developed by customers for the purpose of integration with the platform and which use TLS 1.0 or TLS 1.1. These applications include those that correspond to both these conditions:
- call public pages (e.g. registration form in HTTP GET / POST) and marked by the URL <host account> / frontend / <PageName.aspx> or the API (REST or SOAP *)
- they use older technologies that do not have native support for TLS 1.2 or higher, such as .Net framework versions lower than 4.7 or JDK lower than version 8
Here are some useful references to check and possibly correct the compatibility of the various software:
https://luxsci.com/blog/tls-nist-cipher-email-web-browser-compatibility.html
https://docs.microsoft.com/it-it/dotnet/framework/network-programming/tls#support-for-tls-12
https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
https://tecadmin.net/test-tls-version-php/
https://www.php.net/manual/en/migration56.openssl.php
https://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html
https://medium.com/@jawadahmadd/enable-only-tls-1-2-in-node-js-118687fb3746
* only for calls to http: // <MAILUP_CONSOLE_URL> /Services/WSMailupImport.asmx, for SOAP calls to the domains wsvc.ss.mailup.it and services.mailupnet.it the deadline is postponed.
Do I need to reconfigure my clients?
No action is required on clients that are already using TLS 1.2 or higher. Otherwise, it is necessary to update them within the indicated times.
How can I check if my client is compatible?
In the case of applications integrated via REST API it is possible to do a test by replacing the domain services.mailup.com with:
REST API: test-services.emailsp.com
SOAP API: test-wscv.ss.mailup.it
Access from the browser is not impacted, it can still be verified through this page.
For all other cases, a check in the code or in the configuration of the application connected to the platform is required.
Can you check my clients?
No, MailUp is unable to verify the individual clients of its customers. To verify your clients please refer to the above.
Can you postpone this operation to give me time to update my systems?
No. The operation of decommissioning obsolete TLS protocols is performed at the infrastructure level, therefore it is not possible to selectively perform it for individual users or domains.