Web Sign On Sunsetting TLSv1.0 over web sign-on and other Warwick websites

2 posts 1 follower RSS feed

1. Mathew Mannion

   #1 10:07, Wed 22 Feb 2017 (edited 10:08, Wed 22 Feb 2017)

   From July 2017, we will disable the TLS 1.0 encryption protocol across the University's web services. Disabling TLS 1.0 prevents it from being used to access Warwick websites via an insecure web browser or application. If your application connects to websignon.warwick.ac.uk or webgroups.warwick.ac.uk, you must ensure that the library you are using supports TLSv1.1 or TLSv1.2 for connections, or they will fail. You can try pointing your application at webgroups-dev.warwick.ac.uk now, where TLSv1.0 is already disabled.

   When will this happen?

   • Monday 3 July 2017 - We will disable TLSv1.0 connections to our transaction tracking system, onlinepayment.warwick.ac.uk
   • Tuesday 1 August 2017 - We will disable TLSv1.0 connections to Single Sign-on and our identity provider. It will no longer be possible to sign in to web services using a browser that only supports TLSv1.0.
   • Monday 8 January 2018 - IT Services will disable TLSv1.0 connections to all other web services.

   Although TLS 1.0, when configured properly, has no known security vulnerabilities, newer protocols are designed better to address the potential for new vulnerabilities. In order to remain PCI compliant for taking online payments, web applications that process or redirect to payment sites must have a plan to disable TLSv1.0 before June 2018.

   This will refuse access to any user on a browser that doesn't have the more modern TLS 1.1 or TLS 1.2 protocols available or enabled:

   • Internet Explorer 8 (disabled by default; can be turned on via a settings change)
   • Internet Explorer 9 (disabled by default; can be turned on via a settings change)
   • Internet Explorer 10 (disabled by default; can be turned on via a settings change)
   • Android browser on any version of Android before 5.0 (available but disabled in Android 4.1–4.3.1, 4.4–4.4.4)
   • Firefox prior to version 27
   • Google Chrome prior to version 22
   • Opera prior to version 12.18
   • Safari prior to version 9 (i.e. in OS X 10.8 and before)

   Users in a browser that doesn't support TLS 1.1 or 1.2, for whatever reason, will not be able to connect to any HTTPS web pages. Applications connecting to web sign-on or WebGroups will not be able to connect to the application if the language doesn't support it (e.g. Java prior to Java 1.8).

   More information is available on our technical FAQ about disabling TLSv1.0
   

   0 likes
    
2. Mathew Mannion

   #2 10:19, Fri 12 Jan 2018

   We have a new date for the third part of this change ("IT Services will disable TLSv1.0 connections to all other web services.") - this will now happen on Monday 5th March 2018. Amongst other applications, this will include:

   • Sitebuilder (the University website, including warwick.ac.uk)
   • MRM
   • Photos.Warwick
   • WebGroups
   • PeopleSearch
   • Warwick Search

   Any server-to-server operations should be updated to use TLSv1.2 by this time. We will contact anyone who we're aware is currently using TLSv1.0 to inform them of this and advise them on upgrade strategies.

   Following this change, on Monday 25th June 2018 we will update our configuration to not accept TLSv1.0 connections at all, instead of showing a page explaining why the connection hasn't been accepted. This will mean it is no longer feasible on this date to be whitelisted. Again, we will be in touch with affected parties.

   0 likes