Transport Layer Security (TLS) 1.0 and 1.1 will no longer be supported by nShift products by October 10th, 2023. The change will occur gradually, starting mid-September, per product, according to the schedule below. Please try to make the necessary checks and eventual updates in due time, so that you can avoid unnecessary downtimes.
Sections in this article:
- What is Transport Layer Security (TLS)?
- Why are we doing this?
- What are the general requirements for supporting TLS 1.2 for web applications?
- How can we check if TLS 1.2 is working?
- Ship On-premises (Consignor) TLS requirements
- What if a custom client is used to call nShift web services?
- Product update schedule
What is Transport Layer Security (TLS)?
Transport Layer Security (TLS) is a cryptographic protocol that secures internet communications. Your client software can be set up to use TLS version 1.0, 1.1, 1.2, or 1.3, or a subset of these when connecting to service endpoints. You should ensure that your client software supports TLS 1.2 or later.
Why are we doing this?
TLS 1.0 and 1.1 are out-of-date protocols that do not support modern cryptographic algorithms, and they contain security vulnerabilities that may be exploited by attackers. In addition, most of the encrypted Internet traffic is now over TLS 1.2, which was introduced in 2008. nShift already supports TLS 1.2 on all products so the change should not cause problems for our customers, except for some edge cases that can be managed in time.
It is crucial to understand that both protocols are now deprecated, with TLS 1.0 being introduced in 1999, while TLS 1.1 was released in 2006, long before attackers had the computational resources they have today to orchestrate advanced heavy-duty cryptographic attacks.
The large number of attacks that were revealed in previous years took advantage of the weak cryptographic algorithms at the base of the two protocols, compromising even encrypted communications. The recommended mitigation to address these vulnerabilities is to use newer versions of TLS, that support more powerful cryptographic algorithms, resistant to attacks.
What are the general requirements for supporting TLS 1.2 for web applications?
There are two major requirements for supporting TLS 1.2 for web applications, operating system requirement and browser support. No changes are required on the customer side if:
- Microsoft Windows 8.1 or later version is installed;
- A modern web browser with the latest updates (Internet Explorer 11, Google Chrome, Microsoft Edge, Mozilla Firefox, etc.) is used.
Extended details about the operating system, browser support, and platform requirements are listed here. Please check if you already support TLS 1.2 on your system and if not, try to make the necessary updates in due time.
For on-premises applications like Ship On-premises, there are some extra requirements, described below.
Ship On-premises (Consignor) TLS requirements
- .NET Framework 4.6.2 or later, version 4.7 is preferable (we already require version 6 for Ship On-premises);
- SQL Server 2016 or newer is recommended (we already require version 2019 for Ship On-premises)
- For Ship On-premises versions lower than 16.128.x.x HTTPS support needs to be enabled using this option: Tools > Options > General tab > ‘HTTP Secure’ option. (Ship On-premises versions 9.20.x.x must update).
For instructions on how to check the installed .NET Framework version, see the article below:
For earlier SQL versions, please check the needed manual changes (which can apply only to certain versions) in the article below:
How can we check if TLS 1.2 is working?
nShift already supports TLS 1.2 on all products, the reason why all customers can check if the protocol is supported on their side, or if further changes are needed. For all web products you need to make sure you’re using a modern browser with support for TLS 1.2 and a recent Windows OS version (8.1 or later). For Ship On-premises, the requirements are listed above.
It is important to understand that you already have control over the TLS version used when connecting. When connecting to nShift endpoints, your client software negotiates its preferred TLS version, and nShift uses the highest mutually agreed upon version.
Read more about how to do a web services client 1.2 TLS test here.
What if a custom client is used to call nShift web services?
In this case, the customers need to check if the platform the client is built on supports TLS 1.2. For instance, if the client is developed in Java, then Java 1.8 is the minimum requirement. For COTS products in most cases, an update to the latest client version will resolve the issue.
Product update schedule
nShift plans to remove the support for TLS 1.0 and 1.1 starting mid-September, per product, according to the following schedule:
|Tuesday, 2023-09-26||Track / Returns|
|Wednesday, 2023-09-27||Scan App|
|Thursday, 2023-09-28||My Parcels|
Note: The web services and integrations linked to each product are included in the above schedule for this TLS 1.0 and 1.1 deprecation.
Please try to make the necessary checks and eventual updates in due time, so that you can avoid unnecessary downtimes.
This article was published in the nShift Help Center on May 24, 2023.