
So I think I know the answer to this but wanted to check.

If I allow customers/suppliers to send orders via a web service and/or HTTP POST, and my server is running TLS 1.0 and I upgrade to TLS 1.1/1.2 while the customers/suppliers are still using TLS 1.0, I presume that this interface will stop working and therefore my customers need to upgrade to at least TLS 1.1 or 1.2 as well to continue working?

Does anyone know if there is a matrix that shows compatibility between different versions so I can work out in which scenarios it will work?

Thanks in advance.

regards

Mark

Rusty
    There be dragons here due to the large number of vulnerabilities which exist with TLS. [Here](https://www.acunetix.com/blog/articles/tls-security-what-is-tls-ssl-part-1/) is a 5 part article on TLS. – bated Sep 21 '17 at 15:34
  • If your clients are only _capable_ of 1.0 and you change the server to 1.1/1.2-only, yes, their connections will fail. If clients are simply _getting_ 1.0 because that's what you negotiate, quite possibly they also support 1.1 or 1.2 or even 1.3-draft. [Wikipedia](https://en.wikipedia.org/wiki/Transport_Layer_Security) has a chart of which protocol versions and other features are supported by which implementations, but most implementations can be configured to restrict what they actually _use_ to less than what they _support_. Or you could inspect/log received ClientHellos. – dave_thompson_085 Sep 22 '17 at 01:55

1 Answer

Expose a new TLS 1.2-only endpoint (on a different subdomain) so your customers can migrate at their own pace. Inform them you'll be retiring the old endpoint soon and they need to address their crypto where necessary. When the deadline comes, CNAME your old endpoint to your new one.

This is a controversial approach, but it is also production, in real life, so you just gotta do what you gotta do.

evilSnobu
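The ClientHello inspection dave_thompson_085 suggests in the comments, and the "would a TLS 1.2-only endpoint still accept this client" question behind the answer, as an added example that is not part of the original thread: a parser that pulls the version a client offers (the legacy `client_version`, or the `supported_versions` list newer clients send) and decides whether a server restricted to a version range could negotiate with it. The sample records are constructed inline by a `build_client_hello` helper of my own, not captured from real clients.

```python
import struct

SUPPORTED_VERSIONS = 0x002B  # supported_versions extension type (RFC 8446)


def parse_client_hello(record: bytes) -> dict:
    """Return legacy client_version and any supported_versions list from one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:                 # 0x16 = handshake content type
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                     # 0x01 = ClientHello handshake type
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    client_version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32                                             # skip client_version and random
    pos += 1 + hello[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + hello[pos]                                    # compression_methods
    versions = []
    if pos + 2 <= len(hello):                                # extensions block is optional (old clients omit it)
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            data = hello[pos + 4:pos + 4 + ext_len]
            if ext_type == SUPPORTED_VERSIONS and data:      # 1-byte list length, then 2-byte versions
                versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            pos += 4 + ext_len
    return {"client_version": client_version, "supported_versions": versions}


def accepted_by(record: bytes, server_min: int, server_max: int = 0x0303) -> bool:
    """True if a server limited to [server_min, server_max] could negotiate with this client."""
    info = parse_client_hello(record)
    if info["supported_versions"]:                           # TLS 1.3-style explicit list
        return any(server_min <= v <= server_max for v in info["supported_versions"])
    return info["client_version"] >= server_min             # legacy: server picks highest <= client_version


def build_client_hello(client_version: int, supported=()) -> bytes:
    """Constructed sample ClientHello (one cipher suite, null compression, zero random) for testing."""
    ext = b""
    if supported:
        lst = b"".join(struct.pack("!H", v) for v in supported)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(lst) + 1, len(lst)) + lst
    hello = (struct.pack("!H", client_version) + bytes(32) + b"\x00"        # version, random, empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f" + b"\x01\x00"              # one cipher suite, null compression
             + (struct.pack("!H", len(ext)) + ext if ext else b""))         # extensions block, if any
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


if __name__ == "__main__":  # a TLS 1.0-only client against a TLS 1.2-only server
    print(accepted_by(build_client_hello(0x0301), 0x0303))  # False: that interface stops working
```

Feed captured ClientHello records (the first record of each incoming connection) to `accepted_by` with the version floor you plan to enforce, and you get the list of clients that will break before you flip the setting.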