Update – July 4th, 2022
For the Canadian platform only.
We’ve confirmed that all necessary updates have been deployed by our clients that were affected by this issue. Therefore, TLS 1.0 and 1.1 support will end on Wednesday, July 6th, 2022, at 8 AM (Eastern Daylight Time).
Should a problem during deployment force us to roll back the change, the final migration is planned for Wednesday, July 6th, 2022, at 8 AM. After this date, no further rollbacks will happen.
----------------------------------------------------------------------------------------
Update – October 18, 2021
For the Canadian platform only, this update is delayed until further notice, to allow a few clients time to deploy corrective updates. A new date will be announced here in the next few days. The update of the platform in France will take place on October 19 as initially announced.
----------------------------------------------------------------------------------------
In accordance with security best practice, we will be retiring support for the TLS 1.0 and 1.1 security protocols in the Dialog Insight platform, as well as various weak cipher suites. Because most software and operating systems released in the last 10 years are compatible with TLS 1.2 (including all currently supported Web browsers), most customers will be unaffected by this change.
There is however an incompatibility risk for older non-browser software used for API integrations or applications running on older out-of-support operating systems.
What is changing, and why now?
Transport Layer Security (TLS) is the successor of the older SSL protocol. It is the cryptographic protocol that secures communication when your browser or applications connect to the Dialog Insight platform. TLS has had many versions over the years to strengthen security as flaws are discovered in the protocol. Just like SSL versions 1.0, 2.0 and 3.0, TLS versions 1.0 and 1.1 are now considered insecure and should be disabled. We've kept compatibility with other versions for much longer than most, and now the time has come to remove the insecure versions.
How to know if you are affected
If you only use modern Web browsers to connect to Dialog Insight and do not use any API integrations, you will not be affected.
If you use our Web Services, your team should confirm that your systems and software are up to date and compatible with TLS 1.2. You might be affected if you use applications that do not receive regular updates, or older operating systems or libraries. Some examples:
Upgrades needed
- Windows Server 2008 R2 or earlier
- .Net 3.5 or below
- OpenSSL 1.0.0 or below
- Java 6
Configuration changes needed
- Windows Server 2012
- .Net 4.0 and 4.5
- Java 7
Getting a bit more technical, our new security configuration will support the following TLS protocol versions and cipher suites:
TLS 1.3
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
TLS 1.2
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Testing your TLS 1.2 compatibility
We have added temporary URLs * that you can use to connect to your account, which use the new TLS configuration we will deploy on Oct. 19:
- In Canada: https://tlstest.dialoginsight.dev
- In France: https://tlstest-fr.dialoginsight.dev
You can test your applications against our new TLS configuration simply by sending some test calls from your application to the same URLs as before but using the test domains above. For instance, a call to the Contact.Merge API method that uses this URL:
https://app.dialoginsight.com/webservices/ofc4/contacts.ashx?method=Merge
can be tested by simply replacing the domain name in the URL:
https://tlstest.dialoginsight.dev/webservices/ofc4/contacts.ashx?method=Merge
If the calls succeed, then your application is ready for the change.
* As stated, these are temporary test domains. Use them to test your environments but do not transfer production workloads to these domains since they will only be online for a few weeks and their availability and configuration is subject to change without notice.
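An offline pre-check to run before the test calls described above, added here as an example (it is not Dialog Insight's code): it maps the suites listed above to the OpenSSL names Python reports and shows that a client can speak TLS 1.2 yet still fail if it offers none of the listed ECDHE suites. The function names and the legacy offer are assumptions made for illustration.

```python
import socket
import ssl

# Suites from the list above, keyed by the OpenSSL name that
# SSLContext.get_ciphers() and SSLSocket.cipher() report.
PAGE_SUITES = {
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
}

# Constructed sample: a TLS 1.2 client that only offers RSA key exchange.
LEGACY_OFFER = ["AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"]

def tls12_context():
    """Client context that refuses anything older than TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def shared_suites(offered):
    """Listed suites (IANA names) a client offering `offered` could negotiate."""
    return sorted(PAGE_SUITES[name] for name in offered if name in PAGE_SUITES)

def local_offer():
    """OpenSSL names of the suites this Python runtime would offer."""
    return [c["name"] for c in tls12_context().get_ciphers()]

def probe(host, port=443, timeout=10):
    """Handshake with `host`; return (protocol version, negotiated suite)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
            name = tls.cipher()[0]
            return tls.version(), PAGE_SUITES.get(name, name)

if __name__ == "__main__":
    print("this runtime shares:", shared_suites(local_offer()))
    print("legacy offer shares:", shared_suites(LEGACY_OFFER))  # empty list
    try:  # test host from the list above, announced as temporary
        print("negotiated:", probe("tlstest.dialoginsight.dev"))
    except OSError as exc:
        print("handshake failed:", exc)
```

An empty result from `shared_suites` means the handshake would fail even though the client supports the protocol version.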
What you need to do if you are affected
You need to update your software and systems to compatible versions before Oct. 19.
If you are unable to do so by that date, you can also consider the option of implementing an outbound proxy server. An outbound proxy server is a server application that acts as an intermediary between your applications and the servers you need to connect to, and that can manage the TLS 1.2 aspect of the connection on behalf of your application. The specifics of implementing a proxy server depend on your network configuration, and Dialog Insight cannot make recommendations or assist in this process, but your team might consider this approach to be appropriate for your situation.