by Adam Tworkiewicz
In October of last year, industry security researchers identified a vulnerability in the Secure Sockets Layer 3.0 (SSLv3.0) encryption protocol.
In response, the Payment Card Industry (“PCI”) Council, as well as Visa and MasterCard, have issued a mandate that all merchants and service providers configure their systems in a manner to ensure secure connections between relevant systems by June 2016.
In support of this PCI mandate, Sabre is asking customers to take action by December 31, 2015 to avoid potential disruptions: client applications that connect to the Sabre APIs using the SSLv3.0 encryption protocol, or any version of Transport Layer Security (TLS) prior to version 1.2, may lose the ability to connect.
In the future, Sabre will no longer support communication with ciphers using keys shorter than 128 bits.
From the PCI Security Standards Council:
“Due to the nature of web-based environments, e-commerce implementations have the highest susceptibility and are therefore at immediate risk from the known vulnerabilities in SSL/early TLS.”
Customers using the public Internet to consume Sabre APIs fit that description, so the update to TLSv1.2 is imperative.
This is a security requirement regardless of whether the data being accessed is PCI related. As this is an industry-wide initiative, customer IT organizations should determine what actions are required to comply.
Sabre APIs (SOAP and REST APIs)
No new versions of Sabre APIs are required to comply with this mandate, but developers should review their configurations to ensure all systems are using the correct protocols.
The table below identifies the recommended encryption protocols and ciphers that should be used. Once the changes are implemented, any communication that cannot negotiate TLSv1.2 or that uses an unsupported cipher will be rejected.

|Unsupported Encryption Protocols|Supported Encryption Protocols|
|---|---|
|Secure Sockets Layer (SSL) versions 1.0, 2.0, and 3.0|TLSv1.2 and higher|
|TLSv1.0 and TLSv1.1| |

|Unsupported Ciphers|Supported Ciphers|
|---|---|
|MD5, RC4, DES, EXPORT, aNULL and eNULL|Strong ciphers with key lengths >= 128 bits must be used|
The following URLs can be used to test connection with your client application, prior to applying the required changes to comply with this mandate:
https://sws-tls.cert.sabre.com/ (SOAP APIs)
https://api-tls.cert.sabre.com/ (REST APIs)
NOTE: the test URLs above are provided for the purpose of testing TLSv1.2 compliance.
The actions customers need to take will vary depending on the configuration used to connect to Sabre APIs, mainly the client libraries/frameworks and the programming language in use.
As a start, a simple test – run from the customer application – against the endpoints provided above (depending on use of SOAP and/or REST APIs) should tell whether the current configuration is compliant with TLSv1.2.
Here are some examples of exceptions/errors received when a connection cannot be established using TLSv1.2:
- .NET: “The request was aborted: Could not create SSL/TLS secure channel”
- Java: “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure”
With that – and since each customer configuration can be unique – a review by the customer's IT department/development team is encouraged to ensure the necessary actions have been taken.
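The simple test described above can be scripted. The following is an added example, not Sabre's code: a Python probe that handshakes with the test hosts from this page and checks the negotiated protocol and cipher against the table above. The cipher-name tokens assume OpenSSL naming, and the result describes the Python/OpenSSL stack it runs on, so the same check still has to be repeated from the application's own runtime.

```python
import re
import socket
import ssl

ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}   # the table's "TLSv1.2 and higher"
MIN_KEY_BITS = 128
# Assumption: OpenSSL-style name tokens for the table's MD5, RC4, DES, EXPORT,
# aNULL (ADH/AECDH) and eNULL (NULL). DES also matches 3DES (DES-CBC3-SHA).
BANNED_TOKENS = {"MD5", "RC4", "DES", "EXP", "EXPORT", "NULL", "ADH", "AECDH"}


def policy_violations(version, cipher_name, secret_bits):
    """Return a list of reasons the negotiated session breaks the policy."""
    problems = []
    if version not in ALLOWED_VERSIONS:
        problems.append(f"protocol {version} is older than TLSv1.2")
    banned = sorted(set(re.split(r"[-_]", cipher_name.upper())) & BANNED_TOKENS)
    if banned:
        problems.append(f"cipher {cipher_name} uses {', '.join(banned)}")
    if secret_bits < MIN_KEY_BITS:
        problems.append(f"key length {secret_bits} is below {MIN_KEY_BITS} bits")
    return problems


def strict_context():
    """Client context that verifies certificates and refuses pre-1.2 protocols."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=10):
    """Handshake with host; return (protocol version, cipher name, key bits)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()
            return tls.version(), name, bits


if __name__ == "__main__":
    for host in ("sws-tls.cert.sabre.com", "api-tls.cert.sabre.com"):
        try:
            version, name, bits = probe(host)
        except OSError as exc:  # includes ssl.SSLError handshake failures
            print(f"{host}: connection failed: {exc}")
            continue
        issues = policy_violations(version, name, bits)
        print(f"{host}: {version} {name} ({bits} bits):", issues or "compliant")
```

A handshake failure reported here corresponds to the .NET and Java errors listed above: the client stack could not agree on TLSv1.2 with the server.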
Finally, if you have any concerns about making the necessary changes by December 31, 2015, please contact your Sabre Account Director.