PCI-Mandated Upgrade to TLS v1.2

by Tracy Edes

What you need to know about upgrading from SSL and early TLS encryption protocols

 

Over the past few years, security researchers have identified vulnerabilities in Secure Sockets Layer 3.0 (SSLv3.0) and in early versions of the TLS encryption protocol. In response, the Payment Card Industry (“PCI”) Council, as well as Visa and MasterCard, have issued a mandate that all merchants and service providers configure their systems to ensure secure connections between relevant system endpoints by June 30, 2018.

In support of this PCI mandate, Sabre will disable the ability to connect to the Sabre APIs using SSLv3.0 or any version of Transport Layer Security (TLS) before version 1.2.

Why upgrade?

Connecting to any Sabre system, or accessing other PCI-compliant systems, to conduct business will require TLS 1.2 encryption. Upgrading to TLS 1.2 provides the highest level of protection against known vulnerabilities.

The use of TLS 1.2 is a security requirement regardless of whether the data being accessed is PCI related. As this is an industry-wide initiative, customer IT organizations should determine what actions are required to comply. Customers using the public Internet to consume Sabre APIs fit that description, so the update to TLS 1.2 is imperative.

Resources

“Due to the nature of web-based environments, e-commerce implementations have the highest susceptibility and are therefore at immediate risk from the known vulnerabilities in SSL/early TLS.”

    • For more detailed information regarding Sabre API environments and versioning, visit the PCI Mandate page on the Sabre Dev Studio site.
    • Not sure if you’ve completed the required upgrade? Use the following URLs to test the connection with your client application:

      https://sws-crt.cert.havail.sabre.com/ (SOAP APIs)
      https://api-crt.cert.havail.sabre.com/ (REST APIs)

    • Please see the full details of affected URLs/IPs on our API Versioning page. As of June 30, 2018, Sabre will only support TLS v1.2 (and higher) encryption methods via the latest endpoints posted on our environments page.

Action Required

The actions required will vary depending on the configuration used to connect to Sabre APIs, mainly based on client libraries/frameworks used and programming language.

As a starting point, a simple test from the customer application against the endpoints provided above (SOAP and/or REST, depending on which APIs are used) should tell whether the current configuration is compliant with TLS 1.2.

Here are some examples of exceptions/errors received when a connection cannot be established:
• .NET: “The request was aborted: Could not create SSL/TLS secure channel.”
• Java: “javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure.”
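
The test described above can be scripted from the client host. The following is an added example, not Sabre's code, and it uses Python rather than the .NET or Java stacks quoted above: it attempts a handshake that refuses anything below TLS 1.2 against the two certification endpoints listed on this page and separates handshake failures from certificate and network errors. The function names and status labels are assumptions made for this illustration.

```python
import socket
import ssl

# Sabre certification endpoints listed on this page.
ENDPOINTS = {
    "SOAP": "sws-crt.cert.havail.sabre.com",
    "REST": "api-crt.cert.havail.sabre.com",
}
COMPLIANT_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def tls12_context():
    """Client context that verifies the server and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=5.0):
    """Attempt one handshake and return (status, detail).

    status is 'ok' (detail = negotiated version), 'cert_error',
    'handshake_failed' or 'unreachable' (detail = error text).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:  # must precede SSLError
        return "cert_error", str(exc)
    except ssl.SSLError as exc:  # protocol or cipher mismatch, fatal alerts
        return "handshake_failed", str(exc)
    except OSError as exc:  # DNS failure, refused connection, timeout
        return "unreachable", str(exc)


def is_compliant(result):
    """True only when the handshake completed on TLS 1.2 or later."""
    status, detail = result
    return status == "ok" and detail in COMPLIANT_VERSIONS


if __name__ == "__main__":
    print("TLS library:", ssl.OPENSSL_VERSION)
    for api, host in ENDPOINTS.items():
        result = probe(host)
        print(api, host, result, "compliant" if is_compliant(result) else "NOT compliant")
```

A passing result here only describes the Python runtime on that host; the application's own client library still needs the same test run from inside the application.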

With that said, and since each customer configuration can be unique, a review by the customer’s IT department/development team is encouraged to ensure the necessary actions have been taken.

Finally, if you have any concerns about making the necessary changes by June 30, 2018, please use the Contact Us form.
