TLSv1.2, or greater, is required

In a constant effort to make our web services more secure, NYU IT will be disabling support for Transport Layer Security (TLS) v1 and v1.1, effective September 20, 2019. These versions lack support for current and recommended cipher suites, and various government and industry profiles of applications using TLS now mandate avoiding these old TLS versions. TLSv1.2, or greater, has been the recommended version for Internet Engineering Task Force (IETF) protocols since 2008, providing sufficient time to transition away from older versions.

What may affect you

Most of you won't be affected by this change. We’ve started to contact some teams and users directly, based on what we find in our logs. However, we recommend that you check to make sure that everything you use to connect to the following domains supports TLSv1.2. This includes (but is not limited to) your browser, server systems, API clients, and anything else that may be linked to NYU sites.

As a precaution, please review the following list of items that may or may not affect you:

  • Browser connections are probably unaffected, unless you use a very old browser. Wikipedia has a chart detailing TLS support in web browsers, and you should be able to check your browser’s version there. Some browsers also make connection details visible in the developer tools or by clicking the padlock icon in the address bar.
  • Java-based systems may be affected; you will need to check the underlying version of Java. JDK 8 is unaffected; JDK 7 versions 1.7.0_131-b31 and later are unaffected; JDK 7 versions earlier than 1.7.0_131-b31 are affected; and JDK 6 and older are affected.
  • Python-based systems may be affected; if you don’t have Python 2.7.9 or higher and OpenSSL 1.0.1 or higher, you will need to upgrade your Python environment. The change to the SSL module was only backported to 2.7.9.
  • Verify that PHP and libcurl versions are up to date and support TLS 1.2. Also, please ensure you have not configured your code to force TLS 1.0 or 1.1. If the libcurl constant is set, you will want to remove it; for reference it looks like this:
    CURL_SSLVERSION_TLSv1
  • Command line tools on UNIX-based systems (including macOS, Linux, and all BSDs) may be affected.
  • If you have an API client, then please check that the libraries your client uses support TLSv1.2 at a minimum.

Next steps

The exact details of your upgrade will depend on what you use and how it’s installed. We’ll remind everyone as September 20 approaches, but if you discover that you are affected, then you need to start planning now.

If you believe that your runtime or your machine is preventing the negotiation from going above 1.0, you can write a script that calls the URL https://www.howsmyssl.com/a/check, which returns some JSON information about the connection, and then prints out the TLS version that was used. These scripts are all set to allow the negotiation process to choose the best options (TLS1.2); if you are not seeing 1.2, then some language or machine dependency does not support a modern enough version.
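One way to write such a check in Python, as an added example that is not NYU IT's own script: it reports what the local ssl module is built against, then connects with default settings and reads the negotiated version from the response. It assumes the JSON body carries a "tls_version" field of the form "TLS 1.2"; the function names and sample bodies are this example's own.

```python
"""Added example: can this Python runtime negotiate TLS 1.2 or greater?"""
import json
import re
import ssl
import urllib.request

CHECK_URL = "https://www.howsmyssl.com/a/check"  # URL given on this page
MINIMUM = (1, 2)  # TLSv1.2, the minimum required after the change

# Constructed sample bodies (not captured output); only "tls_version" is read.
SAMPLE_OLD = '{"tls_version": "TLS 1.0", "rating": "Bad"}'
SAMPLE_OK = '{"tls_version": "TLS 1.2", "rating": "Probably Okay"}'


def parse_tls_version(body):
    """Return (major, minor) from the JSON body; assumes a "TLS x.y" label."""
    label = json.loads(body)["tls_version"]
    match = re.fullmatch(r"TLS (\d+)\.(\d+)", label.strip())
    if not match:
        raise ValueError("unrecognised tls_version: %r" % label)
    return int(match.group(1)), int(match.group(2))


def is_affected(body):
    """True when the negotiated version is below TLSv1.2."""
    return parse_tls_version(body) < MINIMUM


def runtime_report():
    """Local facts that decide what the ssl module is able to offer."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_at_least_1_0_1": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        "has_tls1_2": getattr(ssl, "HAS_TLSv1_2", hasattr(ssl, "PROTOCOL_TLSv1_2")),
    }


def check_live(url=CHECK_URL, timeout=10):
    """Connect with default settings so negotiation picks the best version."""
    context = ssl.create_default_context()  # no version pinned, certs verified
    with urllib.request.urlopen(url, timeout=timeout, context=context) as resp:
        body = resp.read().decode("utf-8")
    return parse_tls_version(body), is_affected(body)


if __name__ == "__main__":
    print(runtime_report())
    version, affected = check_live()
    print("negotiated TLS %d.%d; affected=%s" % (version + (affected,)))
```

If the report shows an OpenSSL older than 1.0.1 or no TLS 1.2 support, the runtime itself needs upgrading before any client code change will help.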

Webmasters are strongly urged to upgrade to TLSv1.2, or greater, before September 20, 2019.