Support Ending for TLS v1.0 RC4 Cipher and SSL v3.0

The Constant Contact API will no longer support RC4 cipher suite in TLS v1.0 and SSL v3.0 when establishing secure connections.

What they are

  • Transport Layer Security (TLS) protocol v1.0 RC4 cipher suite – original release of the successor to SSL v3.0, detailed in RFC 2246.
  • Secure Sockets Layer (SSL) v3.0 is a protocol used to authenticate and encrypt communications between clients and servers over TCP/IP networks. SSL 3.0 was widely adopted across the internet, and was replaced by the more secure TLS v1.0 in 1999.

How they’re used

When a client attempts to connect to our API systems (server), the SSL v3.0 or the TLS v1.0 protocol, along with others, can be used to authenticate and encrypt the connection.

Why are we talking about them?

  • A security vulnerability recently identified in the design of SSL v3.0 allows the plaintext of secure connections to be calculated by a network attacker. Read CVE-2014-3566 for more details.
  • The RC4 cipher suite

What we’re doing

  • Disabling SSL 3.0 support, or CBC-mode ciphers with SSL 3.0
  • Disabling support for the RC4 cipher suite used in TLS v1.0

When we’re doing it

At 11:59 pm ET, Friday November 21, 2014

What is the impact?

All clients requesting connections with our API system will need to use TLS v1.0 with the AES 128 or 256 bit cipher suite enabled, or use the TLS v1.1 or 1.2 protocol. Clients using SSL v3.0 or TLS v1.0 with the RC4 cipher suite will not be able to connect to our API servers.

What you will see:

Failed connection attempts when trying to connect to our API system. When troubleshooting the connection, you will see either of these conditions, depending on your client setting:

  • SSL v3.0 handshake failure
  • TLS v1.0 handshake failure

Who is impacted?

Any client system that currently uses either SSL v3.0 or TLS v1.0 to secure HTTPS connections with our API servers will be impacted.

Solutions/Workarounds

  1. Disable SSL v3.0 and the RC4 cipher suite in TLS v1.0 on your client.
  2. Enable the AES 128 and 256 bit cipher suites for TLS v1.0.

You may need to upgrade or patch your operating system to install and use the AES 128 and 256 bit cipher suites for TLS v1.0, or TLS v1.1 or 1.2, to secure HTTPS.

For systems running Windows Server 2003, see Microsoft Security Advisory 3009008 for instructions on installing the necessary patches.

For systems running Windows XP, there is no upgrade or security patch available to resolve the issue. These systems will require a migration to a different OS in order to comply.

Also, consider enabling TLS v1.1 and 1.2 on your client.
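
The client-side settings above can be checked offline before the cutoff. The following is an added example, not Constant Contact's code: it assumes a Python client using the standard `ssl` module, takes the TLS v1.2 path rather than TLS v1.0 with AES, and its function names and sample cipher list are constructed for illustration.

```python
import ssl


def build_client_context():
    """Client context with SSL v3.0 off, RC4 excluded and AES suites enabled."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: client can use TLS v1.2
    # OpenSSL cipher string: allow AES 128/256, drop RC4 and unauthenticated/null suites.
    ctx.set_ciphers("AES128:AES256:!RC4:!aNULL:!eNULL")
    return ctx


def audit_cipher_names(names):
    """Return a list of problems found in OpenSSL cipher suite names."""
    problems = []
    rc4 = sorted(n for n in names if "RC4" in n)
    if rc4:
        problems.append("RC4 suites enabled: " + ", ".join(rc4))
    if not any("AES" in n for n in names):
        problems.append("no AES 128/256 suite enabled")
    return problems


def audit_context(ctx):
    """Check a context against the requirements: no SSL v3.0, no RC4, AES present."""
    problems = audit_cipher_names([c["name"] for c in ctx.get_ciphers()])
    sslv3_off = bool(ctx.options & ssl.OP_NO_SSLv3) or (
        ctx.minimum_version >= ssl.TLSVersion.TLSv1
    )
    if not sslv3_off:
        problems.insert(0, "SSL v3.0 not disabled")
    return problems


# Constructed sample: cipher names a legacy client might offer (not captured data).
LEGACY_SAMPLE = ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]

if __name__ == "__main__":
    print("hardened context:", audit_context(build_client_context()) or "OK")
    print("legacy sample:", audit_cipher_names(LEGACY_SAMPLE))
```

An empty list from `audit_context` means the context offers no RC4 suite, has SSL v3.0 disabled, and includes at least one AES suite.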
