End of TLS 1.0 and weak cipher support

DocuSign is ending support for TLS 1.0 and weak cipher suites on June 25, 2018. This date has been set by the PCI Security Standards Council and is an industry requirement to remain PCI compliant.

TLS 1.0 Support for Demo environment will end on May 29th

This earlier date in Demo will help customers plan and test for the production cutoff date of June 25th.

It will provide a period of time for customers to make any necessary updates to integrations before the production environments drop support for TLS 1.0.

End of Support dates:

Environment

TLSv1.0 and weak cipher Deprecation Date

Demo

5/29/18

Production

6/25/18


Table of Contents

Overview


What are TLS and cipher suites?

TLS or Transport Layer Security provides privacy and data integrity by allowing for encrypted communications between two end points. Encryption of these communication channels ensures that unauthorized third parties are unable to see or intercept the data being transmitted. In addition, TLS confirms data that is sent to a remote endpoint reaches the correct destination by verifying the identity of the endpoint. The three versions of TLS in use today are 1.0, 1.1 and 1.2. Under the covers, cipher suites are the encryption algorithms used within TLS to encrypt the data. The stronger the cipher suite, the harder it will be for third parties to breach the communication.

What is changing?

DocuSign will be upgrading services to support only TLS 1.1 or higher starting on May 29, 2018 in DEMO and June 25, 2018 in PRODUCTION. On these dates, DocuSign is disabling TLS 1.0 and weak cipher suites. Any customer continuing to use TLS 1 or weak cipher suites will experience disruptions in service.

Why is this change necessary?

Stopping support for TLS 1.0 and weaker ciphers has been mandated by PCI Security Standards Council and is an industry requirement to remain PCI compliant. In addition, DocuSign is committed to security and a big part of this is deprecating support for technology that put our customers at risk. The advancement in computing power along with cloud computing has made TLS 1.0 and certain ciphers considered weak and breakable.

For more information refer to the PCI council blog post:

https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

For information on DocuSign’s commitment to security refer to our site:

https://www.docusign.com/how-it-works/security

What ciphers are planned to be decommissioned?

In addition to retiring the TLS 1.0 protocol, we will also remove a set of cipher suites which are no longer considered secure. This includes ciphers such as 3DES along with a few others that have an insufficient key length to securely encrypt communications.

The ciphers to be retired include the following:

  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
 

How will I be impacted? 

TLS 1.0 and these weak cipher suites are still being used by a small set of customers to support integrations. These integrations will need to be updated to support TLS 1.1 or above and secure, modern ciphers. Updating is often as easy as recompiling the solution with updated libraries. The PCI Security Standards Council has published detailed guidance for migration from SSL and early TLS here.

After DocuSign disables TLS 1.0, any inbound connections to or outbound connections from DocuSign that have not been migrated from TLS 1.0 will fail.

How to avoid service disruption?

Depends on how customers are accessing DocuSign. The recommendation is for customers to inventory their connection points to DocuSign and ensure they are up to date with support for TLS 1.1 or better and strong cipher suites.

Actions

Internet Browsers

Web browser based interactions with DocuSign will fail if not configured properly. Please refer to the list of supported browsers for connecting to DocuSign. In many cases, simply changing to a modern browser will solve connectivity issues.

How to test your if your browser is compatible

SSL Labs provides a compatibility test that can be used to verify web browsers support TLS 1.1 or later:

https://www.ssllabs.com/ssltest/viewMyClient.html

If the Protocol Support box on the validation site says, “Your user agent has good protocol support.”, no action is required.

Action Required for Browser Compatibility

If the validation indicates that your browser does not support TLS 1.1 or higher, refer to the compatibility matrix below to ensure you are using a supported browser. Any users on a browser that does not support TLS 1.1 or higher will NOT be able to access DocuSign on May 29, 2018 (Demo) and June 25, 2018 (Production). We recommend that you begin planning to support TLS 1.1 and TLS 1.2 as soon as possible to prevent interruption of access to DocuSign.

NOTE: The minimum requirement is to enable TLS 1.1 or TLS 1.2 encryption protocol within your browser security settings. As a best practice we recommend disabling TLS 1.0 altogether to provide a more secure browsing experience. However, having TLS 1.0 alongside 1.1 and 1.2 enabled within the browser will still work.

TLS compatibility overview:

Microsoft Internet Explorer (IE) and Microsoft Edge

Browser Version

TLS Support

Desktop and mobile Internet Explorer 11 (Windows 8 and 10)

Yes - TLS 1.1 or better by default

Internet Explorer 8, 9, and 10

Only on Windows 7 or above. Must be manually enabled.
Microsoft has provided guidance for manually activating here: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in


Operating systems Windows Vista and earlier cannot be configured to support TLS 1.1 or higher.

Internet Explorer 7 and earlier

No Support

Mobile IE versions 10 and earlier

No Support

Microsoft Edge

Yes - TLS 1.1 or better by default

 

Mozilla Firefox

Browser Version

TLS Support

Firefox 27 and higher

Yes - TLS 1.1 or better by default

Firefox 23 to 26

Supports TLS 1.1 or better if configured. Follow the Firefox instructions here for steps to enable TLS 1.1 or higher.

Firefox 22 and earlier

No Support

 

Google Chrome (desktop and mobile)

Browser Version

TLS Support

Google Chrome 38 and higher

Yes - TLS 1.1 or better by default

Google Chrome 22 to 37

Supports TLS 1.1 or better only on the following operating systems:

Windows XP SP3, Vista, or newer

OS X 10.6 (Snow Leopard) or newer

Android 2.3 (Gingerbread) or newer

Google Chrome 21 and earlier

No Support

Google Android OS 5.0 (Lollipop) and higher

Yes - TLS 1.1 or better by default

Google Android OS 4.4 (KitKat) to 4.4.4

Varies by device

Google Android OS 4.3 (Jelly Bean) and earlier

No Support


Apple Safari (desktop and mobile)

Browser Version

TLS Support

Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher

Yes - TLS 1.1 or better by default

Safari versions 6 and earlier for OS X 10.8 (Mountain Lion) and below

No Support

Mobile Safari versions 5 and higher for iOS 5 and higher

Yes - TLS 1.1 or better by default

Mobile Safari for iOS 4 and below

No Support

API Integrations 

If using integrations to connect to DocuSign via an API or a 3rd party application, then you may need to follow some additional steps. The best way to work through this is to contact the owner of your solution.

If using a 3rd party integration you will want to reach out to the 3rd party to ensure they are using TLS 1.1 or later and strong cipher suites.

If you own an integration with DocuSign via the REST or SOAP API – you must ensure it is negotiating TLS 1.1 or later and strong cipher suites within your code. You may be using a code library to assist with development and API protocol communication.

This SSL Report can help you validate different versions for compatibility with your integration:

https://www.ssllabs.com/ssltest/analyze.html?d=www.docusign.net

Here are some of the clients that DocuSign recommends upgrading from if you currently have one of these in use in your organization:

# Not simulated clients (Protocol mismatch)

Android 2.3.7 No SNI 2

Protocol mismatch (not simulated)

Android 4.0.4

Protocol mismatch (not simulated)

Android 4.1.1

Protocol mismatch (not simulated)

Android 4.2.2

Protocol mismatch (not simulated)

Android 4.3

Protocol mismatch (not simulated)

Baidu Jan 2015

Protocol mismatch (not simulated)

IE 6 / XP No FS 1 No SNI 2

Protocol mismatch (not simulated)

IE 7 / Vista

Protocol mismatch (not simulated)

IE 8 / XP No FS 1 No SNI 2

Protocol mismatch (not simulated)

IE 8-10 / Win 7 R

Protocol mismatch (not simulated)

IE 10 / Win Phone 8.0

Protocol mismatch (not simulated)

Java 6u45 No SNI 2

Protocol mismatch (not simulated)

Java 7u25

Protocol mismatch (not simulated)

OpenSSL 0.9.8y

Protocol mismatch (not simulated)

Safari 5.1.9 / OS X 10.6.8

Protocol mismatch (not simulated)

Safari 6.0.4 / OS X 10.8.4 R

Protocol mismatch (not simulated)

The following web clients versions will support DocuSign after TLS 1.0 has been deprecated:

Android 4.4.2

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Android 5.0.0

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Android 6.0

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Android 7.0

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

BingPreview Jan 2015

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Chrome 49 / XP SP3

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Chrome 57 / Win 7 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Firefox 31.3.0 ESR / Win 7

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Firefox 47 / Win 7 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Firefox 49 / XP SP3

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Firefox 53 / Win 7 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Googlebot Feb 2018

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

IE 11 / Win 7 R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

IE 11 / Win 8.1 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

IE 11 / Win Phone 8.1 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

IE 11 / Win Phone 8.1 Update R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

IE 11 / Win 10 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Edge 15 / Win 10 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Edge 13 / Win Phone 10 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Java 8u161

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

OpenSSL 1.0.1l R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

OpenSSL 1.0.2e R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Safari 6 / iOS 6.0.1

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

Safari 7 / iOS 7.1 R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

Safari 7 / OS X 10.9 R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

Safari 8 / iOS 8.4 R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

Safari 8 / OS X 10.10 R

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH secp256r1 FS

Safari 9 / iOS 9 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Safari 9 / OS X 10.11 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Safari 10 / iOS 10 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Safari 10 / OS X 10.12 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Apple ATS 9 / iOS 9 R

RSA 2048 (SHA256)

TLS 1.2 > http/1.1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Yahoo Slurp Jan 2015

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

YandexBot Jan 2015

RSA 2048 (SHA256)

TLS 1.2

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH secp256r1 FS

Microsoft also provides extensive documentation about the TLS 1.0 change if you are a current Microsoft customer:

https://www.microsoft.com/en-us/download/details.aspx?id=55266

If you are unsure of your compatibility, please reach out to your DocuSign Support representative or create a ticket with our help desk to have assistance with checking compatibility. 

Connect Integrations

Connect listeners are also impacted by the TLS 1.0 and weak cipher suite deprecation.

PCI compliance mandates that all inbound and outbound requests are required to deprecate TLS 1.0 connections along with legacy ciphers listed above.

Customers using Connect listeners, should ensure their listener is capable of TLS 1.1 or higher to avoid service interruptions after the cutoff dates.

Each language/library used to implement the Connect listener is different. Below are some of the more commonly used.

Java applications:

  • Java 6 (1.6) or a lower version is not compatible with TLS 1.1 or higher
  • Java 7 (1.7) has support for TLS 1.1 and TLS 1.2 but this is not enabled by default
  • Java 8 (1.8) or a higher version has default support for TLS 1.1 or TLS 1.2
 

.NET applications:

  • The protocol can be specified for your application using the ServicePointManager class. The SecurityProtocol property allows you to specify the TLS version directly like this:
 System.Net.ServicePointManager.SecurityProtocol =  SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
This article explains how to enable the strongest security available for the version of the .NET Framework that your app targets and runs on.  
 

Applications relying on OpenSSL (PHP, Perl, Python etc):

  • OpenSSL v1.01 or newer supports TLS 1.1 and TLS 1.2
 

Please check with your IT and development team if any action is needed to support TLS 1.1/1.2 for your DocuSign Connect listeners

DocuSign Products

The following products are updated to be compliant with TLS 1.2. You must upgrade and install the newest version.
The following legacy products are no longer supported at all and will cease to function entirely:
  • DocuSign for Outlook (Windows .MSI Install) - (Not to be confused with DocuSign for Outlook which is still supported)
  • DocuSign for SharePoint On-Prem 2010
  • DocuSign for Dynamics On-Prem 2011

Related