TLS 1.0 Deprecation Notice - September 2019
From the 1st of February 2020, Vend will deprecate the use of TLS 1.0 for any application communicating with any Vend API product. After this cutoff date, all applications communicating with Vend products must use TLS 1.1 or above.
We recommend applications upgrade to TLS 1.2 as the Vend API already has support for this.
Why is Vend making this change?
Although Vend provides our APIs via our TLS gateway, with support for TLS 1.3, TLS 1.2 and TLS 1.1, we have continued to support TLS 1.0 for legacy reasons.
For a number of reasons, the time has come to remove support for this older protocol:
- TLS 1.0 has some known vulnerabilities, which have been addressed in TLS 1.1 and higher.
- The PCI Council suggested that organizations migrate from TLS 1.0 to TLS 1.1 or higher before June 30, 2018.
- In October 2018, Apple, Google, Microsoft, and Mozilla jointly announced they would deprecate TLS 1.0 and 1.1 in March 2020.
We recommend that all integrators upgrade as soon as possible. We are giving integrators several months' notice to act on this change.
Am I affected?
This announcement is directed towards developers integrating with the Vend APIs - developers of Vend Addon Applications, and users of Personal Access Tokens.
You should be able to verify that your framework or library supports TLS 1.1+ by checking its documentation.
If you are not sure, there are various services available that can determine whether your application supports TLS 1.1 or TLS 1.2.
One example is badssl.com:
- If your app tries to connect to the URL https://tls-v1-1.badssl.com:1011/ using TLS 1.0, the server will reject the connection.
- Note that badssl.com is a free service, not provided by Vend.
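An added example, not Vend's code: a Python check of the protocol version your client stack actually negotiates with a given host, which can be the API hostname your integration uses (passed on the command line, since this notice names none) or the badssl.com host above. The function names and verdict strings are this example's own.

```python
import socket
import ssl
import sys

# Strings returned by ssl.SSLSocket.version(), oldest first.
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def hardened_context():
    """Client context that verifies certificates and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_version(host, port=443, ctx=None, timeout=10):
    """Handshake with host:port; return the protocol string, or None on failure."""
    ctx = ctx or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except OSError:  # covers ssl.SSLError, refused connections and timeouts
        return None


def verdict(version):
    """Map a negotiated version onto the cutoff described in this notice."""
    if version is None:
        return "handshake failed"
    if version not in ORDER:
        return "unknown protocol"
    if ORDER.index(version) <= ORDER.index("TLSv1"):
        return "affected"
    if version == "TLSv1.1":
        return "meets cutoff, TLS 1.2 recommended"
    return "ok"


if __name__ == "__main__":
    # Usage: python tls_check.py HOST [PORT]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for label, ctx in (("default", None), ("TLS 1.2 minimum", hardened_context())):
        print(f"{label}: {verdict(negotiated_version(host, port, ctx))}")
```

Against badssl.com's TLS 1.1-only endpoint, a failed handshake from the "TLS 1.2 minimum" context is expected, since that context refuses TLS 1.1.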
What should I do?
Most recent applications will use a library or framework to communicate via TLS. In most cases, recent versions of these libraries will already support newer versions of TLS.
We recommend moving to TLS 1.2 - it is not mandatory but it is the current version of the protocol.
An upgrade to TLS 1.1, TLS 1.2 or TLS 1.3 requires changes to the application to support the newer versions of TLS.
- Wikipedia article on TLS 1.0
- PCI recommendation to stop using TLS 1.0.
- Browser vendors agree to stop supporting TLS 1.0.
If you have any further questions on this topic, please contact Vend's API team by email at email@example.com for assistance.