PokitDok Security Update: SSL Protocol Upgrade Notice

Protection of our customers' data is of the utmost importance at PokitDok. To ensure our high security standards are met, we constantly iterate, making regular improvements and retiring older encryption protocols.

To align with these best practices and comply with updated requirements from the PCI Security Standards Council (PCI SSC), PokitDok will discontinue support for TLS versions 1.0 and 1.1 on our platform as of December 15, 2016. Any older browsers or API clients that do not support TLS 1.2 will no longer function.

The following post outlines this platform update and walks you through the actions you need to take in order to maintain normal activity after December 15.

WHAT ARE SSL AND TLS?

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) encrypt the channel between two endpoints to provide a private and reliable path for data to pass through. The PokitDok Platform uses it to connect securely to your browsers, and your servers also use it to send information to our APIs. The first version of TLS (1.0) was released in 1999, while the subsequent versions (1.1 and 1.2) were introduced in 2006 and 2008. TLS 1.3 is a working draft as of early 2016.

WHY YOU MUST UPGRADE TO TLS 1.2

Every website that processes or transmits credit card data will be making this upgrade. While the PCI SSC has delayed the full TLS 1.0 transition deadline to June 30, 2018, we still recommend that our users update to version 1.2 as soon as possible. With this security transition, our intent is to:

  • Maintain the integrity and authenticity of all data associated with our platform
  • Address the serious risk associated with the weaknesses of the SSL protocols, TLS 1.0, and TLS 1.1
  • Ensure all new applications are enabled with TLS 1.2 or greater to comply with the latest security standards

RISK

Failure to comply with this upgrade could risk the integrity of your data and has the potential to expose you to an attack. Since we will no longer support TLS 1.0 and 1.1, your connections will be refused if you fail to upgrade.

NEXT STEPS

Here are a few starting points for upgrading. For a number of languages, you need to verify that you are running a sufficiently recent version:

Ruby

Verify that your Ruby environment is using an underlying OpenSSL installation of version 1.0.1 or newer.

.NET

  • .NET 4.6 and above: You don’t need to do any additional work to support TLS 1.2, it’s supported by default.
  • .NET 4.5: TLS 1.2 is supported, but it’s not a default protocol. You need to opt in in order to use it. The following code makes TLS 1.2 the default; make sure to execute it prior to making a connection to a secured resource:

           // Run once at startup, before any HTTPS request is issued
           ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

  • .NET 4.0: TLS 1.2 is not supported; however, if you have .NET 4.5 (or above) installed on the system then you can still opt in to TLS 1.2 even if your application framework doesn’t support it. The only problem is that SecurityProtocolType in .NET 4.0 doesn’t have an entry for TLS 1.2, so you have to use the numerical representation of this enum value:

           // 3072 is the value of SecurityProtocolType.Tls12 in .NET 4.5 and later
           ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

  • .NET 3.5 or below: TLS 1.2 is not supported and there is no workaround. You will need to upgrade your application to a more recent version of the framework.

Java

Here is a link to the official reference: LINK

  • JDK v1.6: Upgrade to JDK v1.7 or greater
  • JDK v1.7: Use the system property -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2
  • JDK v1.8: No changes necessary

node.js

Verify that your linked OpenSSL library is version 1.0.1 or newer.

Go

No changes necessary.

Python

Verify that your linked OpenSSL library is version 1.0.1 or newer.

PHP

Verify that your linked OpenSSL library is version 1.0.1 or newer.

Android

Verify that you are deploying to Android 4.1+.

iOS

Upgrade to iOS 5+.
Testing with API Clients

The PokitDok open source API clients, https://github.com/PokitDok, have a handy helper method to test the negotiated SSL/TLS protocol version and cipher. For examples of using this method, see the documentation:

Python

Ruby

PHP

C#

NodeJS

The clients should return a protocol of "TLSv1.2". For any other response, please see the instructions above to address this for your language and platform.
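The two checks this post asks for, verifying that the linked OpenSSL is 1.0.1 or newer (the Ruby, node.js, Python and PHP sections) and confirming that a live connection actually negotiates TLSv1.2 (this section), are shown below as an added Python example. It is not code from the original post or from the PokitDok client libraries; the function names are my own, and the hostname api.example.com in the usage section is a placeholder to replace with the endpoint you are testing.

```python
import re
import socket
import ssl

# Minimum OpenSSL release that implements TLS 1.2 (the threshold the notice names).
MIN_OPENSSL = (1, 0, 1)


def parse_openssl_version(version_string):
    """Extract (major, minor, patch) from an OpenSSL banner such as
    'OpenSSL 1.0.1e-fips 11 Feb 2013' or 'OpenSSL 3.0.2 15 Mar 2022'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if match is None:
        raise ValueError("unrecognised OpenSSL version string: %r" % version_string)
    return tuple(int(part) for part in match.groups())


def openssl_supports_tls12(version_string):
    """True when the banner describes OpenSSL 1.0.1 or newer."""
    return parse_openssl_version(version_string) >= MIN_OPENSSL


def local_tls12_status():
    """Report whether the OpenSSL linked into this interpreter can speak TLS 1.2."""
    banner = ssl.OPENSSL_VERSION
    # ssl.HAS_TLSv1_2 exists on Python 3.7+; older interpreters rely on the banner alone.
    has_tls12 = getattr(ssl, "HAS_TLSv1_2", True)
    return {
        "openssl": banner,
        "tls12_ok": bool(has_tls12) and openssl_supports_tls12(banner),
    }


def meets_requirement(protocol_name):
    """A negotiated protocol passes when it is TLSv1.2 or a later version.
    Python reports TLS 1.0 as 'TLSv1', so anything without a '.N' suffix fails."""
    match = re.fullmatch(r"TLSv1\.(\d+)", protocol_name)
    return match is not None and int(match.group(1)) >= 2


def negotiated_protocol(host, port=443, timeout=5.0):
    """Open a TLS connection with the interpreter's default settings and return the
    (protocol_name, cipher_name) pair the server actually negotiated. Needs network access."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw_sock:
        with context.wrap_socket(raw_sock, server_hostname=host) as tls_sock:
            cipher_name = tls_sock.cipher()[0]
            return tls_sock.version(), cipher_name


if __name__ == "__main__":
    status = local_tls12_status()
    print("Linked OpenSSL: %s (TLS 1.2 capable: %s)" % (status["openssl"], status["tls12_ok"]))
    # Placeholder hostname; substitute the API endpoint you are testing against.
    protocol, cipher = negotiated_protocol("api.example.com")
    verdict = "OK" if meets_requirement(protocol) else "UPGRADE NEEDED"
    print("Negotiated %s with %s -> %s" % (protocol, cipher, verdict))
```

Run the script on the machine that hosts your integration: the first line tells you whether the linked OpenSSL is new enough, and the second tells you what the server and your interpreter actually agreed on, which is the same question the client libraries' helper method answers. A "TLSv1" or "TLSv1.1" result means the client side still needs the upgrade steps listed above even if the OpenSSL version check passed.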

More questions? Contact us. 
