Any plans on deprecating TLS 1.0 and 1.1?

gregarican Posts: 121 Member ✭
Almost all of my third-party API providers have retired TLS 1.0 and 1.1 this year, mainly due to heightened PCI compliance requirements put into place, effective 6/30/2018.


When I just looked in Fiddler against some of my source code that hits LS Retail API endpoints, it appears as if TLS 1.0 is still supported. See below.

If/when the API will require TLS 1.2, I assume that prior notification will be sent out to the customer and third-party base, correct? I ask seeing that there will need to be modifications made on our end.

Just wondering...

----------------------------------------

CONNECT cloud.merchantos.com:443 HTTP/1.1
Host: cloud.merchantos.com
Connection: Keep-Alive

A SSLv3-compatible ClientHello handshake was found. Fiddler extracted the parameters below.

Version: 3.1 (TLS/1.0)
Random: 5B 74 49 A1 C3 53 8D 75 EF D5 35 62 88 48 7C D2 5B 22 25 C2 B3 71 B3 A8 4C EA 63 DB AF 2A 4A 3E
"Time": 9/30/2055 3:34:51 PM
SessionID: empty
Extensions: 
server_name cloud.merchantos.com
elliptic_curves secp256r1 [0x17], secp384r1 [0x18]
ec_point_formats uncompressed [0x0]
extended_master_secret empty
renegotiation_info 00
Ciphers: 
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[0039] TLS_DHE_RSA_WITH_AES_256_SHA
[0033] TLS_DHE_RSA_WITH_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
[002F] TLS_RSA_AES_128_SHA
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[0038] TLS_DHE_DSS_WITH_AES_256_SHA
[0032] TLS_DHE_DSS_WITH_AES_128_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[0013] SSL_DHE_DSS_WITH_3DES_EDE_SHA
[0005] SSL_RSA_WITH_RC4_128_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5

Compression: 
[00] NO_COMPRESSION

----------------------------------------

HTTP/1.1 200 Connection Established
FiddlerGateway: Direct
StartTime: 11:41:21.633
Connection: close

Encrypted HTTPS traffic flows through this CONNECT tunnel. HTTPS Decryption is enabled in Fiddler, so decrypted sessions running in this tunnel will be shown in the Web Sessions list.

Secure Protocol: Tls
Cipher: Aes128 128bits
Hash Algorithm: Sha1 160bits
Key Exchange: ECDHE_RSA (0xae06) 256bits

== Server Certificate ==========
[Subject]
  CN=*.merchantos.com, OU=Domain Control Validated

[Issuer]
  CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US

[Serial Number]
  74ED04941899

[Not Before]
  4/10/2014 12:09:03 AM

[Not After]
  3/31/2019 10:18:02 PM

[Thumbprint]
  C8DCCE354D403D0E058911BBE5F1359B014F4228

[SubjectAltNames]
*.merchantos.com, merchantos.com
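
An added example, not part of the original post and not Fiddler or Lightspeed code: a small Python audit of a Fiddler ClientHello summary like the one quoted above. It reads the `Version:` field, which in a ClientHello is the highest protocol version the client itself offers, and flags RC4, 3DES and MD5 suites in the offered list; the function name, the policy tables and the trimmed sample are assumptions of this example.

```python
import re

# Constructed sample: a few lines excerpted from the Fiddler ClientHello summary above.
SAMPLE = """\
Version: 3.1 (TLS/1.0)
SessionID: empty
Ciphers:
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0035] TLS_RSA_AES_256_SHA
[000A] SSL_RSA_WITH_3DES_EDE_SHA
[0005] SSL_RSA_WITH_RC4_128_SHA
[0004] SSL_RSA_WITH_RC4_128_MD5

Compression:
[00] NO_COMPRESSION
"""

# Wire version (major, minor) -> protocol name; TLS 1.2 is 3.3 on the wire.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MIN_VERSION = (3, 3)  # example policy: the client must offer at least TLS 1.2
# Substring of the cipher name as Fiddler prints it -> reason it is flagged.
WEAK = {"RC4": "RC4 stream cipher", "3DES": "3DES (64-bit block)", "MD5": "MD5 MAC"}

def audit_client_hello(text):
    """Return (offered_version_name, meets_minimum, [(id, name, reasons), ...])."""
    m = re.search(r"^Version:\s*(\d+)\.(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line in input")
    ver = (int(m.group(1)), int(m.group(2)))
    findings, in_ciphers = [], False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Ciphers:"):
            in_ciphers = True
        elif in_ciphers and line:
            c = re.fullmatch(r"\[([0-9A-Fa-f]{4})\]\s+(\S+)", line)
            if not c:
                break  # reached the next section (e.g. "Compression:")
            reasons = [why for key, why in WEAK.items() if key in c.group(2)]
            if reasons:
                findings.append((c.group(1), c.group(2), ", ".join(reasons)))
    name = VERSIONS.get(ver, "unknown %d.%d" % ver)
    return name, ver >= MIN_VERSION, findings

if __name__ == "__main__":
    name, ok, weak = audit_client_hello(SAMPLE)
    print("client offers at most %s (%s)" % (name, "ok" if ok else "below TLS 1.2"))
    for cid, cname, why in weak:
        print("  [%s] %s: %s" % (cid, cname, why))
```

Because the version field reflects the client's own ceiling, a result of "TLS 1.0" here means the calling application needs to be reconfigured to offer TLS 1.2 before the server stops accepting older versions.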

3 comments

  • Michael Carey Posts: 48 Administrator, Lightspeed Staff moderator
    Hi Greg,

    Currently TLS1.0 is disabled on *.lightspeedapp.com but it is still enabled on *.merchantos.com.

    Our DevOps team will be disabling TLS1.0 very soon on the merchantos domain. I recommend using https://api.lightspeedapp.com instead.

    Thanks,
    Michael Carey
    API Integrations Specialist
    Lightspeed HQ
  • gregarican Posts: 121 Member ✭
    I updated all of my code to use TLS 1.2 when communicating with the merchantos.com API endpoints, so we should be fine. Thanks for the feedback!
  • Michael Carey Posts: 48 Administrator, Lightspeed Staff moderator
    You're welcome!
    Michael Carey
    API Integrations Specialist
    Lightspeed HQ