iWelcome provides various services that might contain sensitive information. For this reason, we need to make sure that communication with our services is done securely and adheres to current best practices.

TLS 1.0 and 1.1 are outdated protocols that do not support modern cryptographic algorithms, and they contain known weaknesses that attackers may exploit. The Internet Engineering Task Force (IETF) is also planning to officially deprecate both protocols. In addition, the vast majority of encrypted Internet traffic is now carried over TLS 1.2, which was introduced over a decade ago.
Google, Apple, Microsoft and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020. Qualys SSL Labs will also deprecate endpoints that still support TLS 1.0/1.1. The best practices outlined in RFC 7525 explain why the use of TLS 1.0 and TLS 1.1 is discouraged.

Change/Fix

Based on these best practices, the following settings have been determined as the current recommended configuration:

TLS version
• TLSv1.3 enabled where possible
• TLSv1.2
• TLSv1.0, TLSv1.1 disabled
• SSL2, SSL3 disabled

Ciphers
• EECDH+AESGCM:EDH+AESGCM

Strict-Transport-Security
• HSTS enabled, max-age 1 year, preload enabled
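As an added example (not iWelcome's own code), the following Python script uses the standard ssl module to build a server context from the settings above, lists which protocol versions it would still negotiate, verifies that every enabled TLS 1.2 suite is a forward-secret AES-GCM suite, and checks a Strict-Transport-Security header value against the policy. The includeSubDomains check is an assumption taken from the HSTS preload list submission requirements, which the page does not state.

```python
import ssl

ONE_YEAR = 31536000  # seconds; the max-age required by the HSTS setting above

def recommended_server_context():
    """Server-side SSLContext reflecting the recommended configuration."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Floor at TLS 1.2: SSLv3, TLS 1.0 and TLS 1.1 handshakes are rejected.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Ceiling is whatever the linked OpenSSL supports, i.e. TLS 1.3 where available.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # OpenSSL cipher string from the policy: ephemeral ECDH/DH key exchange with AES-GCM.
    # TLS 1.3 suites are not governed by this string; they are all AEAD and forward secret.
    ctx.set_ciphers("EECDH+AESGCM:EDH+AESGCM")
    return ctx

def accepted_protocols(ctx):
    """Names of the protocol versions the context would negotiate, lowest first."""
    candidates = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
                  ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2]
    if ssl.HAS_TLSv1_3:
        candidates.append(ssl.TLSVersion.TLSv1_3)
    hi = ctx.maximum_version
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:  # sentinel, not a real version number
        hi = candidates[-1]
    return [v.name for v in candidates if ctx.minimum_version <= v <= hi]

def weak_ciphers(ctx):
    """Enabled TLS 1.2 suites that are not ephemeral (EC)DH + AES-GCM; empty means compliant."""
    bad = []
    for c in ctx.get_ciphers():
        if c["protocol"] != "TLSv1.2":
            continue  # TLS 1.3 suites are fixed by OpenSSL and all AEAD
        name = c["name"]
        if not name.startswith(("ECDHE-", "DHE-")) or "-GCM-" not in name:
            bad.append(name)
    return bad

def check_hsts(header):
    """Findings for a Strict-Transport-Security value; empty list means it meets the policy."""
    directives = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            directives[key.lower()] = value.strip().strip('"')
    findings = []
    try:
        max_age = int(directives.get("max-age", "-1"))
    except ValueError:
        max_age = -1
    if max_age < ONE_YEAR:
        findings.append("max-age below one year")
    if "preload" not in directives:
        findings.append("preload missing")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains missing (assumed requirement for preload)")
    return findings
```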

Risks

Older systems/browsers may not support TLS 1.2. Below is a list of incompatible browsers/operating systems we found (unsupported versions).
Note: You may check your browser using the Qualys SSL Labs browser test.

Android
• version 4.3 and older

Internet Explorer
• IE6 / XP
• IE7 / Vista
• IE8 / XP
• IE8-10 / Win7
• IE10 / Win Phone 8.0 (8.1 update is supported)

Java
• version 6
• version 7

OpenSSL
• version 0.9.8y

Safari
• version 5
• version 6
• version 7/8 on older iOS/OSX: iOS 7/8 or OSX 10.9/10.10

For more information about currently supported browsers, please refer to Transport Layer Security Web browsers.

Testing Guidelines

The endpoints can be tested using Qualys SSL Labs. Using the server test (it takes only a few minutes to complete), you can see whether TLS 1.0/1.1 is enabled for your domain(s).