Sectigo ends support for TLS 1.0, June 22nd, 2017

Sectigo websites and ordering systems will no longer accept connections from servers and clients which do not have TLS 1.1 or higher enabled.

What's going on?

PCI standards require that TLS 1.0 can no longer be used for secure communications. All web servers and clients must transition to TLS 1.1 or above. The PCI DSS standards can be read in full here: https://www.pcisecuritystandards.org/document_library

Sectigo will disable TLS 1.0 on our web properties on 12th June 2017. From that date our servers will refuse connections from clients and servers that still use TLS 1.0.

All partners using the Sectigo API to order certificates should ensure that their API-calling systems support TLS 1.1 (or higher) by 12th June. TLS 1.0 will no longer be offered by our servers from that date, so orders placed over it will fail. Disabling TLS 1.0 support on your own systems will also help avoid future service interruptions and potential data loss.

Website visitors who attempt to connect to our sites with a browser which does not currently support TLS 1.1 or above will be automatically redirected to a help page which explains how to update their browser.

We have created a help page which contains mitigation advice here: https://support.sectigo.com/Com_KnowledgeDetailPageSectigo?Id=kA01N000000zFM1

What is the risk?

Among other weaknesses, TLS 1.0 is vulnerable to man-in-the-middle attacks, putting the integrity and authentication of data sent between a website and a browser at risk. Disabling TLS 1.0 (and earlier protocols) on your server is sufficient to mitigate this issue. Because Sectigo will end support for TLS 1.0 on 12th June, connections to our properties that use the protocol will no longer be accepted. API users are therefore strongly encouraged to configure their servers to use TLS 1.1 or higher so that orders continue to complete successfully.

How can I fix the issue?

API users should disable TLS 1.0 and below, and enable TLS 1.1 and above, on their servers which connect to our ordering systems. Sectigo have prepared the following guidance to help mitigate the issue: How to disable TLS 1.0 and below on Apache, NGINX and IIS: https://support.sectigo.com/Com_KnowledgeDetailPageSectigo?Id=kA01N000000zFM1

How can I check whether my website is vulnerable?

  • Enter your website URL at: https://www.sslshopper.com/ssl-checker.html
  • On the results page, scroll down to the ‘Protocol Versions’ section.
  • Sites with TLS 1.0, SSL 3.0 and SSL 2.0 will be reported as ‘Vulnerable’.
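Added example (not Sectigo's code, and not the checker linked above): a Python script for the two actions this notice asks for, a client SSLContext for API-calling systems that refuses TLS 1.0 and earlier, and a probe that offers your own server one legacy version at a time and mirrors the checker's 'Vulnerable' verdict. Host names and ports are assumptions; the probe deliberately skips certificate verification because it tests protocol acceptance only, and a version the local OpenSSL build cannot speak is reported as inconclusive rather than as a pass.

```python
import socket
import ssl

# Versions the notice says the online checker flags as 'Vulnerable'
# (SSL 2.0 is left out: current OpenSSL builds cannot speak it at all).
LEGACY = {"TLS 1.0": ssl.TLSVersion.TLSv1, "SSL 3.0": ssl.TLSVersion.SSLv3}

def api_client_context(floor=ssl.TLSVersion.TLSv1_2) -> ssl.SSLContext:
    """Client context for a system calling the ordering API: refuses everything
    below `floor` (the notice's floor is TLS 1.1; 1.2 is the practical minimum
    today) while keeping CA and hostname verification on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    return ctx

def probe_version(host, version, port=443, timeout=5.0) -> str:
    """Offer the server exactly one protocol version; returns 'accepted',
    'rejected', 'unsupported-locally' or 'error: ...'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we test protocol acceptance, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # local OpenSSL policy may otherwise block legacy versions
        ctx.minimum_version = version
        ctx.maximum_version = version           # pin the handshake to this single version
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"   # this build cannot offer it; fall back to an external checker
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except (ssl.SSLError, ConnectionResetError):
        return "rejected"              # server refused the version (alert or abrupt close)
    except OSError as exc:
        return f"error: {exc}"

def classify(results: dict) -> str:
    """Mirror the checker's verdict; a probe that could not run is inconclusive, not a pass."""
    if "accepted" in results.values():
        return "Vulnerable"
    if any(r != "rejected" for r in results.values()):
        return "Inconclusive"
    return "Not vulnerable"

def report(host, port=443):
    # Example call: report("www.example.com") -> ({version: outcome}, verdict); constructed host name
    results = {name: probe_version(host, ver, port) for name, ver in LEGACY.items()}
    return results, classify(results)
```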

NIST guidelines for the selection, configuration and use of TLS are available here: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf