MuleSoft is deprecating the use of the TLS v1.0 protocol for secure connections to the Anypoint Platform. Please refer to the important dates below.
Important Dates – TLS v1.0 access will no longer work, and all secure connections will have to use TLS v1.1 or TLS v1.2, on:
- May 31, 2018 (EU)
- June 2, 2018 (US & other regions)
There will be no extension to these dates.
MuleSoft asks that you complete the following actions before April 30, 2018:
- If you are using any end-of-life versions of gateways and runtimes, upgrade as soon as possible. Refer to the MuleSoft end-of-life (EOL) policies for details on supported runtime and gateway versions.
- For supported versions, check the TLS v1.0 deprecation article for details in case you need to apply a patch or update the configuration.
- Ensure that all your connections to the US Control Plane (anypoint.mulesoft.com) and the EU control plane (eu1.anypoint.mulesoft.com) APIs are via TLS v1.2 or v1.1.
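One way to verify the last action item from the client side, as an added example that is not MuleSoft's own code: it offers exactly one protocol version per handshake to the two control-plane hosts named above and reports whether TLS v1.0 is refused while TLS v1.2 is accepted. Port 443 is assumed; certificate and hostname verification stay on.

```python
import socket
import ssl

# Control-plane hosts named in the notice; port 443 is an assumption.
CONTROL_PLANES = ("anypoint.mulesoft.com", "eu1.anypoint.mulesoft.com")

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Client context that offers exactly one protocol version,
    with the default CA bundle and hostname checking left enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx

def probe(host, version, port=443, timeout=5.0):
    """Return (True, negotiated_version) if a handshake completes at
    exactly `version`, otherwise (False, reason)."""
    try:
        ctx = pinned_context(version)
    except ValueError as exc:  # local OpenSSL has this version compiled out
        return False, "local stack: %s" % exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)

def assess(results):
    """results maps a label such as "TLSv1.0" to the bool from probe().
    Post-cutoff expectation: TLS v1.0 rejected, TLS v1.2 accepted."""
    tls10_ok = results.get("TLSv1.0", False)
    tls12_ok = results.get("TLSv1.2", False)
    return {"tls10_rejected": not tls10_ok,
            "tls12_accepted": tls12_ok,
            "compliant": (not tls10_ok) and tls12_ok}

def check_host(host):
    """Probe every version in VERSIONS and assess the outcome."""
    return assess({label: probe(host, v)[0] for label, v in VERSIONS.items()})

if __name__ == "__main__":
    for host in CONTROL_PLANES:
        print(host, check_host(host))
```

Run it from the network segment your runtimes actually use, since an outbound proxy or inspection appliance can terminate TLS with a different version than the control plane itself.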
What is the issue?
For over 20 years Secure Sockets Layer (SSL) has been in the market as one of the most widely used encryption protocols ever released, and it remains in widespread use today despite the security vulnerabilities exposed in the protocol. Fifteen years ago, SSL v3.0 was superseded by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. Today, SSL and early TLS no longer meet minimum security standards because of protocol-level vulnerabilities for which there are no fixes. Related links for more information:
https://www.kb.cert.org/vuls/id/864643
https://www.howsmyssl.com/s/about.html
https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack
How serious is this issue?
It is critically important that entities upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS. SSL has been removed as an example of strong cryptography in the PCI DSS, and can no longer be used as a security control.
What is the actual risk?
SSL/TLS encrypts a channel between two endpoints (for example, between a web browser and web server) to provide privacy and reliability of data transmitted over the communications channel. Since the release of SSL v3.0, several vulnerabilities have been identified, most recently in late 2014 when researchers published details on a security vulnerability (CVE-2014-3566) that may allow attackers to extract data from secure connections. More commonly referred to as POODLE (Padding Oracle On Downgraded Legacy Encryption), this vulnerability is a man-in-the-middle attack where it’s possible to decrypt an encrypted message secured by SSL v3.0. The SSL protocol (all versions) cannot be fixed; there are no known methods to remediate vulnerabilities such as POODLE. SSL and early TLS no longer meet the security needs of entities implementing strong cryptography to protect payment data over public or untrusted communications channels. Additionally, modern web browsers will begin prohibiting SSL connections in the very near future, preventing users of these browsers from accessing web servers that have not migrated to a more modern protocol.
How are MuleSoft’s products impacted?
Currently, the default SSL/TLS protocol version for all MuleSoft products is TLS v1.0. MuleSoft will provide a matrix describing a multifaceted approach to deprecating TLS v1.0 and making TLS v1.2 the default.
Additional details can be found at TLS v1.0 Deprecation Support Article.