We are introducing a Web Application Firewall (WAF) and additional protection against Denial-of-Service attacks. This protection will be provided through Cloudflare and we will be switching the inbound IP addresses used by OneSpan Sign to IP addresses of Cloudflare.
At the same time, we will be enhancing the TLS cipher suites supported by OneSpan Sign. Transport Layer Security (TLS) is a protocol that protects the confidentiality and integrity of data exchanged between OneSpan Sign and customers. This change will take place together with the changes made to our Environment URLs & IP Addresses. For more information on these changes, see Environment URLs & IP Addresses.
The following cipher suites will be supported:
TLS 1.2 cipher suites
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-SHA384
- AES128-GCM-SHA256
- AES128-SHA256
- AES256-GCM-SHA384
- AES256-SHA256
TLS 1.3 cipher suites
- TLS13-CHACHA20-POLY1305-SHA256
- TLS13-AES-256-GCM-SHA384
- TLS13-AES-128-GCM-SHA256
What do I need to do?
We recommend that you work with your IT team immediately to upgrade your integration framework to the latest security library supporting the above-mentioned TLS versions and cipher suites. Once completed, please test your OneSpan Sign Sandbox environment to ensure that all TLS communications are working properly. This is an important step that ensures that your organization does not encounter service disruptions:
Transport Layer Security (TLS) is a protocol that provides privacy and data integrity between two communicating applications. It is the most widely used security protocol for web browsers and other applications that require secure data exchange over a network. Through encryption and endpoint-identity verification, TLS ensures that the remote endpoint of a connection is indeed the intended endpoint.
As explained in the next section, OneSpan Sign no longer supports the 1.0 and 1.1 versions of TLS.
TLS 1.2 is now the minimum appropriate transport protocol, and TLS 1.3 is strongly recommended.
TLS 1.0 & 1.1 No Longer Supported
Over time, many TLS 1.0 and TLS 1.1 vulnerabilities were uncovered and exploited by attackers. Therefore, TLS 1.0 and TLS 1.1 are no longer considered secure protocols.
Version 2.1 of the OneSpan Sign works only with TLS 1.2.
Security and trust are at the heart of OneSpan Sign's business. To align with industry best practices, we have therefore dropped support for TLS 1.0 and 1.1.
The following table shows when TLS 1.0 was disabled in various OneSpan Sign environments:
| | U.S. (10.x) | U.S. (11.x) | Canada | Europe | Australia |
|---|---|---|---|---|---|
| Sandbox | 4 June 2018 | 4 June 2018 | 4 June 2018 | N/A | N/A |
| Production | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 |
TLS 1.1 was disabled in OneSpan Sign's environments on the following dates:
- Sandbox: March 20 to May 11, 2020
- Production: June 2 to June 16, 2020
Because OneSpan Sign has disabled TLS 1.0 and 1.1, customers who use those protocols can no longer access OneSpan Sign's e-signature services.
Accordingly, you should already have transitioned your environment to drop TLS 1.0 and 1.1, and enable support for TLS 1.2 or 1.3. You can achieve this by upgrading to the latest Java or .NET environment (and, if you are running an older Microsoft Windows version, by applying the necessary service packs).
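Before testing against the Sandbox, a client's offered cipher suites and highest TLS version can be compared with the lists on this page. The following is an added example, not OneSpan code: the function names and sample offers are constructed, and the mapping of the page's TLS13-* names to current OpenSSL names is an assumption.

```python
import ssl

# TLS 1.2 suites copied from the list on this page (OpenSSL-style names).
TLS12_SUITES = {
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES256-GCM-SHA384", "AES256-SHA256",
}
# Assumption: the page's TLS13-* names correspond to these current OpenSSL names.
TLS13_SUITES = {
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_AES_128_GCM_SHA256",
}

def check_offer(offered, max_version):
    """Compare a client's offer with the supported lists.

    offered: iterable of OpenSSL-style cipher names the client sends.
    max_version: highest TLS version the client speaks, e.g. (1, 2).
    """
    offered = list(offered)
    shared12 = [s for s in offered if s in TLS12_SUITES] if max_version >= (1, 2) else []
    shared13 = [s for s in offered if s in TLS13_SUITES] if max_version >= (1, 3) else []
    return {
        "can_connect": bool(shared12 or shared13),
        "tls12": shared12,
        "tls13": shared13,
        # Static-RSA suites (no ECDHE prefix) provide no forward secrecy.
        "forward_secret": shared13 + [s for s in shared12 if s.startswith("ECDHE-")],
    }

def local_offer():
    """Suites and highest version offered by this Python/OpenSSL build."""
    ctx = ssl.create_default_context()
    names = [c["name"] for c in ctx.get_ciphers()]
    return names, ((1, 3) if ssl.HAS_TLSv1_3 else (1, 2))

# Constructed sample offers (not captured from real clients).
LEGACY = (["ECDHE-RSA-AES128-SHA", "AES128-SHA", "DES-CBC3-SHA"], (1, 1))
STATIC_RSA_ONLY = (["ECDHE-RSA-AES128-SHA", "AES256-SHA256"], (1, 2))

if __name__ == "__main__":
    samples = {"legacy": LEGACY, "static-rsa-only": STATIC_RSA_ONLY,
               "this host": local_offer()}
    for label, (names, version) in samples.items():
        print(label, check_offer(names, version))
```

`local_offer()` inspects only the OpenSSL build behind this Python interpreter; for a Java or .NET integration, pass that runtime's enabled suites (converted to OpenSSL-style names) to `check_offer()` instead.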
For further information, please consult the following articles:
Browser Compatibility
To ensure that your internet browsers are compatible with the supported versions of TLS, please consult this page.