Apigee will deprecate TLS 1.0 and TLS 1.1 on July 31st (rescheduled from June 18th)
Apigee announced that the deprecation of support for the TLS 1.0 and TLS 1.1 protocols for HTTPS connections has been rescheduled. Starting on July 31st, 2018, both TLS 1.0 and TLS 1.1 will be disabled, and TLS 1.2 will be required.
Why are they making these changes?
Connections that use TLS 1.0 or TLS 1.1 are no longer considered secure by the security community. Therefore, Google is retiring the protocols across their entire product line, including Apigee. The change was scheduled to comply with the PCI Guidance starting June 30th. We have been included in the extension to July 31st since we have no payment activity through Apigee.
What actions do I need to take?
For API owners, no changes need to be made but you should work with your API’s consumers to ensure their client supports TLS 1.2. See details below. Your consumers should see no disruption to their API access as long as they support TLS 1.2. Active external consumers of the Dictionary, SMS Access Code, and LearningStudio APIs will be sent a notification of this change within the next 24 hours.
For API consumers, review your API client (i.e. API consumer application) configurations to determine what TLS versions are being used and take the necessary actions to migrate the client configurations to support TLS 1.2. Client versions below should see no disruption.
Client TLS 1.2 Support
- JDK 8 and above
- OpenSSL 1.0 and above
- .Net 4.7 and above using OS default
- Chrome 30 and above
- Firefox 31 and above
- IE 11
- Safari 7 and above on OSX
More version test details at https://www.ssllabs.com/ssltest/clients.html
If customers are using a TLS version less than 1.2, will their API calls fail after July 31st 2018?
Any calls made to API proxies hosted on Apigee using TLS 1.0 and TLS 1.1 will receive a handshake error. Starting on July 31st, 2018, both TLS 1.0 and TLS 1.1 will be disabled, and TLS 1.2 will be required.
When is the exact time that Apigee is going to effect this change?
The change will be rolled out across the Apigee global infrastructure throughout the day. Apigee has stated they will be unable to provide a time when the change will affect a particular organization or API. A notification will be sent out once their entire infrastructure is updated and we'll pass that information on.
Can we test the deprecation in a non-production environment prior to July 31st?
Unfortunately not. Google is enforcing the retirement on the north-facing infrastructure of their entire Apigee Edge product. This is upstream of their organization/environment structure, so all environments will be affected by any change. The recommendation is to verify that the client(s) you are using or support are TLS 1.2 compatible prior to June 18th to ensure no disruptions. See the test resource below.
- Client Test
- Endpoint: https://api-stage.pearson.com/TLSTest
- Successful response text: You have successfully connected
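A client-side check against the test resource above, added here as an example and not code from Pearson or Apigee: it pins a Python client to TLS 1.2 only, performs the handshake with normal certificate verification, and looks for the success text. The function names are assumptions; the endpoint and response text are the ones listed above. It exercises only Python's own TLS stack, so Java, .NET and browser clients need the equivalent check in their own runtime.

```python
import socket
import ssl
import urllib.request

# Endpoint and success text are taken from the page; all names below are assumed.
TEST_URL = "https://api-stage.pearson.com/TLSTest"
EXPECTED_TEXT = "You have successfully connected"


def local_tls_support():
    """Describe the TLS stack this interpreter is linked against (no network)."""
    return {"openssl": ssl.OPENSSL_VERSION, "has_tls1_2": ssl.HAS_TLSv1_2}


def tls12_only_context():
    """Client context pinned to exactly TLS 1.2, with normal certificate checks."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=10):
    """Handshake with TLS 1.2 only; report the negotiated version or the error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with tls12_only_context().wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        # Handshake, certificate and connection failures all land here.
        return {"ok": False, "error": f"{type(exc).__name__}: {exc}"}


def check_endpoint(url=TEST_URL, timeout=10):
    """GET the test endpoint over TLS 1.2 and look for the success text."""
    ctx = tls12_only_context()
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return EXPECTED_TEXT in body


if __name__ == "__main__":
    print(local_tls_support())
    result = probe("api-stage.pearson.com")
    print(result)
    if result["ok"]:
        print("success text present:", check_endpoint())
```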
Is this retirement associated with the current virtual host migration on Apigee?
The TLS retirement does address the security concerns that prompted our virtual host migration effort. Therefore, the virtual host migration has been suspended indefinitely. Unlike the virtual host migration, the July 31st change will not require SNI compatibility, although it is still recommended.
If we are not ready by the end of July, is there any possibility of postponing this change?
No postponements will be available. This is a security requirement that applies across Apigee’s multi-tenant platform, and they are unable to make exceptions.
Is there a way that we can identify our calls that use TLS version 1.0 or 1.1?
We will be working with Apigee on some additional logging to identify traffic using anything other than TLS 1.2 and will notify teams if the requests are associated with their API or client. However, we recommend that every consumer verify which client they are using to make API requests and evaluate that client's TLS configuration to ensure TLS 1.2 compatibility prior to July 31st, 2018.
What about plain HTTP connections?
API proxies that require HTTP connections will continue to work as is. If you are using HTTPS, you will be required to use TLS 1.2.
Who do I contact if I need more info or help?
If you have any questions or need assistance, you can contact us in the Apigee TLS Retirement Hipchat room or send an email to firstname.lastname@example.org. We apologize for any inconvenience this may cause, but appreciate your support.