TLS 1.0 is being deprecated. What does this mean, and what do I need to do to be ready?
As some of you will already be aware, TLS 1.0 is being deprecated in favour of the more secure TLS 1.2 (and to a lesser extent, TLS 1.1). The deadline for switching over to newer versions of TLS is 30th June 2018, and as such a number of providers including payment gateways are sending out emails to this effect. This can be a bit confusing, so let's break it down for you.
What's TLS, then?
TLS 1.0 is the original version of the TLS protocol, and is also known as SSL. The term "SSL" has been appropriated since to refer to any version of the TLS protocol in that it provides encryption between two points - most often your browser and the website you're visiting. SSL is also used when communicating between your server and other servers when you have secure integrations such as your payment gateway
Wait, so there's more than one place TLS is used? Which one do I need to fix?
Well, both. Ideally you want to only accept the newer versions of TLS when your site is being accessed by users, but the notifications you're seeing from the payment gateway providers are referring to the server-to-server communication. Those providers have updated their systems to reject TLS 1.0 requests and only accept the newer versions, and as such are contacting you to make sure that your server is able to communicate with these newer versions.
So how do I check this?
For the user side, you can test with your local web browser. For example, in Chrome you can go to your website, open up the developer console (Ctrl-Shift-I in Windows) then select the Security tab. If you see "Connection - secure (strong TLS 1.2)" then you're good to go. You can also use a site like Qualys' SSL Labs to check your site for TLS support as well as any other SSL-related issues.
For the server to server side (when testing for payment gateways) you'll need to log into the server and connect out. One way that works well is using curl to connect to How's My SSL:
You'll see a big block of code with a lot of detail, but the part you want is at the end. Look for "tls_version" - if it says "TLS 1.2" next to it you're using the latest version. If it says TLS 1.0, you'll likely need some updates on your server to get up to spec.
What about managed servers?
If you're managed, we're doing this for you wherever possible. In some cases an upgrade will be required and we're contacting customers in this scenario. For Cloud Containers (both managed and unmanaged), we'll be rolling out an update to cover this over the next few weeks.
This covers the basics of the TLS update. If you're in doubt about any of this or have any questions about your setup in particular, please send us an email and we'd be happy to help out.