TLS v1.0 Deprecation
On June 30th, 2018, SparkPost will disable TLSv1.0 fallback across all of our systems. TLSv1.0 (and SSLv3 before it) has protocol-level weaknesses that directly affect the confidentiality and integrity of your communications, and those weaknesses cannot be patched away in implementations of these older versions. As long as your connections negotiate TLSv1.1 or later, this change will have no impact on your use of our service. If a connection is made using TLSv1.0, however, the handshake will fail and the client will be unable to connect to our API and SMTP endpoints. To avoid any disruption to existing processes, verify that your clients (HTTP libraries, SMTP relays and the TLS stacks beneath them) support TLSv1.1 and/or TLSv1.2 and are not pinned to SSLv3 or TLSv1.0.
The reason we are making this change is twofold:
- It allows us to ensure that traffic to and from our systems is further protected from malicious actors trying to intercept and analyze it.
- It meets an upcoming PCI DSS deadline (of June 30th, 2018).
PCI DSS v3.1 states that SSL and early TLS (TLSv1.0, and TLSv1.1 in certain configurations) are no longer considered strong cryptography, so continuing to accept them would violate requirements 2.2.3, 2.3 and 4.1. This includes removing the ability to fall back to insecure protocol versions or weak ciphers. Failure to comply with PCI DSS v3.1 may affect e-commerce and other related processes.
TLSv1.2 has been supported on our endpoints for some time and is negotiated whenever the connecting client offers it. We have continued to accept older protocol versions in order to support clients that relied on them; by disabling SSL and early TLS fallback, however, we make it impossible for these weaker protocols to be negotiated at all, which removes downgrade-based man-in-the-middle attacks such as POODLE in 2014, which depended on forcing a connection back onto SSLv3.