Security Advisory- Deprecation of Obsolete TLS 1.0 and TLS 1.1 Versions – Updated April 16, 2019
Subject: Deprecation of Obsolete TLS 1.0 and TLS 1.1 Versions – Updated April 16, 2019
Overview
Transport Layer Security (TLS) is a critical cryptographic protocol that provides authentication and data encryption between different endpoints (for example, the user’s desktop and the application server) and secures HTTPS. To best safeguard this Web traffic, it is important to use current and more secure versions of the TLS protocol. The legacy TLS 1.0 and 1.1 versions, which date back to 1999, account for a very small percentage of Web traffic today, and various vulnerabilities (such as POODLE and DROWN) have been found in these legacy versions in recent years. TLS 1.2 was published in 2008 to address weaknesses in TLS 1.0 and 1.1 and has enjoyed wide adoption since then.
With the recent finalization of TLS 1.3 by the IETF in August 2018, Apple, Google, Microsoft, and Mozilla announced the end of support for TLS 1.0 and 1.1 in Chrome, Edge, IE, Firefox, and Safari. In line with these industry standards, Ex Libris will deprecate TLS 1.0 and TLS 1.1.
This change - together with similar actions from Microsoft, Apple, Google, and Mozilla - support better performance, more secure connections, and helps advance a safer Web experience.
We understand that the security of your data is important, and we are committed to transparency about changes that may affect your use of the TLS service.
After Ex Libris deprecates TLS 1.0 and TLS 1.1, any inbound or outbound connections that rely on these protocols will fail.
| Product | Effective Date |
|---|---|
| campusM | Completed |
| Pivot | Completed |
| 360 | Completed |
| Alma | May 31, 2019 |
| Primo | |
| Leganto | |
| Summon | |
| Aleph | |
| Voyager | |
| Rosetta | |
| Research Professional | June 30, 2019 |
| SFX | July 31, 2019 |
| Ex Libris Websites | August 31, 2019 |
| RefWorks | June 01, 2021 |
Affected Systems
All systems and products that use SSL certificates are affected by this change.
Additional Information
You can find additional information on TLS at:
Required Configurations for Hosted Systems
Ex Libris will deploy the required configuration to all Ex Libris cloud servers.
Required Configurations for On-Premise/Local Systems
Ex Libris recommends that customers with on-premise/local systems follow their server vendor’s instructions and disable TLS 1.0 and TLS 1.1.
For customers using load balancer, follow your vendor’s instructions.
For customers using Apache SSL configuration, see Ex Libris best practice for TLS configuration in Apache.