TLS 1.0 and 1.1 Protocol Shutdown
Important
This notice does not currently apply to clients accessing Serpro's API via INFOCONV or ConectaGov.
We are implementing an important update to our security infrastructure to ensure data integrity and protect our API users.
Serpro has been using the TLS 1.3 security protocol since April 2024, and as of October 31, 2024, support for the TLS 1.0 and 1.1 security protocols will be disabled on our API gateway (gateway.apiserpro.serpro.gov.br).
This decision is driven by several essential factors to preserve the security of our services and ensure compliance with the latest industry security standards.
Transport Layer Security (TLS) is a security protocol designed to secure communications over a computer network. Various versions of the protocol are widely used in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to protect all communications between their servers and web browsers, primarily aiming to provide data privacy and integrity between two or more communicating computer applications.
TLS 1.0 has been in use for over 20 years and TLS 1.1 for 14 years, a sufficient period for hackers to identify their vulnerabilities, such as the BEAST attack (Browser Exploit Against SSL/TLS). Moreover, these versions use weak cryptographic hash algorithms such as MD5 and SHA-1, which create a favorable environment for SLOTH attacks (Security Losses from Obsolete and Truncated Transcript Hashes).
The deployment of WAF technology itself brings more up-to-date encryption technologies and blocks the use of obsolete protocol versions. Furthermore, relying on TLS 1.0/1.1 prevents the adoption of newer browsers, since fewer browsers support these outdated versions, which exposes users to further security risks.
Therefore, versions 1.1 and 1.0 will be deactivated and replaced by the current protocol version, 1.3, as defined in RFC 8446 (August 2018).
To ensure a smooth transition with minimal business impact, we recommend that you begin planning the upgrade to TLS 1.3 immediately (note: version 1.3 is the recommended option, but if necessary, version 1.2 will still be available and can be used).
Important
Clients still using TLS 1.0 and 1.1 protocols will not be able to integrate with services after October 31, 2024.
To assist with the migration process, we have assessed migration impacts for those using the following programming languages:
- Dotnet
- Node.js
- Python
- PHP
- Java
Testing Protocol 1.3
Our servers are already configured to use TLS 1.3. To test, simply send a request using this protocol and analyze the result.
Note
The gateway environment is production. However, if the API your company accesses has a staging environment and you have access (keys), you may test there. Otherwise, you may use the production API with existing access.
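One way to run the test described above, as an added example that is not Serpro's own code: a Python client pinned to a single TLS version that reports what the gateway negotiates, with certificate and hostname verification left on. The hostname is the one given in this notice; port 443 and the function names are assumptions.

```python
import socket
import ssl

# Hostname taken from the notice; the port (443) is an assumption.
GATEWAY = "gateway.apiserpro.serpro.gov.br"

# Versions the notice says remain available after the shutdown.
SUPPORTED = {"TLSv1.3": ssl.TLSVersion.TLSv1_3, "TLSv1.2": ssl.TLSVersion.TLSv1_2}


def pinned_context(version_name):
    """Client context that can negotiate only the named TLS version."""
    if version_name not in SUPPORTED:
        raise ValueError(f"unsupported after shutdown: {version_name}")
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = SUPPORTED[version_name]
    ctx.maximum_version = SUPPORTED[version_name]
    return ctx


def probe(host, version_name, port=443, timeout=10.0):
    """Attempt one handshake; return (ok, detail) instead of raising."""
    ctx = pinned_context(version_name)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # version() and cipher() describe what was actually negotiated.
                return True, f"{tls.version()} / {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        # Raised when the local OpenSSL build or the server rejects this version,
        # or when certificate validation fails.
        return False, f"handshake failed: {exc.reason or exc}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


def report(host):
    """Probe every version that stays enabled and collect the results."""
    return {name: probe(host, name) for name in SUPPORTED}


if __name__ == "__main__":
    for name, (ok, detail) in report(GATEWAY).items():
        print(f"{name}: {'OK' if ok else 'FAIL'} - {detail}")
```

A failed TLSv1.3 line alongside a successful TLSv1.2 line points to a client runtime or OpenSSL build that needs upgrading rather than a problem on the gateway side.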
For questions or further clarification, please contact us via email at duvidas.tls@serpro.gov.br.
Created: November 11, 2024