Change in SSL configuration for web services and for the EPP service

Norid is preparing changes to the SSL configuration for all our regular web services and the EPP service.

The changes follow updated recommendations, which now state that SSL protocols lower than TLSv1.2 pose a security risk and should be phased out in Q1 2020. Further information is available in the references at the bottom.

Norid will follow the recommendations and change our services so that SSL protocols lower than TLSv1.2 will no longer be supported. Due to limitations in our underlying systems, TLSv1.3 will not be supported at this time. Only TLSv1.2 will be supported. Corresponding changes to cipher suites will also be made.

The configuration will be adjusted to follow the recommendations for Intermediate compatibility as described for TLSv1.2 at https://wiki.mozilla.org/Security/Server_Side_TLS.

The changes are rolled out in two tracks:

  • Regular web services: These are changed first. We assume that these are used from modern browsers, which have already supported TLSv1.2 for several years, and therefore we expect no problems with them.

    • The registrar test system has already been updated with the changes.
    • The production system will be updated with the changes on 2020-02-18, in the service window 08:00-10:00 CET.
  • EPP service: This will be updated over a longer time period as we see the possibility that EPP software used by some registrars may need minor customization in the SSL connection code. Therefore, the test system is updated with the changes first, and the production system will be updated approximately two months later.

    • The test system will be updated on 2020-02-18. All registrars should test their EPP software against the test system and ensure that it works.
    • The production system will be updated on 2020-04-21, in the service window 08:00-10:00.
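
One way a registrar could audit the TLS settings of a Python-based EPP client before connecting to the test system, as an added example that is not Norid's code. The function names are hypothetical, and the cipher list is the TLSv1.2 part of Mozilla's Intermediate profile as transcribed for this example, so verify it against the Mozilla page in the references.

```python
import ssl

# TLSv1.2 suites of Mozilla's "Intermediate" profile (OpenSSL names), transcribed
# for this example; check them against the Mozilla page before relying on them.
INTERMEDIATE_TLS12 = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-GCM-SHA384",
]
V = ssl.TLSVersion


def tls12_only_context():
    """Client context mirroring the announced server side: TLSv1.2 only."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = V.TLSv1_2
    ctx.maximum_version = V.TLSv1_2
    ctx.set_ciphers(":".join(INTERMEDIATE_TLS12))
    return ctx


def _rank(version):
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels, not protocol numbers.
    return {V.MINIMUM_SUPPORTED: 0, V.MAXIMUM_SUPPORTED: 0xFFFF}.get(version, int(version))


def audit_context(ctx):
    """List the reasons ctx could not negotiate with a TLSv1.2-only server."""
    problems = []
    if _rank(ctx.minimum_version) > int(V.TLSv1_2):
        problems.append("minimum version is above TLSv1.2")
    if _rank(ctx.maximum_version) < int(V.TLSv1_2):
        problems.append("maximum version is below TLSv1.2")
    offered = {c["name"] for c in ctx.get_ciphers()}
    if not offered & set(INTERMEDIATE_TLS12):
        problems.append("no cipher suite in common with the intermediate profile")
    return problems


if __name__ == "__main__":
    # A client pinned to TLSv1.3 only would be rejected, since TLSv1.3 is not offered.
    tls13_only = ssl.create_default_context()
    tls13_only.minimum_version = V.TLSv1_3
    for name, ctx in [("tls12_only", tls12_only_context()), ("tls13_only", tls13_only)]:
        print(name, audit_context(ctx) or "ok")
```

An empty result means the context's version range and cipher list are compatible with the announced configuration; the actual handshake against the test system remains the authoritative check.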

References:

https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html

https://wiki.mozilla.org/Security/Server_Side_TLS

https://ssl-config.mozilla.org

https://www.internet.nl/article/introducing-new-TLS-guidelines

https://english.ncsc.nl/publications/publications/2019/juni/01/it-security-guidelines-for-transport-layer-security-tls

Published 12 February 2020 • Last updated 3 April 2020