Does your DocuSign API integration or Connect listener use TLS 1.0? If so, then you must update it by June 25, 2018 or it will stop working with DocuSign.

Background

The bedrock of internet security is the SSL/TLS family of transport-level encryption protocols. As information security engineering has progressed, the protocols have been improved, updated, and, as appropriate, deprecated.

The current standard, TLS 1.2, was published in August of 2008. DocuSign no longer accepts protocol versions before TLS 1.0. Starting in June, DocuSign will no longer accept or use TLS 1.0 or weak TLS ciphers:

| Environment | TLS v1.0 and weak cipher End of Life date |
|---|---|
| Developer Sandbox (Demo) | May 29, 2018 |
| Production | June 25, 2018 |

Why is the change necessary?

Ending support for TLS 1.0 and weak TLS ciphers by June 25, 2018 has been mandated by the PCI Security Standards Council and is an industry requirement to remain PCI compliant. In addition, DocuSign is committed to security, and an important part of our commitment is deprecating support for technologies that put our customers at risk. Advances in computing power, along with cloud computing, mean that TLS 1.0 and certain TLS ciphers are now considered weak, breakable, and insecure.

Upgrade now to TLS v1.2

Now is the time to upgrade any DocuSign API applications to TLS v1.2. While TLS v1.1 is okay for now, we strongly recommend that you use the current standard, TLS v1.2.

When upgrading your servers to TLS v1.2, you will need to check and update:

  • Any applications that make API calls to the eSignature DocuSign REST or SOAP APIs.
  • Any Connect or eventNotification listeners (servers) that receive calls from DocuSign using either default or SOAP-formatted notification messages.

Checking TLS v1.2 compliance

TLS is handled by the transport layer of your software stack. You can check your software stack’s TLS v1.2 compatibility by researching it on its publisher’s web site. The DocuSign Support page also lists TLS compliance information about many popular software stacks.

Client application compliance can be checked dynamically by writing a test program which calls the Client test page from Qualys. Your test program should store the page’s response in a file so you can view it.
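A sketch of such a test program, added here as an example (it is not DocuSign or Qualys code). It pins the client to TLS 1.2 or newer, reports what a handshake negotiates, and stores the test page's response in a file. The function names, the command-line usage, and the URL and host passed on the command line are assumptions you supply yourself.

```python
import socket
import ssl
import sys
import urllib.request

# Policy as stated in this post: TLS 1.0 and older are refused,
# TLS 1.1 is okay for now, TLS 1.2 is the recommended version.
POLICY = {"SSLv3": "refused", "TLSv1": "refused",
          "TLSv1.1": "okay for now", "TLSv1.2": "recommended"}

def classify(version):
    """Rate a protocol name as returned by SSLSocket.version()."""
    return POLICY.get(version, "not covered by this post")

def strict_context():
    """Client context that verifies certificates and refuses < TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def negotiated(host, port=443, ctx=None):
    """Handshake with host; return (protocol, cipher) actually negotiated."""
    ctx = ctx or strict_context()
    with socket.create_connection((host, port), timeout=15) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

def fetch_and_save(url, out_path, ctx=None):
    """GET url with the strict context and store the body for review."""
    with urllib.request.urlopen(url, context=ctx or strict_context(),
                                timeout=15) as resp:
        body = resp.read()
    with open(out_path, "wb") as fh:
        fh.write(body)
    return len(body)

if __name__ == "__main__":
    # Assumed usage: python tls_check.py <client-test-page-URL> <api-host> <out-file>
    url, host, out = sys.argv[1:4]
    try:
        proto, cipher = negotiated(host)
        print(host, proto, cipher, "->", classify(proto))
        print("saved", fetch_and_save(url, out), "bytes to", out)
    except OSError as exc:
        # An ssl.SSLError here means this stack could not complete a
        # TLS 1.2 handshake; other OSErrors are network problems.
        print("check failed:", repr(exc))
        sys.exit(1)
```

Run it from the same runtime and host that your integration uses, since the result reflects that machine's TLS library rather than your code.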

Server applications used to receive Connect and eventNotification messages can be tested with the Server test page from Qualys. A list of other server test pages is also available. You will need to disable any IP white lists and Mutual TLS checks when using a test page to interrogate your server.

More information is available from DocuSign Support.

See you in San Francisco

I’ll be speaking at the DocuSign Momentum conference in San Francisco, June 20-21. We will have special tracks and programs for developers. Join me! Full details are available on the Momentum web site.
