Decommission of TLSv1.0 and v1.1 - Rackspace Customer Identity API Endpoint
by Marc Nourani Director, Global Service Operations, Rackspace Technology
Rackspace will perform a Service Disrupting maintenance in our ORD1, SYD2, LON3, DFW3 and HKG5 data centers between 15 August 2023 at 09:00 CDT and 15 August 2023 at 11:00 CDT (between 15 August 2023 at 14:00 UTC and 15 August 2023 at 16:00 UTC). During this maintenance, Rackspace will test decommission of TLS versions prior to version 1.2 on the Rackspace Customer Identity API endpoint: identity.api.rackspacecloud.com. During this maintenance, systems which communicate via TLS versions 1.0 and 1.1 will lose connectivity to this endpoint. Rackspace has identified a small number of customers using these versions to connect to the Rackspace Customer Identity API endpoint and has communicated to those customers via ticket.
As of 31 August 2023, Rackspace will permanently disable TLS versions prior to 1.2 on the Rackspace Customer Identity API endpoint: identity.api.rackspacecloud.com. We are making this change as part of an overall strategy to modernize all Rackspace systems to TLS 1.3. Due to both evolving regulatory requirements and security vulnerabilities in previous versions of TLS, we will initially phase out any versions prior to TLS 1.2. Following this change, connecting systems must support TLS version 1.2 at minimum to connect to Rackspace Customer Identity.
What is TLS?
Transport Layer Security (TLS) is a security protocol for establishing encrypted communication channels over computer networks, protecting almost all Web traffic. Older versions of this protocol (prior to 1.2) are vulnerable to attacks that could compromise data sent over the network.
Rackspace recommends that customers completely remove all TLS support prior to version 1.2 from their environments and begin planning to move to TLS 1.3. However, for purposes of this update, at minimum, customers must ensure that any systems or software connecting to Rackspace Customer Identity support TLS 1.2 at minimum.
What endpoint is involved?
Identity.api.rackspacecloud.com (and subdomains)
How can Rackspace help?
While our engineers are not in a position to directly support individual customer configurations, we can provide guidance on general industry best practices. The required TLS 1.2 upgrade will most commonly affect customers connecting to the API programmatically from their middleware application stack. The changes needed to upgrade for TLS 1.2 compatibility must be performed by the customer's application engineers. Because TLS 1.2 was standardized in 2008, many systems which follow normal patching policies are likely already up to date and not in scope for this issue. Nevertheless, we've included below additional resources for some systems that may require updates to comply with this updated standard.
Engineers do not anticipate any issues for those customers utilizing technology newer than 2017 and current on patching. Consider the following as minimum compatible system baselines:
- .NET Framework: version 4.6.2 is the base version that supports TLS 1.2 (as of Aug 2016). Note: a few earlier variants do not appear to be actively supported. For example, e.g., 4.5.1 and 4.5.2 can support TLS 1.2 with specified KBs (patches) installed.
- Microsoft SQL Server 2016 and later supports TLS 1.2. Older SQL clients may require special KBs (which were likely included in patching rollups) to load.
- Microsoft Windows Server 2012 and 2012 R2 will support TLS 1.2 with specified KBs that were released in June 2017. If you have patched since that time, it's likely the update was included in specified updates or in patching rollups.
- Microsoft Windows Server 2016, 2019 and 2022: all support TLS 1.2
- Azure: should be unaffected due to the use of newer technology. While there are potential hurdles in Azure, these are unlikely and easy to fix (e.g., upgrading the .NET Framework used). Note: client VMs on Azure must also be up to date.
Hosts will generally be up to date if they have recent patching, as all will be using the system-wide OpenSSL/GnuTLS libraries. If not, generally, solution "update OpenSSL and/or GnuTLS packages. If the overall distribution version isn't new enough to have recent packages, update that as well". Assuming the software version is recent enough, solutioning may require some configuration (e.g., the support for TLS 1.2 is present, but disabled).
If an in-house/third-party package is doing TLS using its own libraries (or a bespoke installation in its own directory, etc.), the team responsible for that package should be engaged to investigate further.
Mozilla’s online SSL configuration tool (https://ssl-config.mozilla.org/) can help with configuration settings. While it's maintained by Mozilla, the tool is widely applicable to many software packages, not just Firefox.