IBM figures out it takes longer than a week to re-wire software
New TLS 1.0 turnoff offers three months warning, reprieve if you'd rather remain insecure
IBM has announced it will again try to wean its cloud off the known-to-be-insecure TLS 1.0 and 1.1, but will also keep them available for some services.
Big Blue has to try again because its first attempt gave users just a week to prepare. Users quickly complained that was nowhere near enough time to set their houses in order. Some even missed the news and found the sudden change disruptive.
IBM therefore admitted that "not enough lead time was given to allow all customers to migrate off reliance on TLS 1.0" and confessed that “This removal of this support caused issues with code reliant on that support”. The company therefore turned TLS 1.0 and 1.1 off and turned it on again to set things right.
Now the company's set the date for the final cutover: Thursday, March 1, 2018, at 0900 UTC.
At that moment, Big Blue's email foreshadowed, “IBM Cloud will stop supporting TLS 1.0 and 1.1 on api.softlayer.com and api.service.softlayer.com … these API endpoints will only support callers using TLS 1.2 encryption levels or higher.”
The changeover will impact “[a]ny users with code or services that reference the softlayer.com API endpoints for IBM Cloud Infrastructure services with encryption levels older than TLS 1.2.”
“Successfully testing your code and services against these alternative endpoints means your code and services will work properly on the transition date,” IBM has advised.
But the company has also pledged a lifeline for those who absolutely must keep using old and bad versions of TLS: a troubleshooting guide says: "Some products and services are making alternate endpoints available that will continue to support TLS 1.0 and 1.1 after TLS 1.0 and 1.1 are removed from the primary endpoints."
The Register imagines some users of those services must have such complex software that they just can't unpick it, because TLS 1.0 and 1.1 were smashed in the year 2011.
The algorithms remain very widely deployed and have proven hard to winkle out of every implementation. So much so that even in dangerous locations like point of sale where security is paramount, the PCI Council decided to extend the end-of-use date because of the massive effort required to upgrade or replace equipment.
IBM was likely aware of that extension, making it even odder that a company with its heritage in enterprise technology would think that a week is enough time to get the job done. ?