Wait. What? The IBM cloud's APIs use insecure TLS1 crypto?
It's got an end-of-life date, though – next Tuesday
An email has gone out from IBM about its Bluemix cloud: after next Tuesday, the SoftLayer APIs will no longer accept connections encrypted with the ancient TLS 1.0.
It's not quite a surprise that the 1990s-era protocol was still accepted: a great many services are still midway through their deprecation plans.
To give just one example, Salesforce began its phase-out of TLS 1.0 in production instances on July 22, 2017.
And the PCI Council, which had originally wanted TLS 1.0 gone last year, had to extend its deprecation date to 30 June, 2018 (and it's still blogging early warnings for members, in case they're still failing to catch up).
In the Bluemix email, IBM notes: "There should be no impact to customers using a modern web client. This notification is intended to be informative only."
The two services affected by the deprecation are api.softlayer.com and api.service.softlayer.com – so there's another community that's got to pay attention, namely developers who wrote to the APIs and used TLS 1.0 to secure their API access.
TLS 1.0 has long been known as insecure, as far back as 2011 when it was bitten by the BEAST exploit. ®