IBM figures out it takes longer than a week to re-wire software

New TLS 1.0 turnoff offers three months warning, reprieve if you'd rather remain insecure

By Simon Sharwood

IBM has announced it will again try to wean its cloud off the known-to-be-insecure TLS 1.0 and 1.1, but will also keep them available for some services.

Big Blue has to try again because its first attempt gave users just a week to prepare. Users quickly complained that was nowhere near enough time to set their houses in order. Some even missed the news and found the sudden change disruptive.

IBM therefore admitted that “not enough lead time was given to allow all customers to migrate off reliance on TLS 1.0” and confessed that “This removal of this support caused issues with code reliant on that support”. The company therefore turned TLS 1.0 and 1.1 off and turned it on again to set things right.

Now the company's set the date for the final cutover: Thursday, March 1, 2018, at 0900 UTC.

At that moment, Big Blue's email foreshadowed, “IBM Cloud will stop supporting TLS 1.0 and 1.1 on api.softlayer.com and api.service.softlayer.com … these API endpoints will only support callers using TLS 1.2 encryption levels or higher.”

The changeover will impact “[a]ny users with code or services that reference the softlayer.com API endpoints for IBM Cloud Infrastructure services with encryption levels older than TLS 1.2.”

“Successfully testing your code and services against these alternative endpoints means your code and services will work properly on the transition date,” IBM has advised.

But the company has also pledged a lifeline for those who absolutely must keep using old and bad versions of TLS. A troubleshooting guide says: “Some products and services are making alternate endpoints available that will continue to support TLS 1.0 and 1.1 after TLS 1.0 and 1.1 are removed from the primary endpoints.”

The Register imagines some users of those services must have such complex software that they just can't unpick it, because TLS 1.0 and 1.1 were smashed in the year 2011.

The algorithms remain very widely deployed and have proven hard to winkle out of every implementation. So much so that even in dangerous locations like point of sale where security is paramount, the PCI Council decided to extend the end-of-use date because of the massive effort required to upgrade or replace equipment.

IBM was likely aware of that extension, making it even odder that a company with its heritage in enterprise technology would think that a week is enough time to get the job done. ®
