
IBM figures out it takes longer than a week to re-wire software

New TLS 1.0 turnoff offers three months warning, reprieve if you'd rather remain insecure

By Simon Sharwood


IBM has announced it will again try to wean its cloud off the known-to-be-insecure TLS 1.0 and 1.1, but will also keep them available for some services.

Big Blue has to try again because its first attempt gave users just a week to prepare. Users quickly complained that was nowhere near enough time to set their houses in order. Some even missed the news and found the sudden change disruptive.

IBM therefore admitted that "not enough lead time was given to allow all customers to migrate off reliance on TLS 1.0" and confessed that "This removal of this support caused issues with code reliant on that support". So the company turned TLS 1.0 and 1.1 off and then back on again to set things right.

Now the company's set the date for the final cutover: Thursday, March 1, 2018, at 0900 UTC.

At that moment, Big Blue's email foreshadowed, “IBM Cloud will stop supporting TLS 1.0 and 1.1 on api.softlayer.com and api.service.softlayer.com … these API endpoints will only support callers using TLS 1.2 encryption levels or higher.”

The changeover will impact “[a]ny users with code or services that reference the softlayer.com API endpoints for IBM Cloud Infrastructure services with encryption levels older than TLS 1.2.”

“Successfully testing your code and services against these alternative endpoints means your code and services will work properly on the transition date,” IBM has advised.

But the company has also pledged a lifeline for those who absolutely must keep using old and bad versions of TLS: a troubleshooting guide says: "Some products and services are making alternate endpoints available that will continue to support TLS 1.0 and 1.1 after TLS 1.0 and 1.1 are removed from the primary endpoints."
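Two checks a practitioner would want before the March 1 cutover are whether their own client can negotiate TLS 1.2 with the endpoints IBM named, and whether a given endpoint (primary or alternate) still accepts TLS 1.0 and 1.1. The probe below is an added example, not IBM's tooling; it pins one protocol version per handshake using the Python standard library, and it assumes port 443 and a 5 second timeout. Note that modern OpenSSL builds refuse to offer TLS 1.0 and 1.1 at all, so the probe distinguishes "my library would not offer it" from "the server rejected it".

```python
import socket
import ssl

# Endpoints quoted in the article. Port 443 and the timeout are assumptions.
ENDPOINTS = ("api.softlayer.com", "api.service.softlayer.com")
VERSIONS = (("TLS 1.0", ssl.TLSVersion.TLSv1), ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
            ("TLS 1.2", ssl.TLSVersion.TLSv1_2), ("TLS 1.3", ssl.TLSVersion.TLSv1_3))

def pinned_context(version):
    """Client context that offers exactly one protocol version.
    Certificate verification stays on so the probe exercises the real endpoint."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    return ctx

def classify(exc):
    """Label a failed handshake. 'unavailable_locally' means our own TLS library
    refused to offer the version, which proves nothing about the server."""
    text = f"{getattr(exc, 'reason', '')} {exc}".upper()
    if "NO_PROTOCOLS_AVAILABLE" in text:
        return "unavailable_locally"
    return "rejected"

def probe(host, port=443, timeout=5.0):
    """Attempt one handshake per version; return {label: outcome}."""
    results = {}
    for label, version in VERSIONS:
        try:
            ctx = pinned_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = f"accepted ({tls.version()}, {tls.cipher()[0]})"
        except (ssl.SSLError, ValueError) as exc:
            results[label] = classify(exc)
        except OSError as exc:
            results[label] = f"error: {exc}"
    return results

def assess(results):
    """client_ok: TLS 1.2 negotiated, so a client pinned to it survives the cutover.
    legacy_closed: both old versions were rejected by the server itself."""
    client_ok = results.get("TLS 1.2", "").startswith("accepted")
    legacy_closed = all(results.get(v) == "rejected" for v in ("TLS 1.0", "TLS 1.1"))
    return {"client_ok": client_ok, "legacy_closed": legacy_closed}

if __name__ == "__main__":
    for host in ENDPOINTS:
        res = probe(host)
        print(host, res, assess(res))
```

Run it against an alternate endpoint as well to confirm which of them still honours the old versions, rather than assuming from the guide alone.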

The Register imagines some users of those services must have such complex software that they just can't unpick it, because TLS 1.0 and 1.1 were smashed in the year 2011.

The protocol versions remain very widely deployed and have proven hard to winkle out of every implementation, so much so that even in high-risk settings like point of sale, where security is paramount, the PCI Council decided to extend the end-of-use date because of the massive effort required to upgrade or replace equipment.

IBM was likely aware of that extension, making it even odder that a company with its heritage in enterprise technology would think that a week is enough time to get the job done. ®
