IBM figures out it takes longer than a week to re-wire software

New TLS 1.0 turnoff offers three months warning, reprieve if you'd rather remain insecure

By Simon Sharwood, APAC Editor

Posted in Cloud, 29th November 2017 08:32 GMT

IBM has announced it will again try to wean its cloud off the known-to-be-insecure TLS 1.0 and 1.1, but will also keep them available for some services.

Big Blue has to try again because its first attempt gave users just a week to prepare. Users quickly complained that was nowhere near enough time to set their houses in order. Some even missed the news and found the sudden change disruptive.

IBM therefore admitted that “not enough lead time was given to allow all customers to migrate off reliance on TLS 1.0” and confessed that “This removal of this support caused issues with code reliant on that support”. The company therefore turned TLS 1.0 and 1.1 off and turned them on again to set things right.

Now the company's set the date for the final cutover: Thursday, March 1, 2018, at 0900 UTC.

At that moment, Big Blue's email foreshadowed, “IBM Cloud will stop supporting TLS 1.0 and 1.1 on api.softlayer.com and api.service.softlayer.com … these API endpoints will only support callers using TLS 1.2 encryption levels or higher.”

The changeover will impact “[a]ny users with code or services that reference the softlayer.com API endpoints for IBM Cloud Infrastructure services with encryption levels older than TLS 1.2.”

“Successfully testing your code and services against these alternative endpoints means your code and services will work properly on the transition date,” IBM has advised.

But the company has also pledged a lifeline for those who absolutely must keep using old and bad versions of TLS. A troubleshooting guide says: “Some products and services are making alternate endpoints available that will continue to support TLS 1.0 and 1.1 after TLS 1.0 and 1.1 are removed from the primary endpoints.”

The Register imagines some users of those services must have such complex software that they just can't unpick it, because TLS 1.0 and 1.1 were smashed in the year 2011.

The protocol versions remain very widely deployed and have proven hard to winkle out of every implementation. So much so that even in dangerous locations like point of sale, where security is paramount, the PCI Council decided to extend the end-of-use date because of the massive effort required to upgrade or replace equipment.

IBM was likely aware of that extension, making it even odder that a company with its heritage in enterprise technology would think that a week is enough time to get the job done. ®
