TL:DR; Support for TLS 1.0 and 1.1 will end on Compose on March 1st, 2018. All users of Compose SSL-enabled services are affected.
TLS 1.0 and 1.1 are going away on Compose. As part of an IBM Cloud-wide clear out of the older encryption protocols, on March 1st, 2018, all TLS 1.0 and 1.1 support will be turned off, never to return. That's why we are announcing the change now so customers have plenty of time to upgrade their connections.
Myth: "This doesn't affect us. We use SSL."
It does affect you. SSL was the original name for secure connections on the web but it seamlessly merged with its replacement, TLS and eventually, all the SSL schemes were retired. Treat SSL as a synonym for TLS. At Compose, we still badge services as using SSL, despite the connections actually being TLS, because of that recognition.
Affected services will include Compose's MongoDB, Elasticsearch, PostgreSQL, Redis, RethinkDB, Scylla, RabbitMQ, etcd3, MySQL and JanusGraph where SSL/TLS connections are available and, generally, the default.
Why force an upgrade?
Although no holes have been opened in TLS 1.0 and 1.1, best practice and doubts about their resilience dictate that they need to be retired. There's an industry-wide movement to see them taken out of circulation and to get everyone onto TLS 1.2.
As an aside, TLS 1.3 is currently in draft and this makes it a good time to ensure your connection security is upgradable, ready for when TLS 1.3's faster handshaking and simpler protocol hits the mainstream.
Myth: "This is unprecedented..."
Actually, We've been here before at Compose. Back in April 2016, we removed support for TLS 1.0 connections. This was on the back of a number of security organizations declaring that TLS 1.0 just wasn't good enough for secure communications on the web. That included the PCI Compliance group who removed TLS 1.0 from their list of compliant protocols.
Unfortunately, not everyone was ready to improve their security that time around. So, TLS 1.0 was temporarily restored for users after complaints that a number of drivers were failing to connect because they only supported TLS 1.0. That's left us in 2017 with TLS 1.0 still enabled.
By being part of the IBM Cloud-wide initiative, we aim to ensure your connections to our services are as secure they can be. Over the coming months, we'll be detailing ways you can verify your connections are using TLS 1.2, including how to disable TLS 1.0 and 1.1 usage in your applications. At the same time, we'll be counting down to the big shutdown on March 1st 2018. Remember, Compose will be here to help you make the transition.
Read more articles about Compose databases - use our Curated Collections Guide for articles on each database type. If you have any feedback about this or any other Compose article, drop the Compose Articles team a line at email@example.com. We're happy to hear from you.
attribution Christopher Burns