COMPLETED: Transport Layer Security (TLS) 1.0 and 1.1 are deprecated on all Symantec VIP URLs
search cancel

COMPLETED: Transport Layer Security (TLS) 1.0 and 1.1 are deprecated on all Symantec VIP URLs

book

Article ID: 245528

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

VIP service has disabled TLS 1.0 and 1.1 protocols on all VIP endpoints and APIs on Sept 22, 2023. Only TLS 1.2 and TLS 1.3 protocols are supported on VIP API URLs, including Enterprise Gateway and VIP Web Service API endpoints. TLS 1.2 is supported on VIP Web portals.

Resolution

Transport Layer Security (TLS) v1.0, 1.1, and 1.2 are security protocols for establishing encryption channels over computer networks. TLS v1.2 is the only supported TLS version on the VIP Web Portals, and TLS v1.2 and 1.3 is supported on the VIP API endpoints.  

TLS 1.2 and 1.3 are the supported protocols on the following VIP API endpoints:

  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • userservices.vip.symantec.com
  • goidservices-auth.vip.symantec.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com
  • api-auth.vip.symantec.com 
  • reporting-auth.vip.symantec.com
  • login.vip.symantec.com
  • messaging.vip.symantec.com
  • services-auth.vip.symantec.com/prov/soap

TLS 1.2 is the supported protocol on the following VIP Web URLs:

  • manager.vip.symantec.com (VIP Manager)
  • ssp.vip.symantec.com (VIP Self-Service Portal)
  • my.vip.symantec.com (My VIP)
  • vip.symantec.com (VIP token information)

What Cipher Suites are supported?

In preferred order:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

How can I be notified of any future VIP changes?
Receive notifications by subscribing to the Symantec VIP status page. Click Subscribe at the top of the page, select the delivery method, then select all sub-components under VIP. De-select other components if you don't want notifications from those products. (See: Signing up for VIP Service alerts

Additional Information

TESTING TLS 1.2 CONNECTIVITY

METHOD 1

Use Wireshark (or another packet capturing tool) to determine what protocol is used when your application connects to VIP Services:

  • Determine the VIP URL in the application and the IP address it resolves to. In this example, the VIP plugin for AD FS is calling userservices-auth.vip.symantec.com. The IP address can be anything in the 144.49.x.x range: 

  • Launch Wireshark. While capturing traffic, perform a successful VIP Authentication, then filter the results by the IP address.

    Sample of supported TLS 1.2:

 

 

Powered by Wolken Software