PCI Mandate

Important! As part of implementing the TLS 1.2 PCI Mandate, Sabre disabled non-compliant security protocols in all environments as of June 30, 2018. Please take note of the following scheduled changes as they relate to disabling weak cipher suites in support of the PCI Mandate.

As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. When an external application connects to Sabre using Sabre APIs (Sabre Web Services), it uses HTTPS based on TLS 1.2 with support for the cipher suites listed below. Some of these cipher suites have known vulnerabilities: Sweet32 against the 3DES suites (a consequence of their 64-bit block size) and ROBOT against the suites that use static RSA key exchange. An attacker on the network path could use them to recover or tamper with data in transit.


Action Required: All application owners using Sabre APIs are asked to validate that their application supports one or more of the preferred cipher suites below (first table) and is not dependent upon any of the weaker cipher suites (second table).


The following tables show the complete set of cipher suites currently supported. The first table lists the preferred strong cipher suites; the second lists the weak cipher suites that will be discontinued.

The process to remove the weak cipher suites will be conducted in two phases, one for the non-production endpoints (TSTS & CERT) and one for the production endpoints (PROD):

  • Non-Prod: November 28, 2018 1:00PM CST
  • Prod: March/April, 2019 (exact date to be defined)

Preferred cipher suites (in server preference order):

 #  ID        Suite name (OpenSSL)      Key exch.  Cipher  MAC     Bits  Cipher suite name (RFC)
 1  [0x6b]    DHE-RSA-AES256-SHA256     DH         AES     SHA256  256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 2  [0x39]    DHE-RSA-AES256-SHA        DH         AES     SHA     256   TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 3  [0x67]    DHE-RSA-AES128-SHA256     DH         AES     SHA256  128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 4  [0x33]    DHE-RSA-AES128-SHA        DH         AES     SHA     128   TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 5  [0xc028]  ECDHE-RSA-AES256-SHA384   ECDH       AES     SHA384  256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 6  [0xc014]  ECDHE-RSA-AES256-SHA      ECDH       AES     SHA     256   TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 7  [0xc027]  ECDHE-RSA-AES128-SHA256   ECDH       AES     SHA256  128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 8  [0xc013]  ECDHE-RSA-AES128-SHA      ECDH       AES     SHA     128   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Note: the OpenSSL names for 0xc014 and 0xc013 are ECDHE-RSA-AES256-SHA and ECDHE-RSA-AES128-SHA; OpenSSL does not include "CBC" in these two names even though both suites use AES in CBC mode.

Weak cipher suites (to be discontinued):

 #  ID        Suite name (OpenSSL)      Key exch.  Cipher  MAC     Bits  Cipher suite name (RFC)               Action
 9  [0x16]    DHE-RSA-DES-CBC3-SHA      DH         3DES    SHA     168   TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA     Remove - 3DES
10  [0x3d]    AES256-SHA256             RSA        AES     SHA256  256   TLS_RSA_WITH_AES_256_CBC_SHA256       Remove - ROBOT
11  [0x35]    AES256-SHA                RSA        AES     SHA     256   TLS_RSA_WITH_AES_256_CBC_SHA          Remove - ROBOT
12  [0x3c]    AES128-SHA256             RSA        AES     SHA256  128   TLS_RSA_WITH_AES_128_CBC_SHA256       Remove - ROBOT
13  [0x2f]    AES128-SHA                RSA        AES     SHA     128   TLS_RSA_WITH_AES_128_CBC_SHA          Remove - ROBOT
14  [0x0a]    DES-CBC3-SHA              RSA        3DES    SHA     168   TLS_RSA_WITH_3DES_EDE_CBC_SHA         Remove - 3DES
15  [0xc012]  ECDHE-RSA-DES-CBC3-SHA    ECDH       3DES    SHA     168   TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA   Remove - 3DES

Note: "Bits" is the nominal key length reported by OpenSSL. 3DES is removed because of its 64-bit block size (Sweet32), not its key length; the "ROBOT" suites are removed because their key exchange (RSA in the Key exch. column) is static RSA encryption, which is what the ROBOT oracle attacks. The DHE/ECDHE suites in the first table use RSA only for signing, so they are unaffected.

PCI Security / Weak Cipher Removal Frequently Asked Questions

As part of the ongoing effort to keep Sabre systems secure, Sabre is disabling a set of weak cipher suites for all tier 1 TLS connections. Some of these cipher suites have known vulnerabilities (Sweet32 against the 3DES suites, ROBOT against the static RSA key exchange suites) that could be used to recover or tamper with data in transit.
Application owners using Sabre APIs (Sabre Web Services) are asked to validate that their application supports one or more of the preferred cipher suites (first table) and is not dependent upon the weaker cipher suites (second table).
Please contact the Sabre API Support desk with questions about this advisory.
If your application is not in compliance, it will be unable to connect. The error message you receive will vary depending on the programming language, framework, or libraries used. Errors raised while establishing a secure (often called SSL) HTTP connection indicate that the client and server could not agree on one of the supported cipher suites. The message may contain strings such as SSLHandshakeException, SSLStream, or SSLContext.

Examples:

javax.net.ssl.SSLHandshakeException: no cipher suites in common

or

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

These changes are permanent.
These changes apply to all Sabre APIs endpoints (environments).
After the November 28th change (removal of the weak cipher suites in the non-production environments), you can test your configuration against the non-production endpoints:
  • SOAP APIs: https://sws-crt.cert.havail.sabre.com
  • REST APIs: https://api-crt.cert.havail.sabre.com
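The following script is an added example (not Sabre's code) for the validation requested in the Action Required paragraph and for the endpoint test described above. It encodes the two tables, expands an application's OpenSSL cipher string exactly as the local SSL library would, reports which offered suites are preferred, weak, or neither, and simulates the server's selection from its preference order so that a "no cipher suites in common" outcome is visible before any network test. The cipher strings in the usage block are hypothetical; the probe function, which opens one TLS 1.2 connection offering a single suite, is the only part that needs network access and is left commented out.

```python
"""Check a client's TLS cipher configuration against the Sabre cipher tables.

Added example, not part of the Sabre advisory. Requires only the standard
library. The cipher strings in the usage block are assumptions.
"""
import socket
import ssl

# First table: preferred suites, in server preference order (OpenSSL names).
PREFERRED = [
    "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-SHA",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA",
]

# Second table: suites being removed, with the reason the advisory gives.
WEAK = {
    "DHE-RSA-DES-CBC3-SHA": "3DES (Sweet32)",
    "AES256-SHA256": "static RSA key exchange (ROBOT)",
    "AES256-SHA": "static RSA key exchange (ROBOT)",
    "AES128-SHA256": "static RSA key exchange (ROBOT)",
    "AES128-SHA": "static RSA key exchange (ROBOT)",
    "DES-CBC3-SHA": "3DES (Sweet32)",
    "ECDHE-RSA-DES-CBC3-SHA": "3DES (Sweet32)",
}


def offered_suites(cipher_string):
    """Return the TLS 1.2 (and older) suite names a client built from
    `cipher_string` would offer, expanded by the local OpenSSL.

    Suites the local build no longer ships (3DES is compiled out of most
    modern OpenSSL builds) simply do not appear; if nothing matches at all,
    set_ciphers raises and an empty list is returned. TLS 1.3 suites are
    filtered out because the endpoints above negotiate TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify(cipher_string):
    """Split the offered suites into (preferred, weak, other), keeping order."""
    offered = offered_suites(cipher_string)
    preferred = [s for s in offered if s in PREFERRED]
    weak = [s for s in offered if s in WEAK]
    other = [s for s in offered if s not in PREFERRED and s not in WEAK]
    return preferred, weak, other


def server_selects(client_offered, server_preference=PREFERRED):
    """Simulate a server that honours its own preference order.

    Returns the first suite in `server_preference` that the client also
    offers, or None: the condition behind "no cipher suites in common" and
    "handshake_failure" once the weak suites are gone.
    """
    offered = set(client_offered)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


def will_connect_after_removal(cipher_string):
    """True if a client built from this cipher string still shares a suite
    with the post-removal server, which offers only the first table."""
    return server_selects(offered_suites(cipher_string)) is not None


def probe(host, suite, port=443, timeout=10):
    """Open one TLS 1.2 connection to `host` offering only `suite`; return the
    negotiated suite name or the handshake error text. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError as exc:
        return "not available in local OpenSSL: %s" % exc
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (ssl.SSLError, OSError) as exc:
        return "handshake failed: %s" % exc


if __name__ == "__main__":
    # Hypothetical client configurations (assumptions, not from any real app).
    for label, cs in [("legacy client", "AES128-SHA:AES256-SHA:DES-CBC3-SHA"),
                      ("hardened client", "ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384")]:
        pref, weak, other = classify(cs)
        print(label, "preferred:", pref, "weak:", weak, "other:", other,
              "connects after removal:", will_connect_after_removal(cs))
    # Live check against the CERT endpoint after the non-prod change (network):
    # print(probe("api-crt.cert.havail.sabre.com", "ECDHE-RSA-AES128-SHA256"))
```

A client whose cipher string resolves only to suites in the second table will fail the simulated selection and, after the scheduled dates, the real handshake; the fix is to include at least one first-table suite in the client's configuration rather than to widen the server's list. Note that the server picks by its own preference, so a client that offers both DHE and ECDHE suites will get the DHE suite the first table ranks higher, regardless of the client's order.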

Additional references:

PCI Mandate reference

3DES Vulnerability

ROBOT Vulnerability

If your application is Java based, you may refer to the Java Cryptography Architecture Oracle Providers Documentation for JDK 8.
