Guides

Learn about how to get started with our products, common concepts you may hear in the travel industry, and other guides to help you along the way.

 

Sabre APIs Supported Ciphers

As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. When any external application connects to Sabre using Sabre APIs, it uses HTTPS security based on TLS 1.2 with support for the cipher suites listed below. Some of these cipher suites have known vulnerabilities (3DES' Sweet32, ROBOT) which could be used to access and change the data in route.

On Sep 14th & 16th 2020, Sabre will block all traffic that uses non-compliant ciphers suites.

Sabre is constantly monitoring for new security threats and adjusting our security requirements to keep our systems secure. As part of this, Sabre periodically updates the list of supported cipher suites for connections utilizing Sabre APIs. These connections require TLS 1.2 with at least one of the cipher suites listed in the table in this notification.

Post-change, the only cipher suites that will be enabled on our endpoints will be the ones which are listed below.

Suite Name (OpenSSL) Grouping KeyExch. Encryption (Cipher) Message Authentication Code (MAC) F5 Cipher Order Cipher Suite Name (RFC)
[0xc030] ECDHE-RSA-AES256-GCM-SHA384 Group1 ECDH AESGCM SHA384 1 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[0xc02f] ECDHE-RSA-AES128-GCM-SHA256 Group1 ECDH AESGCM SHA256 2 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[0xc028] ECDHE-RSA-AES256-SHA384 Group2 ECDH AES SHA384 3 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[0xc014] ECDHE-RSA-AES256-CBC-SHA Group3 ECDH AES SHA 4 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0xc027] ECDHE-RSA-AES128-SHA256 Group2 ECDH AES SHA256 5 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[0xc013] ECDHE-RSA-AES128-CBC-SHA Group3 ECDH AES SHA 6 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
[0x9d] AES256-GCM-SHA384 Group4 RSA AESGCM SHA384 7 TLS_RSA_WITH_AES_256_GCM_SHA384
[0x9c] AES128-GCM-SHA256 Group4 RSA AESGCM SHA256 8 TLS_RSA_WITH_AES_128_GCM_SHA256
[0x3d] AES256-SHA256 Group5 RSA AES SHA256 9 TLS_RSA_WITH_AES_256_CBC_SHA256
[0x35] AES256-SHA Group6 RSA AES SHA 10 TLS_RSA_WITH_AES_256_CBC_SHA
[0x3c] AES128-SHA256 Group5 RSA AES SHA256 11 TLS_RSA_WITH_AES_128_CBC_SHA256
[0x2f] AES128-SHA Group6 RSA AES SHA 12 TLS_RSA_WITH_AES_128_CBC_SHA


Action Required: All application owners using Sabre APIs are asked to validate that their application supports one or more of the preferred cipher suites.

On August 26th, 2020, we are running two production rehearsals for PROD that will allow application owners the chance to catalog and remediate any unforeseen effects before the final change on September 16th, 2020.

During the rehearsals, Sabre APIs will stop accepting non-compliant connections. Any products not upgraded to use compliant cipher suites will stop working. Non-compliant connections will be restored at the end of each production rehearsal.

Certification Change: UAT

Start Time: August 13th 2020 at 10:00 AM CDT

End Time: August 13th , 2020 at 12:00 PM CDT

Certification Change : CUAT

Start Time: August 14th 2020 at 10:00 AM CDT

End Time: August 14th , 2020 at 12:00 PM CDT

Certification Change : EUAT

Start Time: August 27th, 2020 at 2:00 AM CDT

Production Rehearsal 1: - Community SHS (e.g. *[services].synxis.com)

Start Time: September 3rd, 2020 at 2:00 AM CDT

End Time: September 3rd, 2020 at 3:00 AM CDT

Production Rehearsal 2: - Community SHS (e.g. *[services].synxis.com)

Start Time: September 3rd, 2020 at 10:00 AM CDT

End Time: September 3rd, 2020 at 11:00 AM CDT

Production Final Change:

Start Time: September 14th, 2020 at 2:00 AM CDT - Community SHS (e.g. *[services].synxis.com)

Start Time: September 16th, 2020 at 2:00 AM CDT - Enterprise SHS (e.g. *[services].sabrehospitality.com)


PCI Security / Weak Cipher Removal Frequently Asked Questions

How do I prepare for this change?

Applications using Sabre APIs must be validated to support one or more of the preferred cipher suites.

How will this impact my systems?

If your application is not in compliance, you will be unable to connect. The error message you receive will vary depending on the programming language, framework, or libraries used. Errors related to establishing secure (often called SSL) HTTP connections are indicators that you are not able to connect using the predefined ciphers. The error message may contain the following strings: SSLHandshakeException, SSLStream, SSLContext, or something similar.

Examples:

javax.net.ssl.SSLHandshakeException: no cipher suites in common.

or

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

Is this a test, or is it permanent?

These changes will be permanent effective September 14th and September 16th 2020.

How can I validate if I'm compliant?

You can test the configuration using the non-production endpoints below:

Who do I contact if I have questions or impacts?

Please contact Sabre Hospitality Solutions Customer Care with questions about this advisory.

Additional references

If your application is Java-based, you may refer to Java Cryptography Architecture Oracle Providers Documentation for JDK 8

What products are compatible with the Cipher Suite ?

Compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS.

Includes solely PFS ciphers. This cipher suite will phase out SHA-1 and TLSv1, TLSv1.1 for HTTPS in middle-term.

Protocols: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 (and newer or better).

Oldest known clients that are compatible: Android 2.3.7/4.0.4, Baidu Jan 2015, BingPreview Dec 2013, Chrome 27/Win 7, Chrome 34/OS X, Edge 12/Win 10, Firefox 10.0.12 ESR/Win 7, Firefox 21/Win 7+Fedora 19, Googlebot Oct 2013, IE 7/Vista, IE 10/WinPhone 8.0, Java 7u25, OpenSSL 0.9.8y, Opera 12.15/Win 7, Safari 5/iOS 5.1.1, Safari 5.1.9/macOS 10.6.8, Yahoo Slurp Oct 2013, YandexBot May 2014.