Sabre APIs Supported Ciphers
As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. When any external application connects to Sabre using Sabre APIs, it uses HTTPS security based on TLS 1.2 with support for the cipher suites listed below. Some of these cipher suites have known vulnerabilities (Sweet32 against 3DES, ROBOT) which could be used to access and change data in transit.
On Sep 14th & 16th 2020, Sabre will block all traffic that uses non-compliant cipher suites.
Sabre is constantly monitoring for new security threats and adjusting our security requirements to keep our systems secure. As part of this, Sabre periodically updates the list of supported cipher suites for connections utilizing Sabre APIs. These connections require TLS 1.2 with at least one of the cipher suites listed in the table in this notification.
Post-change, the only cipher suites that will be enabled on our endpoints will be the ones which are listed below.
Suite | Name (OpenSSL) | Grouping | KeyExch. | Encryption (Cipher) | Message Authentication Code (MAC) | F5 Cipher Order | Cipher Suite Name (RFC) |
---|---|---|---|---|---|---|---|
[0xc030] | ECDHE-RSA-AES256-GCM-SHA384 | Group1 | ECDH | AESGCM | SHA384 | 1 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
[0xc02f] | ECDHE-RSA-AES128-GCM-SHA256 | Group1 | ECDH | AESGCM | SHA256 | 2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
[0xc028] | ECDHE-RSA-AES256-SHA384 | Group2 | ECDH | AES | SHA384 | 3 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
[0xc014] | ECDHE-RSA-AES256-CBC-SHA | Group3 | ECDH | AES | SHA | 4 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
[0xc027] | ECDHE-RSA-AES128-SHA256 | Group2 | ECDH | AES | SHA256 | 5 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
[0xc013] | ECDHE-RSA-AES128-CBC-SHA | Group3 | ECDH | AES | SHA | 6 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
[0x9d] | AES256-GCM-SHA384 | Group4 | RSA | AESGCM | SHA384 | 7 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
[0x9c] | AES128-GCM-SHA256 | Group4 | RSA | AESGCM | SHA256 | 8 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
[0x3d] | AES256-SHA256 | Group5 | RSA | AES | SHA256 | 9 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
[0x35] | AES256-SHA | Group6 | RSA | AES | SHA | 10 | TLS_RSA_WITH_AES_256_CBC_SHA |
[0x3c] | AES128-SHA256 | Group5 | RSA | AES | SHA256 | 11 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
[0x2f] | AES128-SHA | Group6 | RSA | AES | SHA | 12 | TLS_RSA_WITH_AES_128_CBC_SHA |
Action Required: All application owners using Sabre APIs are asked to validate that their application supports one or more of the preferred cipher suites.
On August 26th, 2020, we are running two production rehearsals for PROD that will give application owners the chance to catalog and remediate any unforeseen effects before the final change on September 16th, 2020.
During the rehearsals, Sabre APIs will stop accepting non-compliant connections. Any products not upgraded to use compliant cipher suites will stop working. Non-compliant connections will be restored at the end of each production rehearsal.
Certification Change: UAT
Start Time: August 13th 2020 at 10:00 AM CDT
End Time: August 13th, 2020 at 12:00 PM CDT
Certification Change: CUAT
Start Time: August 14th 2020 at 10:00 AM CDT
End Time: August 14th, 2020 at 12:00 PM CDT
Certification Change: EUAT
Start Time: August 27th, 2020 at 2:00 AM CDT
Production Rehearsal 1: - Community SHS (e.g. *[services].synxis.com)
Start Time: September 3rd, 2020 at 2:00 AM CDT
End Time: September 3rd, 2020 at 3:00 AM CDT
Production Rehearsal 2: - Community SHS (e.g. *[services].synxis.com)
Start Time: September 3rd, 2020 at 10:00 AM CDT
End Time: September 3rd, 2020 at 11:00 AM CDT
Production Final Change:
Start Time: September 14th, 2020 at 2:00 AM CDT - Community SHS (e.g. *[services].synxis.com)
Start Time: September 16th, 2020 at 2:00 AM CDT - Enterprise SHS (e.g. *[services].sabrehospitality.com)
PCI Security / Weak Cipher Removal Frequently Asked Questions
How do I prepare for this change?
Applications using Sabre APIs must be validated to support one or more of the preferred cipher suites.
How will this impact my systems?
If your application is not in compliance, you will be unable to connect. The error message you receive will vary depending on the programming language, framework, or libraries used. Errors related to establishing secure (often called SSL) HTTP connections are indicators that you are not able to connect using the predefined ciphers. The error message may contain the following strings: SSLHandshakeException, SSLStream, SSLContext, or something similar.
Examples:
javax.net.ssl.SSLHandshakeException: no cipher suites in common.
or
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Is this a test, or is it permanent?
These changes will be permanent effective September 14th and September 16th 2020.
How can I validate if I'm compliant?
You can test the configuration using the non-production endpoints below:
- SOAP APIs: https://integcert.synxis.com or https://interface.cuat.synxis.com
- REST APIs: https://bus-cuat.synxis.com
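An offline pre-check to run before testing against the endpoints above, as an added example (not Sabre's code): it compares the cipher suite codes a client offers with the table in this notification and reports the suite it would expect to be selected. It assumes the endpoint picks suites in the table's "F5 Cipher Order"; the two sample offers are constructed, not captured traffic.

```python
import ssl

# Allowed suites from the advisory table, in "F5 Cipher Order" (most preferred first).
SABRE_ALLOWED = [
    (0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"),
    (0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
    (0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"),
    (0xC014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"),
    (0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"),
    (0xC013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"),
    (0x009D, "TLS_RSA_WITH_AES_256_GCM_SHA384"),
    (0x009C, "TLS_RSA_WITH_AES_128_GCM_SHA256"),
    (0x003D, "TLS_RSA_WITH_AES_256_CBC_SHA256"),
    (0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA"),
    (0x003C, "TLS_RSA_WITH_AES_128_CBC_SHA256"),
    (0x002F, "TLS_RSA_WITH_AES_128_CBC_SHA"),
]


def check_offer(offered_codes):
    """Return (compliant, expected_suite, codes_not_on_list) for a client offer.

    expected_suite is the first allowed suite, in table order, that the client
    also offers (assumption: the endpoint applies server-side preference).
    """
    offered = set(offered_codes)
    allowed = {code for code, _ in SABRE_ALLOWED}
    expected = next((name for code, name in SABRE_ALLOWED if code in offered), None)
    return expected is not None, expected, sorted(offered - allowed)


def local_offer(ctx=None):
    """16-bit suite codes enabled in a Python ssl context (OpenSSL ids are 0x0300xxxx)."""
    ctx = ctx or ssl.create_default_context()
    return [c["id"] & 0xFFFF for c in ctx.get_ciphers()]


# Constructed sample offers:
LEGACY_3DES_ONLY = [0x000A, 0x0016]          # RSA and DHE-RSA with 3DES_EDE_CBC_SHA
MIXED_OLD_CLIENT = [0x000A, 0x002F, 0xC013]  # 3DES plus two allowed CBC suites

if __name__ == "__main__":
    for label, offer in [("3DES only", LEGACY_3DES_ONLY),
                         ("mixed", MIXED_OLD_CLIENT),
                         ("this interpreter", local_offer())]:
        ok, suite, extra = check_offer(offer)
        print(f"{label}: compliant={ok} expected={suite} "
              f"not_on_list={[hex(c) for c in extra]}")
```

A client whose offer yields compliant=False is the case that produces the "no cipher suites in common" or handshake_failure errors quoted earlier; TLS 1.3 suite codes show up under not_on_list because the table covers TLS 1.2 suites only.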
Who do I contact if I have questions or impacts?
Please contact Sabre Hospitality Solutions Customer Care with questions about this advisory.
Additional references
If your application is Java-based, you may refer to Java Cryptography Architecture Oracle Providers Documentation for JDK 8
What products are compatible with the Cipher Suite?
Compatible with most legacy browsers, legacy libraries (still patched) and other application protocols besides HTTPS, e.g. IMAPS.
Includes solely PFS ciphers. This cipher suite will phase out SHA-1 and TLSv1, TLSv1.1 for HTTPS in the medium term.
Protocols: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 (and newer or better).
Oldest known clients that are compatible: Android 2.3.7/4.0.4, Baidu Jan 2015, BingPreview Dec 2013, Chrome 27/Win 7, Chrome 34/OS X, Edge 12/Win 10, Firefox 10.0.12 ESR/Win 7, Firefox 21/Win 7+Fedora 19, Googlebot Oct 2013, IE 7/Vista, IE 10/WinPhone 8.0, Java 7u25, OpenSSL 0.9.8y, Opera 12.15/Win 7, Safari 5/iOS 5.1.1, Safari 5.1.9/macOS 10.6.8, Yahoo Slurp Oct 2013, YandexBot May 2014.