Sabre APIs Supported Ciphers
As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. When any external application connects to Sabre using Sabre APIs, it uses HTTPS security based on TLS 1.2 with support for the cipher suites listed below. Some of these cipher suites have known vulnerabilities (3DES' Sweet32, ROBOT) which could be used to access and change the data in route.
Sabre will block all traffic that uses non-compliant ciphers suites.
Sabre is constantly monitoring for new security threats and adjusting our security requirements to keep our systems secure. As part of this, Sabre periodically updates the list of supported cipher suites for connections utilizing Sabre APIs. These connections require TLS 1.2 with at least one of the cipher suites listed in the table in this notification.
The only cipher suites that will be enabled on our endpoints will be the ones which are listed below.
| Suite | Name (OpenSSL) | Grouping | KeyExch. | Encryption (Cipher) | Message Authentication Code (MAC) | F5 Cipher Order | Cipher Suite Name (RFC) |
|---|---|---|---|---|---|---|---|
| [0xc030] | ECDHE-RSA-AES256-GCM-SHA384 | Group1 | ECDH | AESGCM | SHA384 | 1 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| [0xc02f] | ECDHE-RSA-AES128-GCM-SHA256 | Group1 | ECDH | AESGCM | SHA256 | 2 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| [0xc028] | ECDHE-RSA-AES256-SHA384 | Group2 | ECDH | AES | SHA384 | 3 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| [0xc014] | ECDHE-RSA-AES256-CBC-SHA | Group3 | ECDH | AES | SHA | 4 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| [0xc027] | ECDHE-RSA-AES128-SHA256 | Group2 | ECDH | AES | SHA256 | 5 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| [0xc013] | ECDHE-RSA-AES128-CBC-SHA | Group3 | ECDH | AES | SHA | 6 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| [0x9d] | AES256-GCM-SHA384 | Group4 | RSA | AESGCM | SHA384 | 7 | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| [0x9c] | AES128-GCM-SHA256 | Group4 | RSA | AESGCM | SHA256 | 8 | TLS_RSA_WITH_AES_128_GCM_SHA256 |
| [0x3d] | AES256-SHA256 | Group5 | RSA | AES | SHA256 | 9 | TLS_RSA_WITH_AES_256_CBC_SHA256 |
| [0x35] | AES256-SHA | Group6 | RSA | AES | SHA | 10 | TLS_RSA_WITH_AES_256_CBC_SHA |
| [0x3c] | AES128-SHA256 | Group5 | RSA | AES | SHA256 | 11 | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| [0x2f] | AES128-SHA | Group6 | RSA | AES | SHA | 12 | TLS_RSA_WITH_AES_128_CBC_SHA |
Action Required: All application owners using Sabre APIs are asked to validate that their application supports one or more of the preferred cipher suites.
PCI Security / Weak Cipher Removal Frequently Asked Questions
How will this impact my systems?
If your application is not in compliance, you will be unable to connect. The error message you receive will vary depending on the programming language, framework, or libraries used. Errors related to establishing secure (often called SSL) HTTP connections are indicators that you are not able to connect using the predefined ciphers. The error message may contain the following strings: SSLHandshakeException, SSLStream, SSLContext, or something similar.
Examples:
javax.net.ssl.SSLHandshakeException: no cipher suites in common.
or
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
How can I validate if I'm compliant?
You can test the configuration using the non-production endpoints below:
-
SOAP APIs: https://integcert.synxis.com or https://interface.cuat.synxis.com
-
REST APIs: https://bus-cuat.synxis.com
Who do I contact if I have questions or impacts?
Please contact Sabre Hospitality Solutions Customer Care with questions.
Additional references
If your application is Java-based, you may refer to Java Cryptography Architecture Oracle Providers Documentation for JDK 8
What products are compatible with the Cipher Suite ?
Compatibility to most legacy browsers, legacy libraries (still patched) and other application protocols besides https, e.g. IMAPS.
Includes solely PFS ciphers. This cipher suite will phase out SHA-1 and TLSv1, TLSv1.1 for HTTPS in middle-term.
Protocols: TLSv1.3, TLSv1.2, TLSv1.1, TLSv1 (and newer or better).
Oldest known clients that are compatible: Android 2.3.7/4.0.4, Baidu Jan 2015, BingPreview Dec 2013, Chrome 27/Win 7, Chrome 34/OS X, Edge 12/Win 10, Firefox 10.0.12 ESR/Win 7, Firefox 21/Win 7+Fedora 19, Googlebot Oct 2013, IE 7/Vista, IE 10/WinPhone 8.0, Java 7u25, OpenSSL 0.9.8y, Opera 12.15/Win 7, Safari 5/iOS 5.1.1, Safari 5.1.9/macOS 10.6.8, Yahoo Slurp Oct 2013, YandexBot May 2014.