Important! As part of implementing the TLS 1.2 PCI Mandate, Sabre has disabled non-compliant security protocols in all environments as of June 30, 2018. Please take note of the following scheduled changes as they relate to disabling weak ciphers in support of the PCI Mandate.
As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. When any external application connects to Sabre using Sabre APIs (Sabre Web Services), it uses HTTPS security based on TLS 1.2 with support for the cipher suites listed below. Some of these cipher suites have known vulnerabilities (Sweet32 in 3DES, ROBOT) that could be used to access and change data in transit.
Action Required: All application owners using Sabre APIs are asked to validate that their application supports one or more of the preferred cipher suites below (first table) and is not dependent upon the support of the weaker cipher suites (second table).
The following tables show the complete set of cipher suites currently supported. The items in the first table are considered the preferred strong cipher suites. The items in the second table are the weak cipher suites and will be discontinued.
- Non-Prod: November 28, 2018 1:00PM CST (completed)
- Prod: October 29, 2019 (exact time TBD)
|Cipher Preference Order||Suite||Name (OpenSSL)||KeyExch.||Encryption (Cipher)||Message Authentication Code (MAC)||Bits||Cipher Suite Name (RFC)|
|Cipher Preference Order||Suite||Name (OpenSSL)||KeyExch.||Encryption (Cipher)||Message Authentication Code (MAC)||Bits||Cipher Suite Name (RFC)||Action|
|9||[0x16]||DHE-RSA-DES-CBC3-SHA||DH||3DES||SHA||168||TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA||Remove - 3DES|
|10||[0x3d]||AES256-SHA256||RSA||AES||SHA256||256||TLS_RSA_WITH_AES_256_CBC_SHA256||Remove - ROBOT|
|11||[0x35]||AES256-SHA||RSA||AES||SHA||256||TLS_RSA_WITH_AES_256_CBC_SHA||Remove - ROBOT|
|12||[0x3c]||AES128-SHA256||RSA||AES||SHA256||128||TLS_RSA_WITH_AES_128_CBC_SHA256||Remove - ROBOT|
|13||[0x2f]||AES128-SHA||RSA||AES||SHA||128||TLS_RSA_WITH_AES_128_CBC_SHA||Remove - ROBOT|
|14||[0x0a]||DES-CBC3-SHA||RSA||3DES||SHA||168||TLS_RSA_WITH_3DES_EDE_CBC_SHA||Remove - 3DES|
|15||[0xc012]||ECDHE-RSA-DES-CBC3-SHA||ECDH||3DES||SHA||168||TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA||Remove - 3DES|
As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. Some of these cipher suites have known vulnerabilities (Sweet32 in 3DES, ROBOT) that could be used to access and change data in transit.
Application owners using Sabre APIs (Sabre Web Services) are asked to validate that their application supports one or more of the preferred cipher suites (first table) and is not dependent upon the support of the weaker cipher suites (second table).
Please contact the Sabre API Support desk with questions about this advisory.
If your application is not in compliance, you will be unable to connect. The error message you receive will vary depending on the programming language, framework, or libraries used. Errors related to establishing secure (often called SSL) HTTP connections are indicators that you are not able to connect using the predefined ciphers. The error message may contain the following strings: SSLHandshakeException, SSLStream, SSLContext or something similar.
javax.net.ssl.SSLHandshakeException: no cipher suites in common
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
These changes will be permanent.
Potentially yes. These changes are planned for all Sabre APIs production endpoints (environments), but they were completed in non-production environments on November 28th, 2019.
After the November 28th, 2018 change (removing the weak cipher suites in non-production environments), you can test your configuration using the non-production endpoints:
If your application is Java-based, you may refer to the Java Cryptography Architecture Oracle Providers Documentation for JDK 8.
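One way to carry out the validation requested above is to check a client's enabled cipher suites against the second table. This is an added example, not Sabre code. The function names, the `SSL_` prefix normalization for JSSE-style names, and the sample suite lists are assumptions made here.

```python
import ssl

# Second table of the advisory: RFC name -> (OpenSSL name, removal reason).
REMOVED = {
    "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA": ("DHE-RSA-DES-CBC3-SHA", "3DES"),
    "TLS_RSA_WITH_AES_256_CBC_SHA256": ("AES256-SHA256", "ROBOT"),
    "TLS_RSA_WITH_AES_256_CBC_SHA": ("AES256-SHA", "ROBOT"),
    "TLS_RSA_WITH_AES_128_CBC_SHA256": ("AES128-SHA256", "ROBOT"),
    "TLS_RSA_WITH_AES_128_CBC_SHA": ("AES128-SHA", "ROBOT"),
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": ("DES-CBC3-SHA", "3DES"),
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": ("ECDHE-RSA-DES-CBC3-SHA", "3DES"),
}
# Accept either naming scheme (RFC or OpenSSL) when looking a suite up.
_REASON = {}
for rfc, (openssl_name, reason) in REMOVED.items():
    _REASON[rfc] = _REASON[openssl_name] = reason


def removal_reason(name):
    """Return '3DES' or 'ROBOT' if the suite is on the removal list, else None."""
    name = name.strip()
    if name.startswith("SSL_"):  # assumption: JSSE spells some legacy suites SSL_*
        name = "TLS_" + name[4:]
    return _REASON.get(name)


def audit(offered):
    """Split a client's enabled suites into those being removed and the rest."""
    removed = {n: removal_reason(n) for n in offered if removal_reason(n)}
    remaining = [n for n in offered if n not in removed]
    # An empty 'remaining' list means the handshake cannot succeed after the
    # change. A non-empty list must still be compared with the first table.
    return {"removed": removed, "remaining": remaining,
            "no_suite_left": not remaining}


def local_tls12_offer(context=None):
    """Suites this Python/OpenSSL build would offer in a TLS 1.2 handshake."""
    ctx = context or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    # Constructed sample: a legacy client's enabled list (not from the advisory).
    legacy = ["SSL_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
    print(audit(legacy))
    print(audit(local_tls12_offer()))
```

A client whose audit reports `no_suite_left` is the one that will hit the handshake errors quoted earlier once the weak suites are removed.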