Sabre APIs Supported Ciphers
As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. When any external application connects to Sabre using Sabre APIs (Sabre Web Services), it uses HTTPS security based on TLS 1.2 with support for the cipher suites listed below. Some of these cipher suites have known vulnerabilities (3DES' Sweet32, ROBOT) which could be used to access and change the data en route.
On July 12, 2020, Sabre will block all traffic that uses non-compliant cipher suites.
Action Required: All application owners using Sabre APIs are asked to validate that their application supports one or more of the preferred cipher suites.
Back in November of 2018, Sabre disabled weak cipher suites in the non-production environment (CERT). Application owners are advised to test their system integration with Sabre by connecting to and validating against the non-production environment.
On June 20, 2020, we are running two production rehearsals for PROD that will allow application owners the chance to catalog and remediate any unforeseen effects before the final change on July 12th, 2020. During the rehearsals, Sabre APIs will stop accepting non-compliant connections. Any products not upgraded to use compliant cipher suites will stop working. Non-compliant connections will be restored at the end of each production rehearsal.
Production Rehearsal 1 (PROD): Start Time: June 20, 2020 at 1000 CDT (1500 GMT) End Time: June 20, 2020 at 1100 CDT (1600 GMT)
Production Rehearsal 2 (PROD): Start Time: June 20, 2020 at 1800 CDT (2300 GMT) End Time: June 20, 2020 at 1900 CDT (June 21, 2020 at 0000 GMT)
Final Change (PROD): July 12, 2020 at 1000 CDT (1500 GMT)
Sabre will support the following preferred ciphers:
Suite | Name (OpenSSL) | KeyExch. | Encryption (Cipher) | Message Authentication Code (MAC) | Bits | Cipher Suite Name (RFC) |
---|---|---|---|---|---|---|
[0xc028] | ECDHE-RSA-AES256-SHA384 | ECDH | AES | SHA384 | 256 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
[0xc027] | ECDHE-RSA-AES128-SHA256 | ECDH | AES | SHA256 | 128 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
[0xc030] | ECDHE-RSA-AES256-GCM-SHA384 | ECDH | AESGCM | SHA384 | 256 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
[0xc02f] | ECDHE-RSA-AES128-GCM-SHA256 | ECDH | AESGCM | SHA256 | 128 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
PCI Security / Weak Cipher Removal Frequently Asked Questions
Why is Sabre doing this?
As part of the ongoing effort to keep Sabre systems secure, we are disabling a set of weak cipher suites for all tier 1 TLS connections. Some of these cipher suites have known vulnerabilities (3DES' Sweet32, ROBOT), which could be used to access and change the data en route.
How do I prepare for this change?
Applications using Sabre APIs must be validated to support one or more of the preferred cipher suites.
Who do I contact if I have questions or impacts?
Please contact the Sabre API Support Desk with questions about this advisory.
How will this impact my systems?
If your application is not in compliance, you will be unable to connect. The error message you receive will vary depending on the programming language, framework, or libraries used. Errors related to establishing secure (often called SSL) HTTP connections are indicators that you are not able to connect using the predefined ciphers. The error message may contain the following strings: SSLHandshakeException, SSLStream, SSLContext, or something similar.
Examples:
javax.net.ssl.SSLHandshakeException: no cipher suites in common.
or
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Is this a test, or is it permanent?
These changes will be permanent effective July 12, 2020, at 1000 CDT (1500 GMT).
How can I validate if I'm compliant?
You can test the configuration using the non-production endpoints below:
- SOAP APIs: https://webservices.cert.platform.sabre.com/
- REST APIs: https://api.cert.platform.sabre.com/
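Before connecting to the CERT endpoints, an application owner can check offline which suites their own TLS client would actually offer. The script below is an added example, not Sabre code: it audits a Python `ssl` context (OpenSSL-backed) against the four preferred suites from the table above and shows how to pin a client to them; nothing here opens a network connection.

```python
import ssl

# The four cipher suites the advisory lists as preferred, in OpenSSL notation
# (same names as the table above), ordered with the AEAD (GCM) suites first.
PREFERRED = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "ECDHE-RSA-AES128-SHA256",
]


def tls12_ciphers(ctx):
    """TLS 1.2 (and older) suite names this context would offer in its ClientHello.

    TLS 1.3 suites are excluded: OpenSSL lists them alongside, but they are not
    controlled by set_ciphers() and are not part of the advisory's table.
    """
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(ctx=None):
    """Split the client's offer into suites Sabre keeps accepting and suites it
    will reject after the change. Extra 'rejected' suites are harmless only if
    'compliant' is non-empty, because the server picks from the overlap."""
    if ctx is None:
        ctx = ssl.create_default_context()
    offered = tls12_ciphers(ctx)
    compliant = [n for n in offered if n in PREFERRED]
    rejected = [n for n in offered if n not in PREFERRED]
    return compliant, rejected


def restrict_to_preferred(ctx=None):
    """Pin the context so it can only negotiate the preferred suites.

    An ssl.SSLError here means the local OpenSSL build supports none of them,
    which is itself a finding to remediate before the cutover."""
    if ctx is None:
        ctx = ssl.create_default_context()
    ctx.set_ciphers(":".join(PREFERRED))
    return ctx


if __name__ == "__main__":
    compliant, rejected = audit()
    print("would be accepted:", compliant or "NONE -> connection will fail")
    print("would be rejected:", rejected)
    print("after pinning    :", tls12_ciphers(restrict_to_preferred()))
```

Wrapping a socket with the pinned context and connecting to the CERT endpoint above is the live test; a handshake_failure there reproduces the errors this FAQ describes.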
Additional references
If your application is Java-based, you may refer to Oracle's Java Cryptography Architecture Oracle Providers Documentation for JDK 8.