Supported TLS Versions
- Updated on 12 Jun 2025
TLS Cipher Suites
OneSpan uses a Web Application Firewall (WAF) and additional protection against Denial-of-Service attacks. This protection is provided through Cloudflare, and OneSpan now uses the inbound IP addresses used by Cloudflare.
OneSpan Sign also uses Transport Layer Security (TLS) cipher suites. TLS is a protocol that provides privacy and data integrity between two communicating applications; here, it protects the confidentiality and integrity of data exchanged between OneSpan Sign and customers. It is the most widely used security protocol for web browsers and other applications that require secure data exchange over a network. Through encryption and endpoint-identity verification, TLS ensures that a connection to a remote endpoint is indeed the intended endpoint.
Deprecation of Legacy TLS Ciphers
As part of our ongoing commitment to security, we'll be deprecating some legacy TLS ciphers. The following cipher types will be phased out on these dates:
Type | Environment | Phase Out Date |
---|---|---|
Non-Forward Secrecy ciphers | All Sandbox environments | June 30, 2025 |
Non-Forward Secrecy ciphers | All other environments | August 30, 2025 |
CBC ciphers | All Sandbox environments | February 28, 2026 |
CBC ciphers | All other environments | June 30, 2026 |
What do I need to do?
We recommend that you start working with your IT team immediately to ensure that your integration framework does not use any of the above-mentioned cipher suites. Once completed, please test your OneSpan Sign Sandbox environment to ensure that all TLS communications are working properly. This is an important step that ensures that your organization does not encounter service disruptions.
TLS 1.3 cipher suites
The following TLS 1.3 cipher suites are supported:
TLS13-CHACHA20-POLY1305-SHA256
TLS13-AES-256-GCM-SHA384
TLS13-AES-128-GCM-SHA256
TLS 1.2 cipher suites
Some of our TLS 1.2 cipher suites will no longer be supported and will be deprecated as per the schedule above. The following table lists the ciphers that will continue to be supported, and those that will be gradually phased out:
Cipher suite | Support Status |
---|---|
ECDHE-RSA-AES128-GCM-SHA256 | Supported |
ECDHE-RSA-AES256-GCM-SHA384 | Supported |
AES128-GCM-SHA256 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
AES128-SHA256 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
AES256-GCM-SHA384 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
AES256-SHA256 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
ECDHE-RSA-AES128-SHA256 | This is a CBC cipher suite that will be phased out in 2026 |
ECDHE-RSA-AES256-SHA384 | This is a CBC cipher suite that will be phased out in 2026 |
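One way to check an integration's OpenSSL cipher string against the phase-out schedule and the TLS 1.2 table above (an added example, not OneSpan code). It assumes a suite may be refused from its phase-out date onward; `expand`, `audit` and the sample cipher string are illustrative names, and TLS 1.3 suites are left out of the check.

```python
import ssl
from datetime import date

# Phase-out dates and TLS 1.2 suite classes, copied from the tables on this page.
PHASE_OUT = {
    "sandbox": {"non_fs": date(2025, 6, 30), "cbc": date(2026, 2, 28)},
    "other":   {"non_fs": date(2025, 8, 30), "cbc": date(2026, 6, 30)},
}
PAGE_SUITES = {  # None = listed as "Supported" with no phase-out date
    "ECDHE-RSA-AES128-GCM-SHA256": None,
    "ECDHE-RSA-AES256-GCM-SHA384": None,
    "AES128-GCM-SHA256": "non_fs",
    "AES128-SHA256": "non_fs",
    "AES256-GCM-SHA384": "non_fs",
    "AES256-SHA256": "non_fs",
    "ECDHE-RSA-AES128-SHA256": "cbc",
    "ECDHE-RSA-AES256-SHA384": "cbc",
}

def expand(cipher_string):
    """TLS 1.2-and-below suite names that OpenSSL offers for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # OpenSSL also reports its TLS 1.3 suites here; this check covers TLS 1.2 only.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(offered, env, on):
    """Sort offered suites into usable / phased_out / not_listed for `env` on date `on`.

    Assumption: a suite may be refused from its phase-out date onward.
    """
    report = {"usable": [], "phased_out": [], "not_listed": []}
    for name in offered:
        if name not in PAGE_SUITES:
            report["not_listed"].append(name)
            continue
        kind = PAGE_SUITES[name]
        gone = kind is not None and on >= PHASE_OUT[env][kind]
        report["phased_out" if gone else "usable"].append(name)
    return report

if __name__ == "__main__":
    # Constructed sample: a legacy client pinned to RSA key exchange and CBC suites.
    legacy = expand("AES128-GCM-SHA256:AES256-SHA256:ECDHE-RSA-AES128-SHA256")
    for env, day in (("sandbox", date(2025, 7, 1)), ("other", date(2026, 7, 1))):
        result = audit(legacy, env, day)
        status = "OK" if result["usable"] else "TLS 1.2 handshake will fail"
        print(env, day, status, result)
```

An empty `usable` list means the client has no TLS 1.2 suite left in common with the table for that environment and date; suites under `not_listed` do not appear in the table at all.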
Unsupported TLS Versions
As explained in the next section, OneSpan Sign no longer supports the 1.0 and 1.1 versions of TLS.
TLS 1.2 is now the minimum appropriate transport protocol, and TLS 1.3 is strongly recommended.
TLS 1.0 & 1.1 No Longer Supported
Over time, many TLS 1.0 and TLS 1.1 vulnerabilities were uncovered and exploited by attackers. Therefore, TLS 1.0 and TLS 1.1 are no longer considered secure protocols.
Version 2.1 of the OneSpan Sign works only with TLS 1.2.
Security and trust are at the heart of OneSpan Sign's business. To align with industry best practices, we have therefore dropped support for TLS 1.0 and 1.1.
The following table shows when TLS 1.0 was disabled in various OneSpan Sign environments:
Environment | U.S. (10.x) | U.S. (11.x) | Canada | Europe | Australia |
---|---|---|---|---|---|
Sandbox | 4 June 2018 | 4 June 2018 | 4 June 2018 | N/A | N/A |
Production | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 |
TLS 1.1 was disabled in OneSpan Sign's environments on the following dates:
Sandbox: March 20 to May 11, 2020
Production: June 2 to June 16, 2020
Because OneSpan Sign has disabled TLS 1.0 and 1.1, customers who use those protocols can no longer access OneSpan Sign's e-signature services.
Accordingly, you should already have transitioned your environment to drop TLS 1.0 and 1.1, and enable support for TLS 1.2 or 1.3. You can achieve this by upgrading to the latest Java or .NET environment (and, if you are running an older Microsoft Windows version, by applying the necessary service packs).
For further information, please consult the following articles: