Supported TLS Versions
  • 12 Jun 2025

TLS Cipher Suites

OneSpan uses a Web Application Firewall (WAF) and additional protection against Denial-of-Service attacks. This protection is provided through Cloudflare, and OneSpan now uses the inbound IP addresses used by Cloudflare.

OneSpan Sign also uses Transport Layer Security (TLS) cipher suites. TLS is a protocol that protects the confidentiality and integrity of data exchanged between two communicating applications, here OneSpan Sign and its customers. It is the most widely used security protocol for web browsers and other applications that require secure data exchange over a network. Through encryption and endpoint-identity verification, TLS ensures that a connection to a remote endpoint is indeed a connection to the intended endpoint.

Deprecation of Legacy TLS Ciphers

As part of our ongoing commitment to security, we'll be deprecating some legacy TLS ciphers. The following ciphers will be phased out on the dates shown:

| Type | Environment | Phase Out Date |
|---|---|---|
| Non-Forward Secrecy ciphers | All Sandbox environments | June 30, 2025 |
| Non-Forward Secrecy ciphers | All other environments | August 30, 2025 |
| CBC ciphers | All Sandbox environments | February 28, 2026 |
| CBC ciphers | All other environments | June 30, 2026 |

What do I need to do?

We recommend that you start working with your IT team immediately to ensure that your integration framework does not use any of the above-mentioned cipher suites. Once completed, please test your OneSpan Sign Sandbox environment to ensure that all TLS communications are working properly. This is an important step that ensures that your organization does not encounter service disruptions.

TLS 1.3 cipher suites

The following TLS 1.3 cipher suites are supported:

  • TLS13-CHACHA20-POLY1305-SHA256

  • TLS13-AES-256-GCM-SHA384

  • TLS13-AES-128-GCM-SHA256

TLS 1.2 cipher suites

Some of our TLS 1.2 cipher suites will no longer be supported and will be deprecated as per the schedule above. The following table lists the ciphers that will continue to be supported, and those that will be gradually phased out:

| Cipher suite | Support Status |
|---|---|
| ECDHE-RSA-AES128-GCM-SHA256 | Supported |
| ECDHE-RSA-AES256-GCM-SHA384 | Supported |
| AES128-GCM-SHA256 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
| AES128-SHA256 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
| AES256-GCM-SHA384 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
| AES256-SHA256 | This is a Non-Forward Secrecy cipher suite that will be phased out in 2025 |
| ECDHE-RSA-AES128-SHA256 | This is a CBC cipher suite that will be phased out in 2026 |
| ECDHE-RSA-AES256-SHA384 | This is a CBC cipher suite that will be phased out in 2026 |
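
To check an integration against the phase-out schedule and the TLS 1.2 table above, the following added example (not OneSpan code) expands a client's OpenSSL cipher string and reports which of the offered suites are still accepted on a given date. The environment keys `sandbox` and `other`, the function names, the OpenSSL spellings of the three TLS 1.3 suites, and the choice to treat a suite as unavailable from its phase-out date onward are assumptions.

```python
import ssl
from datetime import date

# TLS 1.2 suites grouped by the support status given in the table on this page.
SUPPORTED = {"ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"}
NON_FS = {"AES128-GCM-SHA256", "AES128-SHA256",
          "AES256-GCM-SHA384", "AES256-SHA256"}
CBC = {"ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384"}
# OpenSSL names for the three TLS 1.3 suites listed on this page (assumed mapping).
TLS13 = {"TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_256_GCM_SHA384",
         "TLS_AES_128_GCM_SHA256"}
# Phase-out dates from the schedule on this page: (class, environment) -> date.
PHASE_OUT = {
    ("non-fs", "sandbox"): date(2025, 6, 30),
    ("non-fs", "other"): date(2025, 8, 30),
    ("cbc", "sandbox"): date(2026, 2, 28),
    ("cbc", "other"): date(2026, 6, 30),
}

def client_suites(cipher_string):
    """Expand an OpenSSL cipher string into the suite names this client offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

def retirement(suite, env):
    """None if the suite stays supported, its phase-out date if it is being
    retired, or "unlisted" if the page does not list it at all."""
    if suite in TLS13 or suite in SUPPORTED:
        return None
    if suite in NON_FS:
        return PHASE_OUT[("non-fs", env)]
    if suite in CBC:
        return PHASE_OUT[("cbc", env)]
    return "unlisted"

def usable_on(suites, env, day):
    """Offered suites still accepted on `day`.
    Assumption: a suite is treated as gone from its phase-out date onward."""
    def ok(suite):
        r = retirement(suite, env)
        return r is None or (r != "unlisted" and day < r)
    return [s for s in suites if ok(s)]

if __name__ == "__main__":
    # Constructed sample: a client pinned to two suites that are being retired.
    offered = client_suites("AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256")
    for day in (date(2025, 6, 1), date(2025, 7, 1), date(2026, 3, 1)):
        print(day, usable_on(offered, "sandbox", day) or "NO COMMON SUITE")
```

An empty result from `usable_on` means the client and the service share no cipher suite on that date, so the handshake would fail. On a client whose OpenSSL build enables TLS 1.3, `client_suites` also returns the TLS 1.3 suites, which are never retired by this schedule.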

Unsupported TLS Versions

As explained in the next section, OneSpan Sign no longer supports the 1.0 and 1.1 versions of TLS.

TLS 1.2 is now the minimum appropriate transport protocol, and TLS 1.3 is strongly recommended.

TLS 1.0 & 1.1 No Longer Supported

Over time, many TLS 1.0 and TLS 1.1 vulnerabilities were uncovered and exploited by attackers. Therefore, TLS 1.0 and TLS 1.1 are no longer considered secure protocols.

Version 2.1 of the OneSpan Sign works only with TLS 1.2.

Security and trust are at the heart of OneSpan Sign's business. To align with industry best practices, we have therefore dropped support for TLS 1.0 and 1.1.

The following table shows when TLS 1.0 was disabled in various OneSpan Sign environments:

| | U.S. (10.x) | U.S. (11.x) | Canada | Europe | Australia |
|---|---|---|---|---|---|
| Sandbox | 4 June 2018 | 4 June 2018 | 4 June 2018 | N/A | N/A |
| Production | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 | 10 Sept. 2018 |

TLS 1.1 was disabled in OneSpan Sign's environments on the following dates:

  • Sandbox: March 20 to May 11, 2020

  • Production: June 2 to June 16, 2020

Because OneSpan Sign has disabled TLS 1.0 and 1.1, customers who use those protocols can no longer access OneSpan Sign's e-signature services.

Accordingly, you should already have transitioned your environment to drop TLS 1.0 and 1.1, and enable support for TLS 1.2 or 1.3. You can achieve this by upgrading to the latest Java or .NET environment (and, if you are running an older Microsoft Windows version, by applying the necessary service packs).

For further information, please consult the following articles:

