illion Open Data Solutions Releases

Release Notes for illion Open Data Solutions products.

TLS Upgrade for BankStatements and BankFeeds Services

As part of our ongoing commitment to monitoring and improving security, we are preparing to deprecate the use of TLS 1.0 and TLS 1.1 on all of our services, and to update the list of supported cipher suites.

We are planning to make these changes on June 1st, 2019. After this date, connections using TLS versions 1.0 and 1.1 will no longer be possible.

We are in the process of contacting a number of clients for whom we have been able to identify API requests made using TLS versions 1.0 or 1.1. However, we recommend that all clients using the API verify that they are able to support TLS 1.2.

How will this affect you and your clients?

If you are connecting to our API, then you will need to ensure that your systems and network libraries support making connections using TLS 1.2, and support compatible ciphers. This change will not have any impact on the connection between your clients and your services. If your clients are directly interacting with our website (including via an iframe or whitelabel), then they will only be able to connect if their browser supports TLS 1.2. All common browsers released in the last 5 years support this standard by default. (See https://caniuse.com/#feat=tls1-2)

How can I test that I will still be able to connect?

We have set up test environments for both BankStatements and BankFeeds services which only allow TLS 1.2 connections, matching the planned settings for the production change. These URLs are listed below. We recommend that you temporarily configure your test environments to connect to these domains, to confirm that they can connect.

  • BankStatement test domain: https://secure-test.bankstatements.com.au
  • BankFeeds test domain: https://secure-apitest.bankfeeds.com.au

There are also external services which may help in understanding issues with SSL/TLS. One such example is howsmyssl.com, which provides a free API that returns a JSON response detailing the TLS capabilities of the client.

What ciphers will be supported?

Together with this change, we will be making a slight adjustment to the list of supported ciphers. The supported ciphers are listed below. Cipher names are not always consistent between different libraries, so we recommend verifying that you can connect to the test domains mentioned above to ensure cipher compatibility.

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES128-SHA256
  • AES256-GCM-SHA384
  • AES256-SHA256
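
One way a Python client could run the connectivity test and the cipher check described above. This is an added example, not illion's code: the function names are hypothetical, and it assumes the cipher names above are OpenSSL names, which is what Python's ssl module accepts.

```python
import socket
import ssl

# Cipher names exactly as listed on this page (assumed to be OpenSSL naming).
PAGE_CIPHERS = [
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
    "AES128-GCM-SHA256", "AES128-SHA256",
    "AES256-GCM-SHA384", "AES256-SHA256",
]

def tls12_only_context(ciphers=PAGE_CIPHERS):
    """Client context pinned to TLS 1.2 and restricted to the given ciphers."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ciphers))  # raises ssl.SSLError if none are usable
    return ctx

def locally_supported(ciphers=PAGE_CIPHERS):
    """Split the list into ciphers this OpenSSL build can and cannot offer."""
    ok, missing = [], []
    for name in ciphers:
        try:
            tls12_only_context([name])
        except ssl.SSLError:
            missing.append(name)
        else:
            ok.append(name)
    return ok, missing

def probe(host, port=443, timeout=10):
    """Handshake with host using TLS 1.2 only; return (protocol, cipher name)."""
    ctx = tls12_only_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    ok, missing = locally_supported()
    print("usable locally:", ok, "not available:", missing)
    # Test domains taken from this page.
    for host in ("secure-test.bankstatements.com.au", "secure-apitest.bankfeeds.com.au"):
        try:
            print(host, probe(host))
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            print(host, "FAILED:", exc)
```

An empty "usable locally" list, or a handshake failure against the test domains, means the client's TLS library needs upgrading or reconfiguring before the cut-over date.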

What about TLS 1.3?

TLS version 1.3 is a relatively new standard, and is not yet supported by various parts of our infrastructure. We are monitoring this closely, and look forward to being able to enable TLS 1.3 support in the near future.

Please get in touch if you have any additional questions relating to this change.