
Avalara TLS 1.2 Adoption Closes Security Risks for Customers


Avalara will stop providing support for TLS versions 1.0 and 1.1. To ensure a seamless and secure experience, Avalara will support only TLS 1.2 moving forward. Read on for details regarding system vulnerabilities and important dates relating to the changes in support.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. TLS is the successor to the now deprecated Secure Sockets Layer (SSL) as a means of securing data exchanged between parties online.

Like all software in use today, TLS relies on regular updates to stay viable and to mitigate vulnerabilities in the face of nefarious actors. The most current version of the technology is TLS 1.2.

Disabling TLS 1.0 and TLS 1.1 is a prevalent industry approach, as documented in the NSA datasheet referenced below. TLS is a communication protocol that many technical specialists are familiar with, so the rationale behind Avalara disabling these versions should not come as a surprise to customers and should be expected.

For additional context please see the National Security Agency’s (NSA) Cybersecurity Information datasheet.

Avalara TLS 1.2 Service Changes

Effective 15 December 2021, Avalara will support only the secure Transport Layer Security (TLS) 1.2 connection in Sandbox accounts. All Avalara AvaTax for Communications SaaS REST and SOAP customers, Geo customers, and SaaS Standard customers must upgrade their Sandbox accounts from TLS 1.0 and TLS 1.1 to TLS 1.2 before 15 December 2021. Failing to upgrade will affect the access and connection to your Avalara account.

Effective 15 January 2022, Avalara will support only the secure Transport Layer Security (TLS) 1.2 connection in Production accounts. All Avalara AvaTax for Communications SaaS REST and SOAP customers, Geo customers, and SaaS Standard customers must upgrade their Production accounts from TLS 1.0 and TLS 1.1 to TLS 1.2 before 15 January 2022. Failing to upgrade will affect the access and connection to your Avalara account.

Important Dates for Avalara TLS 1.2 Cutover

As Avalara continues to improve our security protocols, we will no longer support TLS 1.0 and 1.1 in our REST v2 API as of March 30, 2022. Continued use of TLS 1.0 and 1.1 poses a security risk, and these protocols will no longer be supported.

Clients using these versions are expected to upgrade to support our new standards of TLS 1.2.

This deprecation will affect non-browser software, APIs, and other internet infrastructure, so partners and customers who are not yet using TLS 1.2 should plan accordingly.

This change will take effect in our REST v2 API on the following dates:

Sandbox: Feb 1, 2022

Production: March 30, 2022

What Do You Need to Do as an Avalara User?

Avalara’s connectors are equipped to auto-negotiate using TLS. You don’t need to change anything in your systems to use a TLS connector.

NOTE: Apple, Google, Microsoft, and Mozilla will disable Transport Layer Security (TLS) 1.0 and 1.1 support in their respective browsers in the first half of 2020.

    • The primary AvaTax endpoint supports TLS 1.2, 1.1, and 1.0 (1.1 and 1.0 until deprecation in the first half of 2020).
    • If your connector supports TLS 1.2, it should be able to negotiate the security protocol without any issues. Please use TLS 1.2 as your default.

What happens on March 31, 2022?

Avalara will discontinue support for Transport Layer Security (TLS) versions 1.0 and 1.1 on our Production RESTv2 API endpoint on 3/31/2022.

What about the older SOAP and RESTv1 API endpoints?

Avalara will continue to support TLS 1.0 and 1.1 in SOAP and REST v1 endpoints until 12/31/22. It is strongly recommended that partners still using these legacy APIs refactor to Avalara’s REST v2 API as soon as possible. To assist with this transition, Avalara has published a Refactor Guide to provide details on moving existing supported software to Avalara’s RESTv2 API.

The general customer communication was sent out on 1/6/22, and the information is posted here.

If you have any questions or concerns regarding this update, please submit a Partner Support Case using the following process:

  • If you have access to an AvaTax account, please follow these instructions. Enter “Partner support” and a description of the Subject.
  • Don’t have access to an AvaTax account? Submit a case here. Include ‘Partner support’ in the ‘What issue are you experiencing?’ field. (Important: Leave the field “Which product are you using” as “None.”)

Avalara has identified the most at-risk partner integrations running on legacy SOAP APIs and SDKs and will be reaching out to impacted partners with specific recommendations to get these integrations TLS 1.2-compliant.

In support of the technical specialists receiving this correspondence please see the table below, which provides SDK-specific details.

Fields listed for each SDK: SDK Language / Framework; Minimum Client Version for TLS 1.2 Support; Notes; Current SDK TLS 1.2 Status.

C# .NET

    • Preferred .NET framework >= 4.7 (TLS 1.2 is default). Supported in 4.6.2, 4.6.1, and 4.5 with service updates, but 1.1 is the default.
    • Preferred .NET standard version > 2.0 (TLS 1.2 is the default). Supported in .NET standard version 1.6 and 2.0 (TLS 1.1 is the default).
    • Preferred .NET framework >= 4.7 / .NET Core >= 2.1 (with default TLS 1.2). For other .NET versions, registry changes (/ Windows update) are required to support TLS 1.2: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
    • Status: SUPPORTED

Java / Scala / JRE

    • Java 8 is recommended. Java 7 must explicitly enable TLS 1.2. Java 6 supports TLS 1.2 in versions 6u115 b32 and above.
    • Scala 2.13.4 is recommended. 2.12.12 is acceptable. These versions are only compatible with Java 8+.
    • Java 8 is recommended (with default TLS 1.2). Recommended Instructions to enable TLS 1.2 in Java 7 and Java 6.
    • Status: SUPPORTED

JavaScript

    • Node12 recommended. It supports OpenSSL 1.1.1, which supports TLS 1.2.
    • Node12 also supports TLS 1.3 and will be maintained until 2022.
    • Node12 and above recommended (EOL 04/2022).
    • Status: SUPPORTED

Python

    • Behavior for Python 2.7 and 3.x is platform-dependent since calls are made to the operating system socket APIs. Both Python versions default to the highest available TLS versions. The installed version of OpenSSL may also cause variations in behavior. For example, TLSv1.1 and TLSv1.2 come with OpenSSL version 1.0.1. Recommended v3.6+, minimum 2.7.
    • The Python community has rejected <TLS 1.2 for several years. Developers must update to TLS 1.2+ compatible versions to download/update Python packages from PyPI. It’s possible to enforce TLS 1.2+ connections by modifying the requests package.
    • Recommended v3.6+. Recommended OpenSSL version 1.0.1 or higher.
    • Status: SUPPORTED

PHP

    • Depends on curl & OpenSSL (v1.0.1) version of the system. OpenSSL v1.0.1 and above support TLS 1.2.
    • Recommended PHP 5.6+. It uses CURL for making API calls and supports CURL version 7.34.0, which has default support for TLS 1.2. PHP 5.5.19 appears to be the min version. PHP 5.7 defaults to TLS 1.3.
    • Recommended PHP 5.6+. Recommended OpenSSL version 1.0.1 or higher. Recommended cURL version 7.34.0 or higher.
    • Status: SUPPORTED

Ruby

    • Depends on curl & OpenSSL (v1.0.1) version of the system. OpenSSL v1.0.1 and above support TLS 1.2.
    • Ruby 2+, ensure the version of OpenSSL is 1.0.2 or greater, which supports TLS 1.2. The Ruby version is not strictly enforced currently.
    • Recommended Ruby 2+. Recommended OpenSSL version 1.0.1 or higher. Recommended cURL version 7.34.0 or higher.
    • Status: SUPPORTED
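A client-side readiness check for the Python entry above, added here as an example; it is not Avalara's or any SDK's code. It uses the standard-library ssl module rather than the requests package, and the host passed to negotiated_version is whatever endpoint the caller chooses (no endpoint name is assumed).

```python
import socket
import ssl

# Floor stated on this page: OpenSSL 1.0.1 is the first release with TLS 1.1/1.2.
MIN_OPENSSL = (1, 0, 1)


def openssl_supports_tls12(version_info):
    """True if an OpenSSL (major, minor, fix, ...) tuple meets the 1.0.1 floor."""
    return tuple(version_info[:3]) >= MIN_OPENSSL


def tls12_only_context():
    """Client context that verifies certificates and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def runtime_report():
    """Summarise what this interpreter's TLS stack can do before the cutover."""
    ctx = tls12_only_context()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_ok": openssl_supports_tls12(ssl.OPENSSL_VERSION_INFO),
        "has_tls12": ssl.HAS_TLSv1_2,
        "floor": ctx.minimum_version.name,
    }


def negotiated_version(host, port=443, timeout=5.0):
    """Connect to host and return the agreed protocol, e.g. 'TLSv1.2'.

    Raises ssl.SSLError if the two sides cannot agree on TLS 1.2 or newer.
    `host` is supplied by the caller; no endpoint name is assumed here.
    """
    ctx = tls12_only_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    # Offline part only: report the local runtime's capabilities.
    for key, value in runtime_report().items():
        print(f"{key}: {value}")
```

Run the report on each host that calls the API; a False for openssl_ok or has_tls12 means that client will fail to connect once TLS 1.0 and 1.1 are switched off.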

As a certified Avalara integration partner, Encompass can help you manage the maintenance of your Avalara solution and unique business processes. For more information on our partner Avalara and Encompass support services, reach out using the contact us button below.


Sean Balogh
