Inbound traffic refers to connections made from a client to our servers. We will stop supporting unencrypted connections to our APIs -- that is, requests that use "http:" rather than "https:".
Once we've made this change, customer and partner applications will fail on attempts to establish unencrypted connections.
The error will be specific to the application but could be reported as a network connection error.
To correct this, customers must change their applications to specify "https:" URLs. Their clients must also support TLSv1.2. (As of April 9, that is the only version of SSL/TLS that our servers accept.)
Outbound traffic refers to connections made from our servers back to customer-specified servers. There are two categories:
• Upload callbacks for document uploads (described here for our REST API, but also applies to the legacy SOAP API)
• Status callbacks to notify the customer of a change in agreement status (described here for our REST API, but also applies to the legacy SOAP API)
For both categories of callbacks, we will stop supporting:
a. Unencrypted connections (using "http:" rather than "https:" URLs)
b. Connections to servers that do not support TLSv1.2 (in other words, TLSv1.0 and TLSv1.1 will no longer be supported)
c. Connections to servers that have invalid certificates. This includes certificates that are self-signed or expired, as well as cases in which a URL uses an IP address rather than a hostname.
• Upload callback: The upload should return an API error.
• Status callbacks:
To correct this:
• In partner/customer Sign applications, the URLs specified for callbacks must use "https:" rather than "http:". The URLs must also use a hostname rather than an IP address.
• The servers referenced by these URLs must support TLSv1.2 and have valid certificates.
We are generating reports to identify customers whose existing inbound or outbound traffic is insecure. Those customers will be notified directly.
Customers who wish to test that their server is compliant can use a variety of free or commercial tools, including the Qualys SSL Labs Server Test, to ensure that their server accepts TLSv1.2 and has a valid certificate.
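A local pre-check for the callback requirements listed above (https scheme, hostname rather than IP address, TLSv1.2, valid certificate), added here as an example and not part of the original page or the vendor's tooling. The function names `url_problems`, `strict_context` and `check_callback` are hypothetical, and the sample URL is constructed.

```python
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit


def url_problems(url):
    """Return the callback-URL rules from this page that `url` violates."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme.lower() != "https":
        problems.append("scheme is not https")
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        problems.append("host is an IP address, not a hostname")
    except ValueError:  # not an IP literal
        if not host:
            problems.append("no hostname")
    return problems


def strict_context():
    """Client context pinned to TLS 1.2, with chain and hostname checks on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_callback(url, timeout=10):
    """Return a list of problems; an empty list means the endpoint passed."""
    problems = url_problems(url)
    if problems:
        return problems  # no point connecting to a URL that is already invalid
    parts = urlsplit(url)
    try:
        with socket.create_connection((parts.hostname, parts.port or 443), timeout) as s:
            with strict_context().wrap_socket(s, server_hostname=parts.hostname):
                return []
    except ssl.SSLCertVerificationError as exc:  # self-signed, expired, wrong name
        return ["invalid certificate: " + exc.verify_message]
    except ssl.SSLError as exc:  # e.g. server offers only TLSv1.0 or TLSv1.1
        return ["TLS 1.2 handshake failed: " + str(exc)]
    except OSError as exc:
        return ["connection failed: " + str(exc)]


if __name__ == "__main__":  # constructed sample URL (documentation IP range)
    print(url_problems("http://192.0.2.10/status"))
```

Call `check_callback()` with your own callback URL from a machine outside your network, so the result reflects what an external server would see.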
For status callbacks, in addition to supporting TLS 1.2, the customer's server must support one of the cipher suites below: