Updating to use TLS 1.2 on connection to Clever API

Better Data Transport Security

Starting August 16th 2021, the Clever API requires calling code and programs to use TLS 1.2 (Transport Layer Security). Code and packages using TLS 1.0 or 1.1 can no longer make requests to api.clever.com.

By moving away from outdated and insecure TLS 1.0 and 1.1 protocols, which have known weaknesses, Clever wants to make sure that our users’ data is transported with better security via our API endpoints. This migration elevates the security posture of Clever and our application partners, and ultimately helps ensure private data of millions of teachers and students who rely on Clever are well protected.

Below are tips and tools to use when migrating to TLS 1.2 with major tech stacks.

Java

If your application runs on Java 1.7 or Java 1.6 (update 111 or later), you can set the https.protocols system property when starting the JVM to enable additional protocols for connections made using the HttpsURLConnection class – for example, by setting

Dhttps.protocols=TLSv1.2

If your application runs on Java 1.6 prior to update 111, or earlier, TLS 1.1 and 1.2 are not supported. Therefore, you need to update the version of Java your application runs on.

If you use another library for connections such as Apache HttpClient, see the Apache-HttpClient section below.

Apache-HttpClient

Please leverage SSLConnectionSocketFactory to set the TLS version on your connections. See this helpful guide for details.

SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
  SSLContexts.createDefault(),
  new String[] { "TLSv1.2" },
  null,
  SSLConnectionSocketFactory.getDefaultHostnameVerifier());
CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();

Jakarta Commons-HttpClient

This package has reached its end of life. Please upgrade to use Apache-HTTPClient and follow the guide above to make sure you use TLS 1.2

.NET

Built-In Client

If you are using a builtin .NET client to make requests to Clever’s API, please see this detailed guide on how to upgrade to TLS 1.2 across various versions of .NET framework.

RestSharp

If you are using RestSharp to communicate with Clever, you will need to add the following line above the first request you make to Clever. See the issue here for relevant discussion.

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Python

urllib3

If you are using the Urllib3 package with python 3.6, please use pyOpenSSL package to make sure you can upgrade to TLS 1.2.

python3 -m pip3 install pyOpenSSL

In certain cases, you might have to opt into using pyOpenSSL by the following:

import urllib3.contrib.pyopenssl
urllib3.contrib.pyopenssl.inject_into_urllib3()

libcurl

If you are using Ubuntu, you will need to take package updates. You can do this by running the following:

sudo apt-get update && sudo apt-get install --only-upgrade openssl

You may also need to update your libssl. You can update this by running:

sudo apt-get update && sudo apt-get install --only-upgrade libssl-dev

If you are using RedHat Enterprise Linux, or CentOS:

sudo yum update openssl libcurl

Go

If you are using a newer version of go ( Go 1.13 or above), Go already supports TLS 1.2 by default, so you will not need to make any changes.

When using older version of Go, make sure to set your TLS Client Configuration’s MinVersion to explicitly use TLS 1.2.

TLSClientConfig: &tls.Config{
        MinVersion: tls.VersionTLS12,
    }

If you are using the fasthttp library, please follow the instructions in this issue to properly create a TLS configuration.