Post

2 followers Follow
1
Avatar

HTTPS security protocols

Hello, you've changed something on your API (last Friday 18 January 2019).

I have a PHP based system (http://www.floodalleviation.uk) that grabs data from your API as JSON every 15 minutes and stores it in a mysql database. That data is then used to drive the graphs visible on http://www.floodalleviation.uk/dashboard.php

Your API pages used all to be HTTP (in fact all your own documentation says that they are HTTP). But now the HTTP redirects to an equivalent HTTPS page. All well and good if you are using a browser to view the page. Here's an example:
https://environment.data.gov.uk/flood-monitoring/id/measures/265038TP-rainfall-tipping_bucket_raingauge-t-15_min-mm/readings?startdate=2019-01-18&enddate=2019-01-20

However, the security certificate on your HTTPS server is configured only to handle TLS1.2 and TLS1.1 security protocols (as https://www.ssllabs.com/ssltest/analyze.html?d=environment.data.gov.uk reveals when you look at the protocols section).

That's not enough protocols, and is a sign that you've not setup your server for wide enough use. As I use PHP code, I can interact with HTTPS servers that use ssl, sslv3, sslv2, tls1.0 (but NOT TLS1.2 and TLS1.1).

Please could you enable TLS1.0 now that you are redirecting to the HTTPS servers. Note for comparison that the HTTPS servers that serve the Google Maps API use TLS1.0 (as https://www.ssllabs.com/ssltest/analyze.html?d=maps.googleapis.com&s=216.58.194.202&latest shows) as does https://www.tax.service.gov.uk

Piers Allison //

Official comment

Avatar

Hello Piers, 

Thank you for your post, we are aware of this issue and actively working on this to find a solution. 

Apologies for any inconvenience this may have caused. 

Ella Fotheringham

Environment Agency 

Ella Fotheringham //
Comment actions Permalink

Please sign in to leave a comment.

4 comments

0
Avatar

Hi Piers, 

We have now fixed this issue, please do let us know if you still have problems accessing this data. 

Many thanks

Ella Fotheringham 

Ella Fotheringham 0 votes //
Comment actions Permalink
0
Avatar

Hi Ella,

Thanks for letting me know. In the meantime, I've updated the PHP version at our end to cater for TLSv1.2.

In future if there's going to be a change to your API (if an intentional change), please put out an announcement.

Thanks,

Piers

Piers Allison 0 votes //
Comment actions Permalink
0
Avatar

Hi Piers, 

Thank you for your response.  I can confirm announcements will be posted to advise our customer of any scheduled downtime/changes that may impact our services.

If you would  like to receive an email notification of these announcements please "follow" the announcements section. 

https://support.environment.data.gov.uk/hc/en-gb/articles/360013165532-How-do-I-follow-a-post-or-article-

Many thanks 

Ella 

Ella Fotheringham 0 votes //
Comment actions Permalink