
Security changes for the HTG MSA interface - UPDATE

Dutch Customs is continuously working on keeping the Trade & Transport Gateway (HTG) secure. This usually happens “behind the scenes”, invisible to HTG users. In the near future, changes will be made to the security of the MSA interface that may have an impact on users. At the time of publication, the following changes are planned.

1. Other cryptographic algorithms for TLS 1.2

When connecting with TLS 1.2 (Transport Layer Security version 1.2), HTG supports a number of different cryptographic algorithms (cipher suites). This list of supported algorithms will be adjusted in the near future. Algorithms that the Dutch National Cyber Security Centre (NCSC) no longer considers sufficiently secure will be removed, and a number of secure algorithms will be added.

Disabling algorithms that the NCSC advises to no longer use, and enabling additional secure algorithms

This change will take place on April 8th 2025 in the BTO/pre-production environment and on May 20th 2025 in production.

To be disabled:

TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CCM
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256

After enabling some additional algorithms, the HTG MSA channel for TLS 1.2 will support the following algorithms:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_DHE_RSA_WITH_AES_256_CCM
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_CCM
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

A sample survey conducted in early March 2025 did not identify any MSA accounts that could potentially be affected by the disabling of algorithms. This does not provide 100% certainty, because not all issued MSA accounts connected to HTG during the sample period, so it cannot be ruled out that some MSA account still depends on an algorithm that will be disabled. Software testing remains necessary.

2. Disable TLS 1.2, use only TLS 1.3

In 2022, Transport Layer Security (TLS) version 1.3 was activated in addition to version 1.2, which has been in use since the start of HTG. The intention at the time was also to disable the use of version 1.2 in mid-2022. Based on signals from the market, Dutch Customs then decided not to disable TLS 1.2, because several important platforms did not yet support TLS 1.3.

In the meantime, 2.5 years have passed. Securing message traffic is more important than ever. Work is being done on the development of quantum computers. A sufficiently powerful quantum computer will be able to “crack” the current security. Dutch Customs is preparing for this. New, quantum-safe algorithms are needed to avert this threat. These new algorithms will (most likely) no longer be available in TLS 1.2, but only in TLS 1.3.

For this reason, Dutch Customs, in consultation with the other government organizations that use HTG, has decided to disable the use of TLS 1.2 in production on January 12th, 2026. Prior to this, TLS 1.2 will be disabled in the company test environment (BTO, pre-production) on October 1st, 2025. This gives software developers time to determine whether their software can handle TLS 1.3 well.

By the way, 60% of MSA accounts already use TLS 1.3 (reference date August 2024). For these parties, disabling TLS 1.2 will therefore have no effect.

Of the MSA accounts seen during the sample, 60% already use TLS 1.3 (reference date early March 2025). For these parties, disabling TLS 1.2 will therefore have no effect. The remaining 40% of declarants must take action in order to be able to connect via TLS 1.3 from January 12th 2026.

Advice

The advice to software developers is to exchange test messages regularly, for example monthly, in the BTO/pre-production environment. Any problems in the software caused by the adjusted set of supported algorithms, or by the switch to TLS 1.3, will then come to light in time.
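As an added illustration of the two checks above (the cipher suite change in section 1 and the TLS 1.3 requirement in section 2), the following Python helper is not code from Dutch Customs or the HTG project. It assumes a developer can list their client's configured TLS 1.2 suites by their IANA names; the lists themselves are copied from this announcement, and the sample client list is constructed.

```python
import ssl

# Suites HTG removes from the TLS 1.2 MSA channel (list taken from the announcement).
HTG_TLS12_DISABLED = frozenset({
    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_CCM",
    "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CCM",
    "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",
})

# Suites HTG keeps offering on TLS 1.2 after the change (same source).
HTG_TLS12_SUPPORTED = frozenset({
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256", "TLS_DHE_RSA_WITH_AES_256_CCM",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CCM",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
})

def audit_tls12_client(client_suites):
    """Compare a client's configured TLS 1.2 suites (IANA names) with the HTG lists.

    Returns which configured suites HTG is removing, which still overlap with what
    HTG will offer, and whether a TLS 1.2 handshake can still succeed at all.
    """
    offered = [s.strip().upper() for s in client_suites]
    removed = [s for s in offered if s in HTG_TLS12_DISABLED]
    overlap = [s for s in offered if s in HTG_TLS12_SUPPORTED]
    return {"removed": removed, "overlap": overlap, "ok": bool(overlap)}

def tls13_ready(ctx=None):
    """True when this Python/OpenSSL build and the given SSLContext allow TLS 1.3.

    This is only the local half of the check; the remote half is a test handshake
    against the BTO/pre-production environment, which this function does not do.
    """
    if not ssl.HAS_TLSv1_3:          # OpenSSL without TLS 1.3 support at all
        return False
    ctx = ctx or ssl.create_default_context()
    allowed_max = (ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3)
    return ctx.maximum_version in allowed_max and not (ctx.options & ssl.OP_NO_TLSv1_3)

# Constructed sample: a client still pinned to two static-RSA suites and one ECDHE suite.
SAMPLE_CLIENT = ["TLS_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_256_GCM_SHA384",
                 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
```

For the sample client the audit reports the two static-RSA suites as removed but still finds one overlapping ECDHE suite, so TLS 1.2 keeps working until its own shutdown date; a client with only removed suites gets `ok: False` and must be reconfigured before the cipher change.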
