Supported SSL ciphers

To keep up with security trends and threats, growing privacy concerns, and emerging technologies, we continually assess and update our SSL infrastructure. These changes often involve removing the ability to connect using outdated SSL ciphers.

What ciphers do we support?

Now that we have completed our hosting service improvements, only the following SSL ciphers are permitted:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

To ensure no interruptions or disruptions in service, customers should support - at a minimum - an ECDSA and RSA pair. However, best practice would be to support all of the listed ciphers.

How do you make sure you're in compliance?

There are two primary areas of concern:

  • Java: If you are using a current, up-to-date version of Java to run the EPIC data sync tool and/or your Integration Agent applications, there should be no further action required. If you are running an older version, you may need to upgrade to the latest compatible JRE; instructions are available here.
  • REST requests: If you are using cURL (or PHP or another scripting language) to submit REST requests, make sure you update your cURL (or NSS libraries) to the latest version.

Of course, the best way to prepare for any kind of TLS or SSL change is to simply ensure that your applications and security protocols are kept up-to-date. 

Was this article helpful?
0 out of 0 found this helpful

Comments

1 comment

Please sign in to leave a comment.

  • It's come to our attention that not all of our customers implemented certificate processing in the way that we anticipated. To help (hopefully!) reduce confusion, we've clarified our wording and requirements around SSL ciphers in this article.

    0