Maintenance Notifications

Expand all | Collapse all

[Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

  • 1.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 06-11-2018 19:27

    Description:

     

    To maintain the highest security standards and promote the protection of your data, Zuora will disable support for Weak SSL Ciphers on Zuora endpoints. Disabling weak SSL Ciphers is one of many steps towards ensuring Zuora endpoints are protected against potential high risk vulnerabilities.

     

    When will these changes take effect?

     

    These changes will be rolled into both Sandbox and US Production environments on the following timeline :

    API Sandbox: Between July 5, 2018 and July 10

    US Production September 17, 2018  New date: Jan 9, 2019

     

    It may take several hours for the changes to propagate through Akamai's systems and converge, once the changes are applied.

     

    Which Zuora URLs, environments or services does this affect?

     

    On July 5, 2018:

    apisandbox.zuora.com, apisandbox-api.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com

     

    On September 17, 2018

    api.zuora.com, blog.zuora.com, de.zuora.com, fr.zuora.com, jp.zuora.com, live-www.zuora.com, rest.zuora.com, static.zuora.com, www.zuora.com, gateway.prod.auw2.zuora.com


    Which Ciphers are being removed?

    TLSv1.2 128 bits AES128-GCM-SHA256

    TLSv1.2 128 bits AES128-SHA256

    TLSv1.2 128 bits AES128-SHA

    TLSv1.2 256 bits AES256-GCM-SHA384

    TLSv1.2 256 bits AES256-SHA256

    TLSv1.2 256 bits AES256-SHA

    TLSv1.1 128 bits AES128-SHA

    TLSv1.1 256 bits AES256-SHA


    Do I need to take action?

     

    No action is required on the customer side. Zuora is removing support for SSL Ciphers from the selections within the TLS1.1 and TLS1.2 protocols. By removing ciphers from each TLS protocol suite, the negotiations that occur to build a secure session utilize the other ciphers automatically. These negotiations are automatic, and happen each time a new TLS session is created and are invisible to the applications that are requesting the TLS session.


    #Announcement


  • 2.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 06-11-2018 19:40

    Hi folks

     

    Dates have been modified to the following:

    API Sandbox on July 5, 2018 approximately 8:00 AM (Pacific time)

    US Production on TBD approximately 8:00 AM (Pacific time)

     

    We will announce US Production change with about 4 weeks notice (minimum) once the date is established and updated the dates will be posted on this thread.

    Thank you



  • 3.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 07-03-2018 19:44

    Hi folks

    We have made some modifications to our timeline and impacted endpoints for API Sandbox.  Changes are marked in red text.

     

    Thank you!



  • 4.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-16-2018 22:11

    Please note.  We have updated the production deployment date to September 17, 2018



  • 5.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-16-2018 22:35

    Scott,

    I just saw an alert that this change is getting deployed on August 17, 2018.

    I am seeing a different date here. Can you please confirm?

    We are facing handshake issues on our integrations due to this change (Support Ticket # 158825).

    Thanks,

    Vimal



  • 6.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-17-2018 12:21

    Hi @vkannan

     

    Appologies, the date was set in error and has been updated to reflect correctly as September 17, 2018.  Sorry for the confusion

     

    Scott



  • 7.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-17-2018 18:01

    Scott,

    Do you have the list of CIPHERS that are currently supported by Zuora?

    Thanks,

    Vimal



  • 8.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-21-2018 18:22

    For the latest ciphers please see the following report since API Sandobx presently has the latest supported ciphers:

    https://ssllabs.com/ssltest/analyze.html?d=apisandbox-api.zuora.com&latest

     

     



  • 9.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-27-2018 03:14

    Hi Scott,

     

    I can see that TLS_RSA_WITH_AES_256_GCM_SHA384 with TLS 1.2 is still available in the list of ciphers on the URL you gave us, but it is also said on this page that "TLSv1.2 256 bits AES256-GCM-SHA384" is going to be removed.

    Whichever it is going to be, could you confirm, and if it is going to be removed, give us the date it is going to be removed in the sandbox for us to start testing please?

     

    Thank you.



  • 10.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 08-29-2018 19:58

    Hi @scottb, is there any update on this?



  • 11.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 09-05-2018 13:45

    @ttsparkventures

    Appologies for the delay.   After some prior discussion with our Engineering teams, we have decided to keep TLS_RSA_WITH_AES_256_GCM_SHA384 cipher. Confirming it will NOT be removed and I have edited the original post to strikethrough



  • 12.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 09-17-2018 18:16

    Hi everyone

     

    The US Production cipher changes have been pushed back to Thursday September 20, 2018 - the original post above has been edited to reflect this change.  



  • 13.  [Informational] Zuora to disable Weak SSL Ciphers on Zuora endpoints

    Posted 12-07-2018 19:14

    Hi folks

     

    Apologies for the lack of updates on this thread.  The collective leadership here at Zuora made the call to delay this deployment due to scheduling issues and feedback from our cusotmers.  The the new date for production is Jan 9, 2019 which is reflected on the original post.  Sandbox deployment has already been completed.