Description:
To maintain the highest security standards and promote the protection of your data, Zuora will disable support for 3DES Ciphers on Zuora endpoints. Disabling weak TLS Ciphers is one of many steps towards ensuring Zuora endpoints are protected against potential high risk vulnerabilities.
When will these changes take effect?
These changes will be rolled into both Sandbox and Production environments on the following timeline
API Sandbox on 11 July 2017 approximately 8:00AM (Pacific time)
Production on 25 July 2017 approximately 8:00AM (Pacific time)
API Sandbox on 13 July 2017 approximately 8:00AM (Pacific time)
Production on 27 July 2017 approximately 8:00AM (Pacific time)
It may take several hours for the changes to propagate through Akamai's systems and converge, once the changes are applied.
Which Zuora URLs, environments or services does this affect?
The following domains will be changed:
On 13 July:
apisandbox.zuora.com, apisandbox-api.zuora.com, apisandboxstatic.zuora.com
pt1.zuora.com
pt1-api.zuora.com
pt1static.zuora.com
blog.zuora.com
de.zuora.com
fr.zuora.com
jp.zuora.com
apisandbox.zuora.com
apisandbox-api.zuora.com
apisandboxstatic.zuora.com
On 27 July:
api.zuora.com, blog.zuora.com, de.zuora.com, fr.zuora.com, jp.zuora.com, live-www.zuora.com, rest.zuora.com, static.zuora.com, www.zuora.com, gateway.prod.auw2.zuora.com
api.zuora.com
live-www.zuora.com
rest.zuora.com
static.zuora.com
www.zuora.com
gateway.prod.auw2.zuora.com
Do I need to take action?
No action is required on the customer side. Zuora is removing support for 3DES Ciphers from the selections within the TLS1.1 and TLS1.2 protocols. By removing a single cipher from each suite, the negotiations that occur when building a secure session has many other protocols to use. These negotiations are automatic, happen each time a new TLS session is created and invisible to the applications that are requesting the TLS session.
#Announcement