What is this change?
At Zuora, our customers' trust is our #1 value, and we take the protection of our customers' data very seriously. To maintain the highest security standards and promote the protection of your data, we occasionally need to make security improvements and deprecate older encryption protocols and cipher suites. To maintain alignment with industry standard best practices, Zuora will disable select cipher suites for all inbound connections to Zuora using our APIs and Zuora UI.
What are we doing?
Removing support for older cipher suites from Zuora API and UI endpoints.
What will this change affect?
This change will affect all incoming web browser based traffic as well as API traffic to both API Sandbox and Production.
What cipher suites are being removed?
What cipher suites will be supported following the change?
ECDHE
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
When will this change take place?
We will take a phased approach to allow customers ample time to test and ensure your preparation.
Phase 1 - Zuora Billing API Sandbox and all NON production Zuora Billing environments
On Saturday, November 5, 2022 from 4 PM PDT - 6 PM PDT, we will remove the ciphers listed.
Phase 2 - Zuora Billing - All Production environments
On Saturday, February 18, 2023 from 4 PM PST - 6 PM PST, we will remove the ciphers listed as aligned with our 2023 Q1 maintenance window.
Cancelled - please review reply in thread below
Will there be downtime associated with this change?
For customers whose integrations and systems already use the supported ciphers, there will be no downtime associated with this change.
What do I need to do?
Please work with your local IT, Security, Development team, or whoever supports and maintains your API integration to Zuora to validate that your APIs can successfully negotiate API and UI connections using only the supported cipher suites. Most modern API platforms and browsers already support these latest ciphers; however, each customer needs to validate and verify accordingly.
What happens if I take no action?
Failure to make any necessary changes before the above dates may result in a potential disruption of Zuora services for your integrations. Customers are advised to perform the necessary validations and changes to ensure support for the ciphers listed. If you have made the necessary changes, or confirm your integration supports the listed ciphers, then no further action is required on your part.
How can I test my integration's readiness for this change?
Apart from verifying cipher support with your local technology teams, you may test directly using API Sandbox and Central Sandbox endpoints after the change is deployed on November 5, 2022.
Zuora Global Support is readily available to answer any additional questions you may have.
Please contact Zuora Billing Support at firstname.lastname@example.org, or through our Customer Support Portal.
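One way to run the validation described under "What do I need to do?" and "How can I test my integration's readiness for this change?", as an added example that is not Zuora's code: a Python client that offers only the four listed suites and reports what it can negotiate. The function names and the TLS 1.2 pin are assumptions of this example; the host in the usage lines is one of the sandbox endpoints named on this page.

```python
import socket
import ssl

# The four suites the announcement lists as supported (OpenSSL names).
SUPPORTED = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
)


def locally_available(suites=SUPPORTED):
    """Return the suites from `suites` that this Python/OpenSSL build can offer."""
    available = []
    for name in suites:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ciphers(name)  # raises if OpenSSL knows no such suite
        except ssl.SSLError:
            continue
        if any(c["name"] == name for c in ctx.get_ciphers()):
            available.append(name)
    return available


def restricted_context(suites=SUPPORTED):
    """Certificate-verifying client context that offers only `suites`."""
    ctx = ssl.create_default_context()
    # Assumption: pin to TLS 1.2, because set_ciphers() does not control
    # TLS 1.3 suites and the listed names are TLS 1.2 suites.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(suites))
    return ctx


def negotiate(host, port=443, timeout=10):
    """Handshake offering only SUPPORTED; return the chosen suite (SSLError if none)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with restricted_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.cipher()[0]


if __name__ == "__main__":
    print("offered by this client:", locally_available())
    # Needs network access; host is one of the sandbox endpoints named on the page.
    print("negotiated:", negotiate("rest.apisandbox.zuora.com"))
```

An empty result from `locally_available()` means the client's TLS library is the blocker; an `ssl.SSLError` from `negotiate()` means the two sides share none of the listed suites.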
Adding additional reference since the ciphers listed above were mixed between OpenSSL name and RFC name
Based on feedback from our customers, we elected to roll back our cipher changes in API Sandbox and will be canceling any further changes related to this thread until further notice. The current supported SSL ciphers in API Sandbox and Central Sandbox environments are as follows:
API Sandbox, NA1 (rest.sandbox.na.zuora.com) and EU (rest.sandbox.eu.zuora.com)
EU and US Central Sandbox (rest.test.eu.zuora.com and rest.test.zuora.com)
Equivalent RFC name
API Sandbox, NA2 (rest.apisandbox.zuora.com, apisandbox.zuora.com)
Customers who have already upgraded their cipher suites do not need to make any changes. We will revisit our cipher selections in early 2023 and will announce changes (if any) with appropriate advance notice.