Description:
To maintain the highest security standards and promote the protection of your data, Zuora will disable support for weak SSL ciphers on Zuora endpoints. Disabling weak SSL ciphers is one of many steps towards ensuring Zuora endpoints are protected against potential high-risk vulnerabilities.
When will these changes take effect?
These changes will be rolled out to both Sandbox and US Production environments on the following timeline:
API Sandbox: Between July 5, 2018 and July 10
US Production: September 17, 2018 (New date: Jan 9, 2019)
Once the changes are applied, it may take several hours for them to propagate through Akamai's systems and converge.
Which Zuora URLs, environments or services does this affect?
On July 5, 2018:
apisandbox.zuora.com, apisandbox-api.zuora.com, apisandboxstatic.zuora.com, rest.apisandbox.zuora.com
On September 17, 2018:
api.zuora.com, blog.zuora.com, de.zuora.com, fr.zuora.com, jp.zuora.com, live-www.zuora.com, rest.zuora.com, static.zuora.com, www.zuora.com, gateway.prod.auw2.zuora.com
Which Ciphers are being removed?
TLSv1.2 128 bits AES128-GCM-SHA256
TLSv1.2 128 bits AES128-SHA256
TLSv1.2 128 bits AES128-SHA
TLSv1.2 256 bits AES256-GCM-SHA384
TLSv1.2 256 bits AES256-SHA256
TLSv1.2 256 bits AES256-SHA
TLSv1.1 128 bits AES128-SHA
TLSv1.1 256 bits AES256-SHA
Do I need to take action?
No action is required on the customer side. Zuora is removing the ciphers listed above from the set it supports under the TLS 1.1 and TLS 1.2 protocols. With those ciphers removed, the negotiation that builds a secure session automatically uses one of the other ciphers. This negotiation happens each time a new TLS session is created and is invisible to the application requesting the TLS session.
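The automatic fallback described above depends on the client offering at least one suite that is not on the removal list. The following is an added example, not Zuora's code, that checks a client's offer against that list; the function names and the two sample offers are constructed for illustration, and TLS 1.3 suites are deliberately not counted as a fallback.

```python
import ssl

# OpenSSL names of the suites the page lists for removal (the TLSv1.1 rows
# repeat AES128-SHA and AES256-SHA, so there are six distinct names).
REMOVED = frozenset({
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
})

def offered_suites(ctx):
    """Return (name, protocol) for every suite an SSLContext will offer."""
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]

def split_offer(suites):
    """Partition an offer into suites being removed and suites that remain.

    Assumption: TLS 1.3 suites are skipped, because the page only covers
    TLS 1.1 and TLS 1.2, so they are not counted as a fallback here.
    """
    removed, remaining = [], []
    for name, protocol in suites:
        if protocol == "TLSv1.3":
            continue
        (removed if name in REMOVED else remaining).append(name)
    return removed, remaining

def still_negotiates(suites):
    """True if at least one offered TLS 1.1/1.2 suite is not on the list."""
    return bool(split_offer(suites)[1])

# Constructed sample: a client pinned to suites from the removal list only.
PINNED = [("AES128-SHA", "SSLv3"), ("AES256-SHA256", "TLSv1.2")]
# Constructed sample: the same client with one ECDHE suite added.
MIXED = PINNED + [("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2"),
                  ("TLS_AES_128_GCM_SHA256", "TLSv1.3")]

if __name__ == "__main__":
    for label, offer in (("pinned", PINNED), ("mixed", MIXED),
                         ("this interpreter's default context",
                          offered_suites(ssl.create_default_context()))):
        removed, remaining = split_offer(offer)
        print(f"{label}: {len(removed)} removed, {len(remaining)} remaining, "
              f"negotiates={still_negotiates(offer)}")
```

To check a real integration, pass `offered_suites()` the `SSLContext` the application actually builds, including any custom `set_ciphers()` string.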