Maintenance Notifications

 View Only
  Thread closed by the administrator, not accepting new replies.
  • 1.  Cipher removal: Q4 2022 (SBX/CSBX), Q1 2023 (PROD) - CANCELLED

    Posted 09-30-2022 08:54
    Edited by Scott Blashek 11-30-2022 09:23
    No replies, thread closed.

    What is this change?  

    At Zuora, our customers trust is our #1 value, and we take the protection of our customers' data very seriously. To maintain the highest security standards and promote the protection of your data, we occasionally need to make security improvements and deprecate older encryption protocols and cipher suits.  To maintain alignment with industry standard best practices, Zuora will disable select cipher suites for all inbound connections to Zuora using our APIs and Zuora UI


    What are we doing?
    Removing support for older cipher suites from Zuora API and UI endpoints
     

    What will this change affect? 

    This change will affect all incoming web browser based traffic as well as API traffic to both API Sandbox and Production. 

     
    What cipher suites are being removed?

    CBC
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_RSA_WITH_AES_128_CBC_SHA256
    TLS_RSA_WITH_AES_256_CBC_SHA256
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    3DES
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    What ciphers suites will be supported following the change?

    ECDHE
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384

    When will this change take place? 

    We will take a phased approach to allow customers ample time to test and ensure your preparation.

    Phase 1 - Zuora Billing API Sandbox and all NON production Zuora Billing environments

    On Saturday November 5, 2022 from 4 PM PDT - 6 PM PDT, we will remove the ciphers listed 


    Phase 2 - Zuora Billing - All Production environments

    On Saturday February 18 2023 from 4 PM PST - 6 PM PST, we will remove the ciphers listed as aligned with our 2023 Q1 maintenance window 

     Cancelled - please review reply in thread below

    Will there be downtime associated with this change?  
    For customers whose integrations and systems already use the supported ciphers, there will be no downtime associated with this change.

    What do I need to do? 

    Please work with your local IT, Security, Development team, or whomever supports and maintains your API integration to Zuora to validate your APIs can successfully negotiate API and UI connection using only the supported cipher suites.  Most modern API platforms and browsers already support these latest ciphers, however each customer needs to validate and verify accordingly.  

    What happens if I take no action? 

    Failure to make any necessary changes before the above dates may result in a potential disruption of Zuora services for your integrations.

    Customers are advised to perform the necessary validations and changes to ensure support for the ciphers listed.   If you have made the necessary changes, or confirm your integration supports the listed ciphers, then no further action is required on your part.

    How can I test my integration's readiness for this change? 

    Apart from verifying cipher support with your local technology teams, you may test directly using API Sandbox and Central Sandbox endpoints after the change is deployed on November 5, 2022


    Zuora Global Support is readily available to answer any additional questions you may have.   

    Please contact Zuora Billing Support at support@zuora.com, or by our Customer Support Portal  



  • 2.  RE: Cipher removal: Q4 2022 (SBX/CSBX), Q1 2023 (PROD) - CANCELLED

    Posted 10-26-2022 10:37
    Edited by Scott Blashek 11-30-2022 10:26
    No replies, thread closed.

    Adding additional reference since the ciphers listed above were mixed between OpenSSL name and RFC name

    Supported Ciphers
    OpenSSL/AWS name Equivalent RFC name
    ECDHE-ECDSA-AES128-GCM-SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    ECDHE-RSA-AES128-GCM-SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    ECDHE-RSA-AES256-GCM-SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    Ciphers to be removed (deprecating)
    OpenSSL/AWS name Equivalent RFC name
    ECDHE-RSA-AES128-SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    ECDHE-RSA-AES256-SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    AES128-SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256
    AES256-SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256
    AES128-SHA TLS_RSA_WITH_AES_128_CBC_SHA
    AES256-SHA TLS_RSA_WITH_AES_256_CBC_SHA
    ECDHE-RSA-AES256-SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    ECDHE-RSA-AES128-SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    DES-CBC3-SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA







  • 3.  RE: Cipher removal: Q4 2022 (SBX/CSBX), Q1 2023 (PROD) - CANCELLED

    Posted 11-30-2022 09:00
    Edited by Scott Blashek 11-30-2022 10:26
    No replies, thread closed.

    Based on feedback from our customers, we elected to roll back our cipher changes in API Sandbox and will be canceling any further changes related to this thread until further notice.  The current supported SSL ciphers in API Sandbox and Central Sandbox environments are as follows:

    API Sandbox, NA1 (rest.sandbox.na.zuora.com) and EU (rest.sandbox.eu.zuora.com)
    EU and US Central Sandbox (rest.test.eu.zuora.com and rest.test.zuora.com)

    OpenSSL/AWS name

    Equivalent RFC name

    ECDHE-RSA-AES128-GCM-SHA256

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    ECDHE-RSA-AES128-SHA256

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    ECDHE-RSA-AES128-SHA

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

    ECDHE-RSA-AES256-GCM-SHA384

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    ECDHE-RSA-AES256-SHA384

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    ECDHE-RSA-AES256-SHA

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

    AES128-GCM-SHA256

    TLS_RSA_WITH_AES_128_GCM_SHA256

    AES128-SHA256

    TLS_RSA_WITH_AES_128_CBC_SHA256

    AES128-SHA

    TLS_RSA_WITH_AES_128_CBC_SHA

    AES256-GCM-SHA384

    TLS_RSA_WITH_AES_256_GCM_SHA384

    AES256-SHA256

    TLS_RSA_WITH_AES_256_CBC_SHA256

    AES256-SHA

    TLS_RSA_WITH_AES_256_CBC_SHA



    API Sandbox, NA2 (rest.apisandbox.zuora.com, apisandbox.zuora.com)


    OpenSSL/AWS name

    Equivalent RFC name

    TLS_AES_128_GCM_SHA256

    TLS_AES_128_GCM_SHA256

    TLS_AES_256_GCM_SHA384

    TLS_AES_256_GCM_SHA384

    TLS_CHACHA20_POLY1305_SHA256

    TLS_CHACHA20_POLY1305_SHA256

    ECDHE-RSA-AES128-GCM-SHA256

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    ECDHE-RSA-AES128-SHA256

    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

    ECDHE-RSA-AES256-GCM-SHA384

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    ECDHE-RSA-CHACHA20-POLY1305

    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

    ECDHE-RSA-AES256-SHA384

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    AES128-GCM-SHA256

    TLS_RSA_WITH_AES_128_GCM_SHA256

    AES256-GCM-SHA384

    TLS_RSA_WITH_AES_256_GCM_SHA384

    AES128-SHA256

    TLS_RSA_WITH_AES_128_CBC_SHA256



    Customers who have already upgraded their cipher suites do not need to make any changes.  We will revisit our cipher selections in Early 2023 and will announce changes (if any) with appropriate advanced notice