Breaking changes planned - Disabling weak cipher suites
At Blackbaud, as the cloud software partner to many leading social good organizations, security is our priority and as such, we have world-class teams for security, privacy, and risk management that work around the clock every day to ensure that our data is safe and accessible to our customers. In support of this mission, we started requiring TLS 1.2 for all connections to SKY API on April 12, 2021. The next security change towards this effort is to update and formally document the cipher suites that SKY API supports, while deprecating support for any potentially weak ones.
What are Cipher Suites?
SKY API uses the TLS 1.2 protocol to ensure that communication between SKY Applications and our APIs remains secure. Among other things, this protocol defines which cipher suites can be used when application clients attempt to communicate with SKY API. The cipher suite itself defines the set of algorithms that are used to encrypt and decrypt requests to SKY API and responses back to your application. To read more about the relationship between TLS and cipher suites, review how Cloudflare describes TLS.
While TLS 1.2 defines the cipher suites it supports, over time weaknesses have been discovered in some of these suites. For example, they have found outright vulnerabilities and insufficient computational complexity compared to newer standards.
As such, we’re going to remove the weaker ciphers and formally document the ciphers we do support. No additional cipher support will be added as part of this change. However, there is a reasonable chance your application already supports and is using one of these cipher suites to communicate with SKY API.
What Cipher Suites will SKY API support?
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
When is the change happening?
This change will happen in two phases.
Phase 1: Rehearsals
We are providing two opportunities for SKY Application developers to validate that their applications support at least one of the supported cipher suites. During these rehearsals, any applications that cannot negotiate with one of the supported ciphers will be unable to connect to SKY API.
- Rehearsal 1: Friday, October 1st, 2021 at 22:00 GMT (18:00 EDT) – 23:00 GMT (19:00 EDT)
- Rehearsal 2: Wednesday, October 6th, 2021 at 10:00 GMT (6:00 EDT) – 11:00 GMT (7:00 EDT)
During rehearsals, if you uncover an issue with your configuration and cannot resolve it using one of the documented cipher suites above, contact the Blackbaud SKY Developer team.
Phase 2: Permanent change
The final change will take place on Monday, October 18, 2021 at 10:00 GMT (6:00 EDT).
What do I need to do?
You need to ensure that your application is configured to support one or more of the supported cipher suites.
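A local check for the step above, as an added example that is not Blackbaud's code: it maps the nine documented suites to their OpenSSL names and reports which of them a Python `ssl` client context has enabled. The function names and the sample cipher strings are assumptions made for this example.

```python
import ssl

# IANA names from the announcement, mapped to the names OpenSSL uses for them.
SKY_API_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
}


def client_offer(cipher_string=None):
    """OpenSSL names of the suites enabled in a TLS 1.2 client context.

    cipher_string is an optional OpenSSL cipher list, as an application that
    pins its own suites would pass to set_ciphers(). Hypothetical helper.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    if cipher_string:
        try:
            ctx.set_ciphers(cipher_string)
        except ssl.SSLError:
            # The pinned list names nothing this OpenSSL build will enable.
            return []
    return [c["name"] for c in ctx.get_ciphers()]


def negotiable_suites(offered):
    """Documented suites (IANA names) present in a list of OpenSSL names."""
    offered = set(offered)
    return [iana for iana, name in SKY_API_SUITES.items() if name in offered]


if __name__ == "__main__":
    usable = negotiable_suites(client_offer())
    print("Default context:", usable or "NONE of the documented suites")
    # Constructed case: a client pinned to a legacy suite that is not listed.
    print("Pinned to AES128-SHA:",
          negotiable_suites(client_offer("AES128-SHA")) or "NONE")
```

An empty result means the client configuration shares no suite with the documented list.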
Comments
- Rehearsal 1 will commence as soon as our Cipher Suite configuration has finished updating. Once our configuration has updated, we will leave the updated configuration in place for an hour. At a minimum, we will update this thread to indicate the beginning and end of the Rehearsal.
- Our configuration change has been made and Rehearsal 1 has commenced. Proceed in testing your Application configurations as needed.
- Rehearsal 1 has concluded. The previous Cipher Suite configuration has been restored.
- As before, Rehearsal 2 will commence as soon as our Cipher Suite configuration has finished updating. Once our configuration has updated, we will leave the updated configuration in place for an hour. At a minimum, we will update this thread to indicate the beginning and end of the Rehearsal.
- Our configuration change has been made and Rehearsal 2 has commenced. Proceed in testing your Application configurations as needed.
- Rehearsal 2 has concluded. The previous Cipher Suite configuration has been restored.
- Our final Cipher Suite configuration update has been made. This concludes the 2nd and final Phase for this Change.
