Breaking Change Planned - Disabling Weak Cipher Suites

At Blackbaud, as the cloud software partner to many leading social good organizations, security is our priority and as such, we have world-class teams for security, privacy, and risk management that work around the clock every day to ensure that our data is safe and accessible to our customers. In support of this mission, we require TLS 1.2 for all connections to SKY API beginning on April 12, 2021. The next security change towards this effort is to update and formally document the cipher suites that SKY API supports, while deprecating support for any potentially weak ones.

WHAT ARE CIPHER SUITES?

SKY API uses the TLS 1.2 protocol to ensure that communication between SKY applications and our APIs remain secure. Among other things, this protocol defines which cipher suites can be used when application clients attempt to communicate with SKY API. The cipher suite itself defines the set of algorithms that are used to encrypt and decrypt requests to SKY API and responses back to your application. To read more about the relationship between TLS and cipher suites, review how CloudFlare describes TLS.

While TLS 1.2 defines the cipher suites it supports, over time weaknesses have been discovered in some of these suites. For example, they have found outright vulnerabilities and insufficient computational complexity compared to newer standards.

As such, we’re going to remove the weaker ciphers and formally document the ciphers we do support. No additional cipher support will be added as part of this change. However, there is a reasonable chance your application already supports and is using one of these cipher suites to communicate with SKY API.

WHAT CIPHER SUITES DOES SKY API SUPPORT?

• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

WHEN IS THE CHANGE HAPPENING?

This change is happening in two phases.

Phase 1: Rehearsals

We are providing two opportunities for SKY application developers to validate that your applications support at least one of the supported cipher suites. During these rehearsals, any applications that cannot negotiate with one of the supported ciphers will be unable to connect to SKY API. Follow along in the community announcements for up-to-date status of rehearsals.

• Rehearsal 1: Thursday, February 1st, 2024 at 22:00 GMT (17:00 EST) – 1:00 GMT (20:00 EST)
• Rehearsal 2: Wednesday, February 14th, 2024 at 10:00 GMT (5:00 EST) – 12:00 GMT (7:00 EST)

During rehearsals, if you uncover an issue with your configuration and cannot resolve it using one of the documented cipher suites above, contact the Blackbaud SKY Developer team.

Phase 2: Permanent change

The final change will take place on Wednesday, February 28, 2024 at 22:00 GMT (17:00 EST).

WHAT DO I NEED TO DO?

You need to ensure that your application is configured to support one or more of the supported cipher suites.