Breaking Change Planned - Disabling Weak Cipher Suites
At Blackbaud, as the cloud software partner to many leading social good organizations, security is our priority and as such, we have world-class teams for security, privacy, and risk management that work around the clock every day to ensure that our data is safe and accessible to our customers. In support of this mission, we require TLS 1.2 for all connections to SKY API beginning on April 12, 2021. The next security change towards this effort is to update and formally document the cipher suites that SKY API supports, while deprecating support for any potentially weak ones.
WHAT ARE CIPHER SUITES?
SKY API uses the TLS 1.2 protocol to ensure that communication between SKY applications and our APIs remain secure. Among other things, this protocol defines which cipher suites can be used when application clients attempt to communicate with SKY API. The cipher suite itself defines the set of algorithms that are used to encrypt and decrypt requests to SKY API and responses back to your application. To read more about the relationship between TLS and cipher suites, review how CloudFlare describes TLS.
While TLS 1.2 defines the cipher suites it supports, over time weaknesses have been discovered in some of these suites. For example, they have found outright vulnerabilities and insufficient computational complexity compared to newer standards.
As such, we’re going to remove the weaker ciphers and formally document the ciphers we do support. No additional cipher support will be added as part of this change. However, there is a reasonable chance your application already supports and is using one of these cipher suites to communicate with SKY API.
WHAT CIPHER SUITES DOES SKY API SUPPORT?
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
WHEN IS THE CHANGE HAPPENING?
This change is happening in two phases.
Phase 1: Rehearsals
We are providing two opportunities for SKY application developers to validate that your applications support at least one of the supported cipher suites. During these rehearsals, any applications that cannot negotiate with one of the supported ciphers will be unable to connect to SKY API. Follow along in the community announcements for up-to-date status of rehearsals.
- Rehearsal 1: Thursday, February 1st, 2024 at 22:00 GMT (17:00 EST) – 1:00 GMT (20:00 EST)
- Rehearsal 2: Wednesday, February 14th, 2024 at 10:00 GMT (5:00 EST) – 12:00 GMT (7:00 EST)
During rehearsals, if you uncover an issue with your configuration and cannot resolve it using one of the documented cipher suites above, contact the Blackbaud SKY Developer team.
Phase 2: Permanent change
The final change will take place on Wednesday, February 28, 2024 at 22:00 GMT (17:00 EST).
WHAT DO I NEED TO DO?
You need to ensure that your application is configured to support one or more of the supported cipher suites.
Leave a Comment
Final Change Complete - The SKY API Gateway cipher suites configuration change is complete.
Rehearsal 2 Finish - The previous cipher suite configuration has been restored to the SKY API Gateway and Rehearsal 2 is complete.
Rehearsal 2 Start - The cipher suite configuration change is in effect for the SKY API Gateway and Rehearsal 2 has begun.
Rehearsal 1 Finish - The previous cipher suite configuration has been restored to the SKY API Gateway and Rehearsal 1 is complete.
Rehearsal 1 Start - The cipher suite configuration change is in effect for the SKY API Gateway and Rehearsal 1 has begun.
When did you last remove cipher suite support? Was it in 2021? I recall that one client had trouble because of very tight configuration controls that didn't include any of the supported suites, and it took quite a bit of troubleshooting to resolve that.
Looking through our changelog, I see we last made a change in April 2022.
Lead paragraph (and email excerpt) says: April 12, 2021
Down below, action dates are in Feb 2024.
What should that first date actually be?
April 12, 2021 is when we first started requiring TLS 1.2 for all connections to SKY API. However, related to that, over time we've had to disable weak cipher suites. This announcement is an effort to disable more weak ones, and document which ones we do support. Starting Feb 2024, we will only allow traffic using one of the supported cipher suites documented above and we'd encourage you to test and make sure your application supports one of those. Does that help?