Reminder! Breaking Change Planned for Disabling Weak Cipher Suites

As a reminder, we are making the permanent change to supported cipher suites on Wednesday, February 28, 2024 at 22:00 GMT (17:00 EST).

At Blackbaud, as the cloud software partner to many leading social good organizations, security is our priority. We have world-class teams for security, privacy, and risk management that work around the clock every day to ensure that our data is safe and accessible to our customers. In support of this mission, we have required TLS 1.2 for all connections to SKY API since April 12, 2021. The next security change in this effort is to update and formally document the cipher suites that SKY API supports, while deprecating support for any potentially weak ones.

WHAT ARE CIPHER SUITES?

SKY API uses the TLS 1.2 protocol to ensure that communication between SKY applications and our APIs remains secure. Among other things, this protocol defines which cipher suites can be used when application clients attempt to communicate with SKY API. The cipher suite itself defines the set of algorithms that are used to encrypt and decrypt requests to SKY API and responses back to your application. To read more about the relationship between TLS and cipher suites, review how Cloudflare describes TLS.

While TLS 1.2 defines the cipher suites it supports, over time weaknesses have been discovered in some of these suites. These range from outright vulnerabilities to insufficient computational complexity compared to newer standards.

As such, we’re going to remove the weaker ciphers and formally document the ciphers we do support. No additional cipher support will be added as part of this change. However, there is a reasonable chance your application already supports and is using one of these cipher suites to communicate with SKY API.

WHAT CIPHER SUITES DOES SKY API SUPPORT?

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

WHEN IS THE CHANGE HAPPENING?

This change is happening in two phases.

Phase 1: Rehearsals

This phase is complete.

Phase 2: Permanent change

The final change will take place on Wednesday, February 28, 2024 at 22:00 GMT (17:00 EST).

WHAT DO I NEED TO DO?

You need to ensure that your application is configured to support one or more of the supported cipher suites.
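
One way to check this from a Python client, as an added example that is not Blackbaud's code: it compares a list of suite names a client offers against the four supported suites, and builds a TLS 1.2 context restricted to those four to see which of them the local OpenSSL build can offer. The OpenSSL names, the sample list and the function names are assumptions of this example; the curve-suffix handling follows the `_P521` name quoted in the comments below.

```python
import re
import ssl

# The four suites from the list above, mapped to OpenSSL's names for them.
SKY_API_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
}
# Constructed sample of what a client might list: one CBC suite that is not on
# the supported list and one name carrying a Windows-style curve suffix.
SAMPLE_OFFERED = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521",
]
_NAME = re.compile(r"^(.*?)(?:_(P\d{3}))?$")

def compatible_suites(offered):
    """Return (suite, curve) for each offered name on the supported list.

    curve is None unless the name pins one (older Windows naming). A pinned
    curve must also be accepted by the server, so treat those as unconfirmed.
    """
    matches = []
    for name in offered:
        suite, curve = _NAME.match(name.strip().upper()).groups()
        if suite in SKY_API_SUITES:
            matches.append((suite, curve))
    return matches

def strict_context():
    """Client context that can only negotiate TLS 1.2 with the listed suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Raises ssl.SSLError if the local OpenSSL build has none of the four.
    ctx.set_ciphers(":".join(SKY_API_SUITES.values()))
    return ctx

def locally_enabled(ctx):
    """IANA names of the listed suites this context will actually offer."""
    to_iana = {v: k for k, v in SKY_API_SUITES.items()}
    return [to_iana[c["name"]] for c in ctx.get_ciphers() if c["name"] in to_iana]

if __name__ == "__main__":
    print("overlap with supported list:", compatible_suites(SAMPLE_OFFERED))
    print("this runtime can offer:", locally_enabled(strict_context()))
```

Using `strict_context()` for a request from your own client shows whether the handshake still completes when only the supported suites are available.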

Comments

  • Alex Wong (Community All-Star)

    My IT hat tells me that this does not affect SKY API calls made from Power Automate, but can someone from Blackbaud confirm that?

  • Chris Rodgers (Blackbaud Employee)

    That is correct. The requests from Power Automate are compatible with this change. You're all set!

  • How about Power BI reports that sync with Sky API via our On Prem Gateway? Our reports are failing after we thought our weaker ciphers were removed.

  • Chris Rodgers (Blackbaud Employee)

    Hey Jonathan,

    Sorry your reports started failing after the update. I know we spoke before about your On-Premises solution before the change. From our analytics, your application was still making requests using a weaker cipher prior to the update. However, from our analytics, it appears that your application has started working again within the last hour. Let me know if that is not the case.

    For everyone else using Microsoft On-Premises Gateway: Microsoft publishes their TLS and Cipher Suite requirements for Microsoft On-Premises Gateway at https://learn.microsoft.com/en-us/power-platform/admin/server-cipher-tls-requirements. The required On-Premises Gateway cipher suite list includes all four of the SKY API-compatible cipher suites. If your server is able to communicate using any one of these, it'll be compatible with both SKY API and Microsoft On-Premises Gateway.

  • Windows Server 2012 R2 Intermittently Failed to create SSL connection

    Just in case anyone else runs into this, I was unable to get the required cipher suite to work consistently on Windows Server 2012 R2 running IIS. We finally just stood up a new 2022 server and then updated the cipher suite order, and that solved our issue.

    At least 2 of the required cipher suites were installed on 2012 R2, but when making API calls it would succeed maybe 10% of the time and fail the rest. My only guess (and I am no expert) is 2012 required the elliptic curve ID to be added to the suite (TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521). Maybe a mismatch in the elliptic curve being used?

    Hope this helps someone out there.