Description
This article explains changes made to the API encryption standards used by the CloudControl API endpoints in 2019.
Background
The CloudControl API endpoints use the HTTPS protocol to encrypt communications with the API endpoint. These encrypted sessions use a "cipher suite", a combination of cryptographic algorithms that is negotiated between the CloudControl endpoint and the client connecting to it. During the negotiation process, the two endpoints agree on a cipher suite that is supported by both the client and the endpoint. If there is no such suite in common, no SSL connection can be established and the client will not be able to communicate with the API endpoint.
Overview
NTT-CIS is in the process of migrating our CloudControl application infrastructure from our MCP 1.0 to our MCP 2.0 data center network configuration. As part of this process, we are making changes to the encryption ciphers supported by the CloudControl API endpoint. All modern web browsers support the ciphers we're moving to, and few support the ciphers we are eliminating. However, clients utilizing the API may be relying on legacy SSL clients that do not support the new ciphers and will need to make some updates to be compatible with our new API encryption standards. Specifically, clients need to ensure their integration supports at least one of the ciphers supported on the CloudControl API endpoint. An integration that supports none of them will be unable to communicate with the API endpoint after the change.
The changes will be applied in two phases:
- Migration to MCP 2.0 Infrastructure (Phase 1) - This phase will introduce more modern, secure cipher support, including support for TLS 1.2. In addition, a few very old, insecure ciphers will no longer be supported.
- NOTE: This phase is complete in all Geographic Regions as of
- Elimination of Support for Insecure Ciphers (Phase 2) - This phase will eliminate additional insecure ciphers, including all support for TLS 1.0 and 1.1.
- NOTE: This phase is complete in all Geographic Regions. It was done in two separate events:
- API URLs using the dimensiondata.com and mcp-services.net domains were updated on 06-Dec-2019
- All other API URLs were updated on 17-Dec-2019
API Encryption Changes Occurring With Migration to MCP 2.0 Infrastructure (Phase 1)
Effective the day of the migration, the following old, insecure “export” versions of encryption algorithms were no longer supported. It is unlikely these ciphers are required for any current API integrations as we saw little to no usage of these ciphers against the API endpoint prior to the change.
Encryption Protocols No Longer Supported Effective MCP 2.0 Migration
Suite | Bits | Protocol | Cipher | MAC | Key Exchange |
EXP1024-DES-CBC-SHA | 56 | SSL3 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | TLS 1.0 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | DTLS1 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | TLS 1.1 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | TLS 1.2 | DES | SHA | RSA |
EXP1024-RC4-MD5 | 56 | SSL3 | RC4 | MD5 | RSA |
EXP1024-RC4-MD5 | 56 | TLS 1.0 | RC4 | MD5 | RSA |
EXP1024-RC4-MD5 | 56 | TLS 1.1 | RC4 | MD5 | RSA |
EXP1024-RC4-MD5 | 56 | TLS 1.2 | RC4 | MD5 | RSA |
EXP1024-RC4-SHA | 56 | SSL3 | RC4 | SHA | RSA |
EXP1024-RC4-SHA | 56 | TLS 1.0 | RC4 | SHA | RSA |
EXP1024-RC4-SHA | 56 | TLS 1.1 | RC4 | SHA | RSA |
EXP1024-RC4-SHA | 56 | TLS 1.2 | RC4 | SHA | RSA |
EXP-DES-CBC-SHA | 40 | SSL3 | DES | SHA | RSA |
EXP-DES-CBC-SHA | 40 | TLS 1.0 | DES | SHA | RSA |
EXP-DES-CBC-SHA | 40 | TLS 1.2 | DES | SHA | RSA |
EXP-RC4-MD5 | 40 | SSL3 | RC4 | MD5 | RSA |
EXP-RC4-MD5 | 40 | TLS 1.0 | RC4 | MD5 | RSA |
EXP-RC4-MD5 | 40 | TLS 1.2 | RC4 | MD5 | RSA |
API Encryption Changes Occurring With Elimination of Support for Insecure Ciphers (Phase 2)
Effective Phase 2, on the dates above, we ceased supporting the following set of protocols, which are considered insecure by current security standards. Prior to the change, we did see some usage of these ciphers on the current endpoint, so we STRONGLY RECOMMEND that all users review their API integrations and ensure these ciphers are not required, so that the change does not adversely affect their usage of the API.
Encryption Protocols No Longer Supported Effective Elimination of Support for Insecure Ciphers
Suite | Bits | Protocol | Cipher | MAC | Key Exchange |
RC4-SHA | 128 | SSL3 | RC4 | SHA | RSA |
RC4-SHA | 128 | TLS 1.0 | RC4 | SHA | RSA |
RC4-SHA | 128 | TLS 1.1 | RC4 | SHA | RSA |
RC4-SHA | 128 | TLS 1.2 | RC4 | SHA | RSA |
RC4-SHA | 128 | SSL3 | RC4 | MD5 | RSA |
RC4-SHA | 128 | TLS 1.0 | RC4 | MD5 | RSA |
RC4-SHA | 128 | TLS 1.1 | RC4 | MD5 | RSA |
RC4-SHA | 128 | TLS 1.2 | RC4 | MD5 | RSA |
DES-CBC-SHA | 64 | SSL3 | DES | SHA | RSA |
DES-CBC-SHA | 64 | TLS 1.0 | DES | SHA | RSA |
EDE-CBC-SHA | 64 | SSL3 | 3DES | SHA | RSA |
EDE-CBC-SHA | 64 | TLS 1.0 | 3DES | SHA | RSA |
EDE-CBC-SHA | 64 | TLS 1.1 | 3DES | SHA | RSA |
EDE-CBC-SHA | 64 | TLS 1.2 | 3DES | SHA | RSA |
AES128-SHA | 128 | SSL3 | AES | SHA | RSA |
AES256-SHA | 256 | SSL3 | AES | SHA | RSA |
AES128-SHA | 128 | TLS 1.0 | AES | SHA | RSA |
AES128-SHA | 128 | TLS 1.1 | AES | SHA | RSA |
Current List of Supported API Encryption Ciphers And Protocols
The complete list of supported encryption methods now that both phases have been implemented is as follows:
Suite | Bits | Protocol | Cipher | MAC | Key Exchange |
ECDHE-RSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDHE_RSA |
ECDHE-ECDSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDHE_ECDSA |
ECDHE-RSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDHE_RSA |
ECDHE-ECDSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDHE_ECDSA |
ECDHE-RSA-AES256-CBC-SHA | 256 | TLS1.2 | AES | SHA | ECDHE_RSA |
ECDHE-ECDSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDHE_ECDSA |
DHE-DSS-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | DHE/DSS |
DHE-DSS-AES256-SHA256 | 256 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES256-SHA | 256 | TLS1.2 | AES | SHA | DHE/DSS |
DHE-DSS-AES256-SHA | 256 | DTLS1 | AES | SHA | DHE/DSS |
ECDH-RSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDH_RSA |
ECDH-ECDSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDH_ECDSA |
ECDH-RSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDH_RSA |
ECDH-ECDSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDH_ECDSA |
ECDH-RSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDH_RSA |
ECDH-ECDSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDH_ECDSA |
AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | RSA |
AES256-SHA256 | 256 | TLS1.2 | AES | SHA256 | RSA |
AES256-SHA | 256 | TLS1.2 | AES | SHA | RSA |
AES256-SHA | 256 | DTLS1 | AES | SHA | RSA |
ECDHE-RSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDHE_RSA |
ECDHE-ECDSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDHE_ECDSA |
ECDH-RSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDH_RSA |
ECDH-ECDSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDH_ECDSA |
DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | RSA |
DES-CBC3-SHA | 168 | DTLS1 | DES | SHA | RSA |
ECDHE-RSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDHE_RSA |
ECDHE-ECDSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDHE_ECDSA |
ECDHE-RSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDHE_RSA |
ECDHE-ECDSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDHE_ECDSA |
ECDHE-RSA-AES128-CBC-SHA | 128 | TLS1.2 | AES | SHA | ECDHE_RSA |
ECDHE-ECDSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDHE_ECDSA |
DHE-DSS-AES128-GCM-SHA256 | 128 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES128-SHA | 128 | TLS1.2 | AES | SHA | DHE/DSS |
DHE-DSS-AES128-SHA | 128 | DTLS1 | AES | SHA | DHE/DSS |
ECDH-RSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDH_RSA |
ECDH-ECDSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDH_ECDSA |
ECDH-RSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDH_RSA |
ECDH-ECDSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDH_ECDSA |
ECDH-RSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDH_RSA |
ECDH-ECDSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDH_ECDSA |
AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | RSA |
AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | RSA |
AES128-SHA | 128 | TLS1.2 | AES | SHA | RSA |
AES128-SHA | 128 | DTLS1 | AES | SHA | RSA |
DHE-DSS-CAMELLIA256-SHA | 256 | TLS1.2 | CAMELLIA | SHA | DHE/DSS |
CAMELLIA256-SHA | 256 | TLS1.2 | CAMELLIA | SHA | RSA |
DHE-DSS-CAMELLIA128-SHA | 128 | TLS1.2 | CAMELLIA | SHA | DHE/DSS |
CAMELLIA128-SHA | 128 | TLS1.2 | CAMELLIA | SHA | RSA |
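The compatibility check the Overview asks integrators to perform, and the suite negotiation the Background describes, as an added example that is not part of this article or of CloudControl itself: it simulates suite selection against the list above and asks the local OpenSSL build which suite it would end up with. The two ECDHE-RSA "-CBC-SHA" rows are written here under OpenSSL's own names (ECDHE-RSA-AES256-SHA, ECDHE-RSA-AES128-SHA), the DTLS1 rows are omitted, and the client cipher lists are constructed samples.

```python
import ssl

# Suites the endpoint accepts after Phase 2, in the order of the article's final
# table (TLS 1.2 rows only; DTLS1 rows omitted because HTTPS clients never use DTLS).
# Assumption: the server picks by its own preference order, which is this order.
ENDPOINT_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "DHE-DSS-AES256-SHA",
    "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384",
    "ECDH-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-SHA384",
    "ECDH-RSA-AES256-SHA", "ECDH-ECDSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDH-ECDSA-DES-CBC3-SHA", "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "DHE-DSS-AES128-SHA",
    "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-SHA256",
    "ECDH-RSA-AES128-SHA", "ECDH-ECDSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "DHE-DSS-CAMELLIA256-SHA", "CAMELLIA256-SHA",
    "DHE-DSS-CAMELLIA128-SHA", "CAMELLIA128-SHA",
]

# Constructed sample client offers: a pre-2019 stack limited to RC4/DES, and a
# partially updated stack that still lists RC4 first.
LEGACY_CLIENT = ["RC4-SHA", "RC4-MD5", "DES-CBC-SHA", "EXP-RC4-MD5"]
MIXED_CLIENT = ["RC4-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]


def negotiated_suite(client_suites, server_suites=ENDPOINT_SUITES, server_preference=True):
    """First suite in the preferring side's order that both sides offer, or None
    when there is no suite in common (the handshake fails and no session is built)."""
    first, second = (server_suites, client_suites) if server_preference else (client_suites, server_suites)
    other = set(second)
    return next((s for s in first if s in other), None)


def local_openssl_compatible():
    """Suite this machine's OpenSSL would negotiate with the endpoint, or None.
    TLS 1.3 suites are dropped because the endpoint table lists TLS 1.2 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    offered = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return negotiated_suite(offered)


if __name__ == "__main__":
    print("legacy client :", negotiated_suite(LEGACY_CLIENT))
    print("mixed client  :", negotiated_suite(MIXED_CLIENT))
    print("this OpenSSL  :", local_openssl_compatible())
```

A None result for the local check means an integration built on this Python/OpenSSL stack would have stopped working on the Phase 2 dates above.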