Description

This article explains changes being made to the API encryption standards used by the CloudControl API endpoint for both API 2 and API 0.9.

Background

The CloudControl API endpoints use HTTPS to encrypt communications between the client and the API endpoint. Each encrypted session uses a "cipher suite", a combination of cryptographic algorithms (key exchange, bulk cipher and MAC) that is negotiated between the CloudControl endpoint and the client connecting to it. During the negotiation, the two sides agree on a cipher suite that both the client and the endpoint support. If they have no such suite in common, no SSL/TLS connection can be established and the client will not be able to communicate with the API endpoint.

Overview

NTT-CIS is in the process of migrating our CloudControl application infrastructure from our MCP 1.0 to our MCP 2.0 data center network configuration. As part of this process, we are making changes to the encryption ciphers supported by the CloudControl API endpoint. All modern web browsers support the ciphers we are moving to, and few still support the ciphers we are eliminating. However, clients utilizing the API may be relying on legacy SSL/TLS libraries that do not support these ciphers and will need to be updated to be compatible with our new API encryption standards. Specifically, clients need to ensure their integration supports at least one of the ciphers supported on the CloudControl API endpoint. A client that supports none of them will be unable to communicate with the API endpoint after the change.

Some of these changes will occur on the date of migration, while others are planned for September 4, 2019. This document outlines those encryption algorithm changes and the currently planned schedule.

Migration Schedule

The matrix below defines the currently planned schedule for the API migrating from MCP 1.0 to 2.0 infrastructure. In advance of any implementation, specific maintenance announcements will be issued to notify users of the actual implementation date.


Geographic Region  Status
Canada             Migration Done - effective
Asia-Pacific       Migration Done - effective
Europe             Migration Done - effective
Africa             Migration Done - effective
North America      Migration Done - effective
Australia          Migration Done - effective
Indonesia          PARTIALLY DONE - On MCP 2.0 Infrastructure but still supporting TLS 1.0/1.1 variants
Israel             PARTIALLY DONE - On MCP 2.0 Infrastructure but still supporting TLS 1.0/1.1 variants

API Encryption Changes Occurring With Migration to MCP 2.0 Infrastructure

Encryption Protocols No Longer Supported Effective MCP 2.0 Migration

Effective the day of the migration, the following old, insecure “export” versions of encryption algorithms (40- and 56-bit suites) will no longer be supported. It is unlikely that these ciphers are required by any current API integration, as we see little to no usage of them against the current API endpoint. However, we recommend you review your implementation to confirm this is the case.

Suite                Bits  Protocol  Cipher  MAC  Key Exchange
EXP1024-DES-CBC-SHA  56    SSL3      DES     SHA  RSA
EXP1024-DES-CBC-SHA  56    TLS 1.0   DES     SHA  RSA
EXP1024-DES-CBC-SHA  56    DTLS1     DES     SHA  RSA
EXP1024-DES-CBC-SHA  56    TLS 1.1   DES     SHA  RSA
EXP1024-DES-CBC-SHA  56    TLS 1.2   DES     SHA  RSA
EXP1024-RC4-MD5      56    SSL3      RC4     MD5  RSA
EXP1024-RC4-MD5      56    TLS 1.0   RC4     MD5  RSA
EXP1024-RC4-MD5      56    TLS 1.1   RC4     MD5  RSA
EXP1024-RC4-MD5      56    TLS 1.2   RC4     MD5  RSA
EXP1024-RC4-SHA      56    SSL3      RC4     SHA  RSA
EXP1024-RC4-SHA      56    TLS 1.0   RC4     SHA  RSA
EXP1024-RC4-SHA      56    TLS 1.1   RC4     SHA  RSA
EXP1024-RC4-SHA      56    TLS 1.2   RC4     SHA  RSA
EXP-DES-CBC-SHA      40    SSL3      DES     SHA  RSA
EXP-DES-CBC-SHA      40    TLS 1.0   DES     SHA  RSA
EXP-DES-CBC-SHA      40    TLS 1.2   DES     SHA  RSA
EXP-RC4-MD5          40    SSL3      RC4     MD5  RSA
EXP-RC4-MD5          40    TLS 1.0   RC4     MD5  RSA
EXP-RC4-MD5          40    TLS 1.2   RC4     MD5  RSA

Encryption Protocols No Longer Supported Effective September 4, 2019

In addition to the list above, effective September 4, 2019 we will cease supporting the following additional set of ciphers, which are considered insecure by current standards. We do see some usage of these ciphers on the current endpoint, so we want to give our API users time to review and update their integrations so that they no longer depend on these ciphers before the change. We STRONGLY RECOMMEND that all users review their API integrations and confirm that these ciphers are not required, so that the September 2019 change does not adversely affect their use of the API.

Suite        Bits  Protocol  Cipher  MAC  Key Exchange
RC4-SHA      128   SSL3      RC4     SHA  RSA
RC4-SHA      128   TLS 1.0   RC4     SHA  RSA
RC4-SHA      128   TLS 1.1   RC4     SHA  RSA
RC4-SHA      128   TLS 1.2   RC4     SHA  RSA
RC4-SHA      128   SSL3      RC4     MD5  RSA
RC4-SHA      128   TLS 1.0   RC4     MD5  RSA
RC4-SHA      128   TLS 1.1   RC4     MD5  RSA
RC4-SHA      128   TLS 1.2   RC4     MD5  RSA
DES-CBC-SHA  64    SSL3      DES     SHA  RSA
DES-CBC-SHA  64    TLS 1.0   DES     SHA  RSA
EDE-CBC-SHA  64    SSL3      3DES    SHA  RSA
EDE-CBC-SHA  64    TLS 1.0   3DES    SHA  RSA
EDE-CBC-SHA  64    TLS 1.1   3DES    SHA  RSA
EDE-CBC-SHA  64    TLS 1.2   3DES    SHA  RSA
AES128-SHA   128   SSL3      AES     SHA  RSA
AES256-SHA   256   SSL3      AES     SHA  RSA
AES128-SHA   128   TLS 1.0   AES     SHA  RSA
AES128-SHA   128   TLS 1.1   AES     SHA  RSA

New Encryption Protocols Supported Effective MCP 2.0 Migration

Effective the day of the migration, we will also add support for the following additional set of more secure ciphers. Where possible, we recommend API users configure their integrations to prefer these more secure suites as part of preparing for the change.

Suite                          Bits  Protocol  Cipher    MAC     Key Exchange
ECDHE-RSA-AES256-GCM-SHA384    256   TLS 1.2   AES-GCM   SHA384  ECDHE_RSA
ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS 1.2   AES-GCM   SHA384  ECDHE_ECDSA
ECDHE-RSA-AES256-SHA384        256   TLS 1.2   AES       SHA384  ECDHE_RSA
ECDHE-ECDSA-AES256-SHA384      256   TLS 1.2   AES       SHA384  ECDHE_ECDSA
ECDHE-RSA-AES256-CBC-SHA       256   TLS 1.2   AES       SHA     ECDHE_RSA
ECDHE-ECDSA-AES256-SHA         256   TLS 1.2   AES       SHA     ECDHE_ECDSA
DHE-DSS-AES256-GCM-SHA384      256   TLS 1.2   AES-GCM   SHA384  DHE/DSS
DHE-DSS-AES256-SHA256          256   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES256-SHA             256   TLS 1.2   AES       SHA     DHE/DSS
DHE-DSS-AES256-SHA             256   DTLS1     AES       SHA     DHE/DSS
ECDH-RSA-AES256-GCM-SHA384     256   TLS 1.2   AES-GCM   SHA384  ECDH_RSA
ECDH-ECDSA-AES256-GCM-SHA384   256   TLS 1.2   AES-GCM   SHA384  ECDH_ECDSA
ECDH-RSA-AES256-SHA384         256   TLS 1.2   AES       SHA384  ECDH_RSA
ECDH-ECDSA-AES256-SHA384       256   TLS 1.2   AES       SHA384  ECDH_ECDSA
ECDH-RSA-AES256-SHA            256   TLS 1.2   AES       SHA     ECDH_RSA
ECDH-ECDSA-AES256-SHA          256   TLS 1.2   AES       SHA     ECDH_ECDSA
AES256-GCM-SHA384              256   TLS 1.2   AES-GCM   SHA384  RSA
AES256-SHA256                  256   TLS 1.2   AES       SHA256  RSA
AES256-SHA                     256   DTLS1     AES       SHA     RSA
ECDHE-RSA-DES-CBC3-SHA         168   TLS 1.2   DES       SHA     ECDHE_RSA
ECDHE-ECDSA-DES-CBC3-SHA       168   TLS 1.2   DES       SHA     ECDHE_ECDSA
ECDH-RSA-DES-CBC3-SHA          168   TLS 1.2   DES       SHA     ECDH_RSA
ECDH-ECDSA-DES-CBC3-SHA        168   TLS 1.2   DES       SHA     ECDH_ECDSA
DES-CBC3-SHA                   168   TLS 1.2   DES       SHA     RSA
DES-CBC3-SHA                   168   DTLS1     DES       SHA     RSA
ECDHE-RSA-AES128-GCM-SHA256    128   TLS 1.2   AES-GCM   SHA256  ECDHE_RSA
ECDHE-ECDSA-AES128-GCM-SHA256  128   TLS 1.2   AES-GCM   SHA256  ECDHE_ECDSA
ECDHE-RSA-AES128-SHA256        128   TLS 1.2   AES       SHA256  ECDHE_RSA
ECDHE-ECDSA-AES128-SHA256      128   TLS 1.2   AES       SHA256  ECDHE_ECDSA
ECDHE-RSA-AES128-CBC-SHA       128   TLS 1.2   AES       SHA     ECDHE_RSA
ECDHE-ECDSA-AES128-SHA         128   TLS 1.2   AES       SHA     ECDHE_ECDSA
DHE-DSS-AES128-GCM-SHA256      128   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES128-SHA256          128   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES128-SHA             128   TLS 1.2   AES       SHA     DHE/DSS
DHE-DSS-AES128-SHA             128   DTLS1     AES       SHA     DHE/DSS
ECDH-RSA-AES128-GCM-SHA256     128   TLS 1.2   AES-GCM   SHA256  ECDH_RSA
ECDH-ECDSA-AES128-GCM-SHA256   128   TLS 1.2   AES-GCM   SHA256  ECDH_ECDSA
ECDH-RSA-AES128-SHA256         128   TLS 1.2   AES       SHA256  ECDH_RSA
ECDH-ECDSA-AES128-SHA256       128   TLS 1.2   AES       SHA256  ECDH_ECDSA
ECDH-RSA-AES128-SHA            128   TLS 1.2   AES       SHA     ECDH_RSA
ECDH-ECDSA-AES128-SHA          128   TLS 1.2   AES       SHA     ECDH_ECDSA
AES128-GCM-SHA256              128   TLS 1.2   AES-GCM   SHA256  RSA
AES128-SHA256                  128   TLS 1.2   AES       SHA256  RSA
AES128-SHA                     128   DTLS1     AES       SHA     RSA
DHE-DSS-CAMELLIA256-SHA        256   TLS 1.2   CAMELLIA  SHA     DHE/DSS
CAMELLIA256-SHA                256   TLS 1.2   CAMELLIA  SHA     RSA
DHE-DSS-CAMELLIA128-SHA        128   TLS 1.2   CAMELLIA  SHA     DHE/DSS
CAMELLIA128-SHA                128   TLS 1.2   CAMELLIA  SHA     RSA

COMPLETE List of Encryption Protocols Supported Effective September 4, 2019

The complete list of supported encryption methods after all changes have been implemented is as follows:

Suite                          Bits  Protocol  Cipher    MAC     Key Exchange
ECDHE-RSA-AES256-GCM-SHA384    256   TLS 1.2   AES-GCM   SHA384  ECDHE_RSA
ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS 1.2   AES-GCM   SHA384  ECDHE_ECDSA
ECDHE-RSA-AES256-SHA384        256   TLS 1.2   AES       SHA384  ECDHE_RSA
ECDHE-ECDSA-AES256-SHA384      256   TLS 1.2   AES       SHA384  ECDHE_ECDSA
ECDHE-RSA-AES256-CBC-SHA       256   TLS 1.2   AES       SHA     ECDHE_RSA
ECDHE-ECDSA-AES256-SHA         256   TLS 1.2   AES       SHA     ECDHE_ECDSA
DHE-DSS-AES256-GCM-SHA384      256   TLS 1.2   AES-GCM   SHA384  DHE/DSS
DHE-DSS-AES256-SHA256          256   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES256-SHA             256   TLS 1.2   AES       SHA     DHE/DSS
DHE-DSS-AES256-SHA             256   DTLS1     AES       SHA     DHE/DSS
ECDH-RSA-AES256-GCM-SHA384     256   TLS 1.2   AES-GCM   SHA384  ECDH_RSA
ECDH-ECDSA-AES256-GCM-SHA384   256   TLS 1.2   AES-GCM   SHA384  ECDH_ECDSA
ECDH-RSA-AES256-SHA384         256   TLS 1.2   AES       SHA384  ECDH_RSA
ECDH-ECDSA-AES256-SHA384       256   TLS 1.2   AES       SHA384  ECDH_ECDSA
ECDH-RSA-AES256-SHA            256   TLS 1.2   AES       SHA     ECDH_RSA
ECDH-ECDSA-AES256-SHA          256   TLS 1.2   AES       SHA     ECDH_ECDSA
AES256-GCM-SHA384              256   TLS 1.2   AES-GCM   SHA384  RSA
AES256-SHA256                  256   TLS 1.2   AES       SHA256  RSA
AES256-SHA                     256   TLS 1.2   AES       SHA     RSA
AES256-SHA                     256   DTLS1     AES       SHA     RSA
ECDHE-RSA-DES-CBC3-SHA         168   TLS 1.2   DES       SHA     ECDHE_RSA
ECDHE-ECDSA-DES-CBC3-SHA       168   TLS 1.2   DES       SHA     ECDHE_ECDSA
ECDH-RSA-DES-CBC3-SHA          168   TLS 1.2   DES       SHA     ECDH_RSA
ECDH-ECDSA-DES-CBC3-SHA        168   TLS 1.2   DES       SHA     ECDH_ECDSA
DES-CBC3-SHA                   168   TLS 1.2   DES       SHA     RSA
DES-CBC3-SHA                   168   DTLS1     DES       SHA     RSA
ECDHE-RSA-AES128-GCM-SHA256    128   TLS 1.2   AES-GCM   SHA256  ECDHE_RSA
ECDHE-ECDSA-AES128-GCM-SHA256  128   TLS 1.2   AES-GCM   SHA256  ECDHE_ECDSA
ECDHE-RSA-AES128-SHA256        128   TLS 1.2   AES       SHA256  ECDHE_RSA
ECDHE-ECDSA-AES128-SHA256      128   TLS 1.2   AES       SHA256  ECDHE_ECDSA
ECDHE-RSA-AES128-CBC-SHA       128   TLS 1.2   AES       SHA     ECDHE_RSA
ECDHE-ECDSA-AES128-SHA         128   TLS 1.2   AES       SHA     ECDHE_ECDSA
DHE-DSS-AES128-GCM-SHA256      128   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES128-SHA256          128   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES128-SHA             128   TLS 1.2   AES       SHA     DHE/DSS
DHE-DSS-AES128-SHA             128   DTLS1     AES       SHA     DHE/DSS
ECDH-RSA-AES128-GCM-SHA256     128   TLS 1.2   AES-GCM   SHA256  ECDH_RSA
ECDH-ECDSA-AES128-GCM-SHA256   128   TLS 1.2   AES-GCM   SHA256  ECDH_ECDSA
ECDH-RSA-AES128-SHA256         128   TLS 1.2   AES       SHA256  ECDH_RSA
ECDH-ECDSA-AES128-SHA256       128   TLS 1.2   AES       SHA256  ECDH_ECDSA
ECDH-RSA-AES128-SHA            128   TLS 1.2   AES       SHA     ECDH_RSA
ECDH-ECDSA-AES128-SHA          128   TLS 1.2   AES       SHA     ECDH_ECDSA
AES128-GCM-SHA256              128   TLS 1.2   AES-GCM   SHA256  RSA
AES128-SHA256                  128   TLS 1.2   AES       SHA256  RSA
AES128-SHA                     128   TLS 1.2   AES       SHA     RSA
AES128-SHA                     128   DTLS1     AES       SHA     RSA
DHE-DSS-CAMELLIA256-SHA        256   TLS 1.2   CAMELLIA  SHA     DHE/DSS
CAMELLIA256-SHA                256   TLS 1.2   CAMELLIA  SHA     RSA
DHE-DSS-CAMELLIA128-SHA        128   TLS 1.2   CAMELLIA  SHA     DHE/DSS
CAMELLIA128-SHA                128   TLS 1.2   CAMELLIA  SHA     RSA