Description
This article explains changes being made to the API encryption standards used by the CloudControl API endpoint for both API 2 and API 0.9.
Background
The CloudControl API endpoints use HTTPS protocol to encrypt communications with the API endpoint. These encrypted sessions use a "cipher suite" - a combination of cryptographic algorithms that is negotiated between the CloudControl endpoint and the client connecting to it. During the negotiation process, the two endpoints agree on a cipher suite that is supported by both the client and endpoint. If there is no such suite in common, no SSL connection can be established and the client will not be able to communicate with the API endpoint.
Overview
NTT-CIS is in the process of migrating our CloudControl application infrastructure from our MCP 1.0 to our MCP 2.0 data center network configuration. As part of this process, we are making changes to the encryption ciphers supported by the CloudControl API endpoint. All modern web browsers support the ciphers we're moving to and few support the ciphers we are eliminating. However, clients utilizing the API may be relying on legacy SSL clients that do not support these ciphers and will need to make some updates to be compatible with our new API encryption standards. Specifically, clients need to ensure their integration supports at least one of the ciphers supported on the CloudCOntrol API endpoint. Failure to handle a supported cipher will result in an inability to communicate with the API endpoint after the change.
Some of these changes will occur on the date of migration while others are planned for December 2, 2019. This document outlines those encryption algorithm changes and currently planned schedule.
Migration Schedule
The matrix below defines the currently planned schedule for the API migrating from MCP 1.0 to 2.0 infrastructure. In advance of any implementation, specific maintenance announcements will be issued to notify users of the actual implementation date.
.
| Geographic Region | Status |
|---|---|
| Canada | Migration Done - effective |
| Asia-Pacific | Migration Done - effective |
| Europe | Migration Done - effective |
| Africa | Migration Done - effective |
| North America | Migration Done - effective |
| Australia | Migration Done - effective |
| Indonesia | PARTIALLY DONE - On MCP 2.0 Infrastructure but still supporting TLS 1.0/1.1 variants |
| Israel | PARTIALLY DONE - On MCP 2.0 Infrastructure but still supporting TLS 1.0/1.1 variants |
API Encryption Changes Occurring With Migration to MCP 2.0 Infrastructure
Encryption Protocols No Longer Supported Effective MCP 2.0 Migration
Effective the day of the migration, the following old, insecure “export” versions of encryption algorithms will no longer be supported. It is unlikely these ciphers are required for any current API integrations as we see little to no usage of these ciphers against the current API endpoint. However, we recommend you review your implementation to ensure this is the case.
Suite | Bits | Protocol | Cipher | MAC | Key Exchange |
EXP1024-DES-CBC-SHA | 56 | SSL3 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | TLS 1.0 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | DTLS1 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | TLS 1.1 | DES | SHA | RSA |
EXP1024-DES-CBC-SHA | 56 | TLS 1.2 | DES | SHA | RSA |
EXP1024-RC4-MD5 | 56 | SSL3 | RC4 | MD5 | RSA |
EXP1024-RC4-MD5 | 56 | TLS 1.0 | RC4 | MD5 | RSA |
EXP1024-RC4-MD5 | 56 | TLS 1.1 | RC4 | MD5 | RSA |
EXP1024-RC4-MD5 | 56 | TLS 1.2 | RC4 | MD5 | RSA |
EXP1024-RC4-SHA | 56 | SSL3 | RC4 | SHA | RSA |
EXP1024-RC4-SHA | 56 | TLS 1.0 | RC4 | SHA | RSA |
EXP1024-RC4-SHA | 56 | TLS 1.1 | RC4 | SHA | RSA |
EXP1024-RC4-SHA | 56 | TLS 1.2 | RC4 | SHA | RSA |
EXP-DES-CBC-SHA | 40 | SSL3 | DES | SHA | RSA |
EXP-DES-CBC-SHA | 40 | TLS 1.0 | DES | SHA | RSA |
EXP-DES-CBC-SHA | 40 | TLS 1.2 | DES | SHA | RSA |
EXP-RC4-MD5 | 40 | SSL3 | RC4 | MD5 | RSA |
EXP-RC4-MD5 | 40 | TLS 1.0 | RC4 | MD5 | RSA |
EXP-RC4-MD5 | 40 | TLS 1.2 | RC4 | MD5 | RSA |
Encryption Protocols No Longer Supported Effective December 2, 2019
In addition to the list above, we will cease supporting the following additional set of ciphers that are considered insecure by current standards effective December 2, 2019. We see some usage of these ciphers on the current endpoint so we want to provide our API users with time to review and update their integration to ensure they avoid use of these ciphers in advance of the change. We STRONGLY RECOMMEND that all users review any API integrations and ensure these ciphers are not required so that the December 2019 change does not adversely affect your usage of the API.
Suite | Bits | Protocol | CIPHER | MAC | Key Exchange |
RC4-SHA | 128 | SSL3 | RC4 | SHA | RSA |
RC4-SHA | 128 | TLS 1.0 | RC4 | SHA | RSA |
RC4-SHA | 128 | TLS 1.1 | RC4 | SHA | RSA |
RC4-SHA | 128 | TLS 1.2 | RC4 | SHA | RSA |
RC4-SHA | 128 | SSL3 | RC4 | MD5 | RSA |
RC4-SHA | 128 | TLS 1.0 | RC4 | MD5 | RSA |
RC4-SHA | 128 | TLS 1.1 | RC4 | MD5 | RSA |
RC4-SHA | 128 | TLS 1.2 | RC4 | MD5 | RSA |
DES-CBC-SHA | 64 | SSL3 | DES | SHA | RSA |
DES-CBC-SHA | 64 | TLS 1.0 | DES | SHA | RSA |
EDE-CBC-SHA | 64 | SSL3 | 3DES | SHA | RSA |
EDE-CBC-SHA | 64 | TLS 1.0 | 3DES | SHA | RSA |
EDE-CBC-SHA | 64 | TLS 1.1 | 3DES | SHA | RSA |
EDE-CBC-SHA | 64 | TLS 1.2 | 3DES | SHA | RSA |
AES128-SHA | 128 | SSL3 | AES | SHA | RSA |
AES256-SHA | 256 | SSL3 | AES | SHA | RSA |
AES128-SHA | 128 | TLS 1.0 | AES | SHA | RSA |
AES128-SHA | 128 | TLS 1.1 | AES | SHA | RSA |
New Encryption Protocols Supported Effective MCP 2.0 Migration
Effective the day of the change, we will also be adding support for an additional set of more secure ciphers. Where possible, we recommend API users configure their integrations to prefer these more secure standards as part of preparing for the change.
Suite | Bits | Protocol | CIPHER | MAC | Key Exchange |
ECDHE-RSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDHE_RSA |
ECDHE-ECDSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDHE_ECDSA |
ECDHE-RSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDHE_RSA |
ECDHE-ECDSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDHE_ECDSA |
ECDHE-RSA-AES256-CBC-SHA | 256 | TLS1.2 | AES | SHA | ECDHE_RSA |
ECDHE-ECDSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDHE_ECDSA |
DHE-DSS-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | DHE/DSS |
DHE-DSS-AES256-SHA256 | 256 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES256-SHA | 256 | TLS1.2 | AES | SHA | DHE/DSS |
DHE-DSS-AES256-SHA | 256 | DTLS1 | AES | SHA | DHE/DSS |
ECDH-RSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDH_RSA |
ECDH-ECDSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDH_ECDSA |
ECDH-RSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDH_RSA |
ECDH-ECDSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDH_ECDSA |
ECDH-RSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDH_RSA |
ECDH-ECDSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDH_ECDSA |
AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | RSA |
AES256-SHA256 | 256 | TLS1.2 | AES | SHA256 | RSA |
AES256-SHA | 256 | DTLS1 | AES | SHA | RSA |
ECDHE-RSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDHE_RSA |
ECDHE-ECDSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDHE_ECDSA |
ECDH-RSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDH_RSA |
ECDH-ECDSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDH_ECDSA |
DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | RSA |
DES-CBC3-SHA | 168 | DTLS1 | DES | SHA | RSA |
ECDHE-RSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDHE_RSA |
ECDHE-ECDSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDHE_ECDSA |
ECDHE-RSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDHE_RSA |
ECDHE-ECDSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDHE_ECDSA |
ECDHE-RSA-AES128-CBC-SHA | 128 | TLS1.2 | AES | SHA | ECDHE_RSA |
ECDHE-ECDSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDHE_ECDSA |
DHE-DSS-AES128-GCM-SHA256 | 128 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES128-SHA | 128 | TLS1.2 | AES | SHA | DHE/DSS |
DHE-DSS-AES128-SHA | 128 | DTLS1 | AES | SHA | DHE/DSS |
ECDH-RSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDH_RSA |
ECDH-ECDSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDH_ECDSA |
ECDH-RSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDH_RSA |
ECDH-ECDSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDH_ECDSA |
ECDH-RSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDH_RSA |
ECDH-ECDSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDH_ECDSA |
AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | RSA |
AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | RSA |
AES128-SHA | 128 | DTLS1 | AES | SHA | RSA |
DHE-DSS-CAMELLIA256-SHA | 256 | TLS1.2 | CAMELLIA | SHA | DHE/DSS |
CAMELLIA256-SHA | 256 | TLS1.2 | CAMELLIA | SHA | RSA |
DHE-DSS-CAMELLIA128-SHA | 128 | TLS1.2 | CAMELLIA | SHA | DHE/DSS |
CAMELLIA128-SHA | 128 | TLS1.2 | CAMELLIA | SHA | RSA |
COMPLETE List of Encryption Protocols Supported Effective December 2, 2019
The complete list of supported encryption methods after all changes have been implemented is as follows:
Suite | Bits | Protocol | CIPHER | MAC | Key Exchange |
ECDHE-RSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDHE_RSA |
ECDHE-ECDSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDHE_ECDSA |
ECDHE-RSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDHE_RSA |
ECDHE-ECDSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDHE_ECDSA |
ECDHE-RSA-AES256-CBC-SHA | 256 | TLS1.2 | AES | SHA | ECDHE_RSA |
ECDHE-ECDSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDHE_ECDSA |
DHE-DSS-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | DHE/DSS |
DHE-DSS-AES256-SHA256 | 256 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES256-SHA | 256 | TLS1.2 | AES | SHA | DHE/DSS |
DHE-DSS-AES256-SHA | 256 | DTLS1 | AES | SHA | DHE/DSS |
ECDH-RSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDH_RSA |
ECDH-ECDSA-AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | ECDH_ECDSA |
ECDH-RSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDH_RSA |
ECDH-ECDSA-AES256-SHA384 | 256 | TLS1.2 | AES | SHA384 | ECDH_ECDSA |
ECDH-RSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDH_RSA |
ECDH-ECDSA-AES256-SHA | 256 | TLS1.2 | AES | SHA | ECDH_ECDSA |
AES256-GCM-SHA384 | 256 | TLS1.2 | AES-GCM | SHA384 | RSA |
AES256-SHA256 | 256 | TLS1.2 | AES | SHA256 | RSA |
AES256-SHA | 256 | TLS1.2 | AES | SHA | RSA |
AES256-SHA | 256 | DTLS1 | AES | SHA | RSA |
ECDHE-RSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDHE_RSA |
ECDHE-ECDSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDHE_ECDSA |
ECDH-RSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDH_RSA |
ECDH-ECDSA-DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | ECDH_ECDSA |
DES-CBC3-SHA | 168 | TLS1.2 | DES | SHA | RSA |
DES-CBC3-SHA | 168 | DTLS1 | DES | SHA | RSA |
ECDHE-RSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDHE_RSA |
ECDHE-ECDSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDHE_ECDSA |
ECDHE-RSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDHE_RSA |
ECDHE-ECDSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDHE_ECDSA |
ECDHE-RSA-AES128-CBC-SHA | 128 | TLS1.2 | AES | SHA | ECDHE_RSA |
ECDHE-ECDSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDHE_ECDSA |
DHE-DSS-AES128-GCM-SHA256 | 128 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | DHE/DSS |
DHE-DSS-AES128-SHA | 128 | TLS1.2 | AES | SHA | DHE/DSS |
DHE-DSS-AES128-SHA | 128 | DTLS1 | AES | SHA | DHE/DSS |
ECDH-RSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDH_RSA |
ECDH-ECDSA-AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | ECDH_ECDSA |
ECDH-RSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDH_RSA |
ECDH-ECDSA-AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | ECDH_ECDSA |
ECDH-RSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDH_RSA |
ECDH-ECDSA-AES128-SHA | 128 | TLS1.2 | AES | SHA | ECDH_ECDSA |
AES128-GCM-SHA256 | 128 | TLS1.2 | AES-GCM | SHA256 | RSA |
AES128-SHA256 | 128 | TLS1.2 | AES | SHA256 | RSA |
AES128-SHA | 128 | TLS1.2 | AES | SHA | RSA |
AES128-SHA | 128 | DTLS1 | AES | SHA | RSA |
DHE-DSS-CAMELLIA256-SHA | 256 | TLS1.2 | CAMELLIA | SHA | DHE/DSS |
CAMELLIA256-SHA | 256 | TLS1.2 | CAMELLIA | SHA | RSA |
DHE-DSS-CAMELLIA128-SHA | 128 | TLS1.2 | CAMELLIA | SHA | DHE/DSS |
CAMELLIA128-SHA | 128 | TLS1.2 | CAMELLIA | SHA | RSA |