CloudControl API Encryption Standards and Migration Changes

Description

This article explains changes made to the API encryption standards used by the CloudControl API endpoints in 2019.

Background

The CloudControl API endpoints use HTTPS protocol to encrypt communications with the API endpoint. These encrypted sessions use a "cipher suite" - a combination of cryptographic algorithms that is negotiated between the CloudControl endpoint and the client connecting to it. During the negotiation process, the two endpoints agree on a cipher suite that is supported by both the client and endpoint. If there is no such suite in common, no SSL connection can be established and the client will not be able to communicate with the API endpoint.

Overview

NTT-CIS is in the process of migrating our CloudControl application infrastructure from our MCP 1.0 to our MCP 2.0 data center network configuration. As part of this process, we are making changes to the encryption ciphers supported by the CloudControl API endpoint. All modern web browsers support the ciphers we're moving to and few support the ciphers we are eliminating. However, clients utilizing the API may be relying on legacy SSL clients that do not support these ciphers and will need to make some updates to be compatible with our new API encryption standards. Specifically, clients need to ensure their integration supports at least one of the ciphers supported on the CloudControl API endpoint. Failure to handle a supported cipher will result in an inability to communicate with the API endpoint after the change.

The changes will be applied in two phases

Migration to MCP 2.0 Infrastructure (Phase 1) - This phase will introduce more modern, secure cipher support, including support for TLS 1.2. In addition, a few very old, insecure ciphers will no longer be supported.
1. NOTE: This phase is complete in all Geographic Regions as of 29 Apr 2019
Elimination of Support for Insecure Ciphers (Phase 2)- This phase will eliminate additional insecure ciphers, including all support for TLS 1.0 and 1.1.
1. NOTE: This phase is complete in all Geographic Regions. It was done in two separate events
  1. API URL's using the dimensiondata.com and mcp-services.net domains were updated on 06-Dec-2019
  2. All other API URL's were updated on 17-Dec-2019

API Encryption Changes Occurring With Migration to MCP 2.0 Infrastructure (Phase 1)

Effective the day of the migration, the following old, insecure “export” versions of encryption algorithms were no longer supported. It is unlikely these ciphers are required for any current API integrations as we saw little to no usage of these ciphers against the API endpoint prior to the change.

Encryption Protocols No Longer Supported Effective MCP 2.0 Migration

Suite	Bits	Protocol	Cipher	MAC	Key Exchange
EXP1024-DES-CBC-SHA	56	SSL3	DES	SHA	RSA
EXP1024-DES-CBC-SHA	56	TLS 1.0	DES	SHA	RSA
EXP1024-DES-CBC-SHA	56	DTLS1	DES	SHA	RSA
EXP1024-DES-CBC-SHA	56	TLS 1.1	DES	SHA	RSA
EXP1024-DES-CBC-SHA	56	TLS 1.2	DES	SHA	RSA
EXP1024-RC4-MD5	56	SSL3	RC4	MD5	RSA
EXP1024-RC4-MD5	56	TLS 1.0	RC4	MD5	RSA
EXP1024-RC4-MD5	56	TLS 1.1	RC4	MD5	RSA
EXP1024-RC4-MD5	56	TLS 1.2	RC4	MD5	RSA
EXP1024-RC4-SHA	56	SSL3	RC4	SHA	RSA
EXP1024-RC4-SHA	56	TLS 1.0	RC4	SHA	RSA
EXP1024-RC4-SHA	56	TLS 1.1	RC4	SHA	RSA
EXP1024-RC4-SHA	56	TLS 1.2	RC4	SHA	RSA
EXP-DES-CBC-SHA	40	SSL3	DES	SHA	RSA
EXP-DES-CBC-SHA	40	TLS 1.0	DES	SHA	RSA
EXP-DES-CBC-SHA	40	TLS 1.2	DES	SHA	RSA
EXP-RC4-MD5	40	SSL3	RC4	MD5	RSA
EXP-RC4-MD5	40	TLS 1.0	RC4	MD5	RSA
EXP-RC4-MD5	40	TLS 1.2	RC4	MD5	RSA

API Encryption Changes Occurring With Elimination of Support for Insecure Ciphers (Phase 2)

Effective phase 2 on the dates above, we ceased supporting the following set of protocols that are considered insecure by current security standards. Prior to the change, we did see some usage of these ciphers on the current endpoint so we STRONGLY RECOMMEND that all users review any API integrations and ensure these ciphers are not required so that the change does not adversely affect their usage of the API.

Encryption Protocols No Longer Supported Effective Elimination of Support for Insecure Ciphers

Suite	Bits	Protocol	CIPHER	MAC	Key Exchange
RC4-SHA	128	SSL3	RC4	SHA	RSA
RC4-SHA	128	TLS 1.0	RC4	SHA	RSA
RC4-SHA	128	TLS 1.1	RC4	SHA	RSA
RC4-SHA	128	TLS 1.2	RC4	SHA	RSA
RC4-SHA	128	SSL3	RC4	MD5	RSA
RC4-SHA	128	TLS 1.0	RC4	MD5	RSA
RC4-SHA	128	TLS 1.1	RC4	MD5	RSA
RC4-SHA	128	TLS 1.2	RC4	MD5	RSA
DES-CBC-SHA	64	SSL3	DES	SHA	RSA
DES-CBC-SHA	64	TLS 1.0	DES	SHA	RSA
EDE-CBC-SHA	64	SSL3	3DES	SHA	RSA
EDE-CBC-SHA	64	TLS 1.0	3DES	SHA	RSA
EDE-CBC-SHA	64	TLS 1.1	3DES	SHA	RSA
EDE-CBC-SHA	64	TLS 1.2	3DES	SHA	RSA
AES128-SHA	128	SSL3	AES	SHA	RSA
AES256-SHA	256	SSL3	AES	SHA	RSA
AES128-SHA	128	TLS 1.0	AES	SHA	RSA
AES128-SHA	128	TLS 1.1	AES	SHA	RSA

Current List of Supported API Encryption Ciphers And Protocols

The complete list of supported encryption methods now that both phases have been implemented is as follows:

Suite	Bits	Protocol	CIPHER	MAC	Key Exchange
ECDHE-RSA-AES256-GCM-SHA384	256	TLS1.2	AES-GCM	SHA384	ECDHE_RSA
ECDHE-ECDSA-AES256-GCM-SHA384	256	TLS1.2	AES-GCM	SHA384	ECDHE_ECDSA
ECDHE-RSA-AES256-SHA384	256	TLS1.2	AES	SHA384	ECDHE_RSA
ECDHE-ECDSA-AES256-SHA384	256	TLS1.2	AES	SHA384	ECDHE_ECDSA
ECDHE-RSA-AES256-CBC-SHA	256	TLS1.2	AES	SHA	ECDHE_RSA
ECDHE-ECDSA-AES256-SHA	256	TLS1.2	AES	SHA	ECDHE_ECDSA
DHE-DSS-AES256-GCM-SHA384	256	TLS1.2	AES-GCM	SHA384	DHE/DSS
DHE-DSS-AES256-SHA256	256	TLS1.2	AES	SHA256	DHE/DSS
DHE-DSS-AES256-SHA	256	TLS1.2	AES	SHA	DHE/DSS
DHE-DSS-AES256-SHA	256	DTLS1	AES	SHA	DHE/DSS
ECDH-RSA-AES256-GCM-SHA384	256	TLS1.2	AES-GCM	SHA384	ECDH_RSA
ECDH-ECDSA-AES256-GCM-SHA384	256	TLS1.2	AES-GCM	SHA384	ECDH_ECDSA
ECDH-RSA-AES256-SHA384	256	TLS1.2	AES	SHA384	ECDH_RSA
ECDH-ECDSA-AES256-SHA384	256	TLS1.2	AES	SHA384	ECDH_ECDSA
ECDH-RSA-AES256-SHA	256	TLS1.2	AES	SHA	ECDH_RSA
ECDH-ECDSA-AES256-SHA	256	TLS1.2	AES	SHA	ECDH_ECDSA
AES256-GCM-SHA384	256	TLS1.2	AES-GCM	SHA384	RSA
AES256-SHA256	256	TLS1.2	AES	SHA256	RSA
AES256-SHA	256	TLS1.2	AES	SHA	RSA
AES256-SHA	256	DTLS1	AES	SHA	RSA
ECDHE-RSA-DES-CBC3-SHA	168	TLS1.2	DES	SHA	ECDHE_RSA
ECDHE-ECDSA-DES-CBC3-SHA	168	TLS1.2	DES	SHA	ECDHE_ECDSA
ECDH-RSA-DES-CBC3-SHA	168	TLS1.2	DES	SHA	ECDH_RSA
ECDH-ECDSA-DES-CBC3-SHA	168	TLS1.2	DES	SHA	ECDH_ECDSA
DES-CBC3-SHA	168	TLS1.2	DES	SHA	RSA
DES-CBC3-SHA	168	DTLS1	DES	SHA	RSA
ECDHE-RSA-AES128-GCM-SHA256	128	TLS1.2	AES-GCM	SHA256	ECDHE_RSA
ECDHE-ECDSA-AES128-GCM-SHA256	128	TLS1.2	AES-GCM	SHA256	ECDHE_ECDSA
ECDHE-RSA-AES128-SHA256	128	TLS1.2	AES	SHA256	ECDHE_RSA
ECDHE-ECDSA-AES128-SHA256	128	TLS1.2	AES	SHA256	ECDHE_ECDSA
ECDHE-RSA-AES128-CBC-SHA	128	TLS1.2	AES	SHA	ECDHE_RSA
ECDHE-ECDSA-AES128-SHA	128	TLS1.2	AES	SHA	ECDHE_ECDSA
DHE-DSS-AES128-GCM-SHA256	128	TLS1.2	AES	SHA256	DHE/DSS
DHE-DSS-AES128-SHA256	128	TLS1.2	AES	SHA256	DHE/DSS
DHE-DSS-AES128-SHA	128	TLS1.2	AES	SHA	DHE/DSS
DHE-DSS-AES128-SHA	128	DTLS1	AES	SHA	DHE/DSS
ECDH-RSA-AES128-GCM-SHA256	128	TLS1.2	AES-GCM	SHA256	ECDH_RSA
ECDH-ECDSA-AES128-GCM-SHA256	128	TLS1.2	AES-GCM	SHA256	ECDH_ECDSA
ECDH-RSA-AES128-SHA256	128	TLS1.2	AES	SHA256	ECDH_RSA
ECDH-ECDSA-AES128-SHA256	128	TLS1.2	AES	SHA256	ECDH_ECDSA
ECDH-RSA-AES128-SHA	128	TLS1.2	AES	SHA	ECDH_RSA
ECDH-ECDSA-AES128-SHA	128	TLS1.2	AES	SHA	ECDH_ECDSA
AES128-GCM-SHA256	128	TLS1.2	AES-GCM	SHA256	RSA
AES128-SHA256	128	TLS1.2	AES	SHA256	RSA
AES128-SHA	128	TLS1.2	AES	SHA	RSA
AES128-SHA	128	DTLS1	AES	SHA	RSA
DHE-DSS-CAMELLIA256-SHA	256	TLS1.2	CAMELLIA	SHA	DHE/DSS
CAMELLIA256-SHA	256	TLS1.2	CAMELLIA	SHA	RSA
DHE-DSS-CAMELLIA128-SHA	128	TLS1.2	CAMELLIA	SHA	DHE/DSS
CAMELLIA128-SHA	128	TLS1.2	CAMELLIA	SHA	RSA

Content

Space Tools