Description

This article explains the changes made in 2019 to the TLS protocol versions and cipher suites accepted by the CloudControl API endpoints, and what API integrations must support in order to keep working.

Background

The CloudControl API endpoints use HTTPS, that is HTTP over TLS (still commonly referred to as SSL), to encrypt communications with the client. Each encrypted session uses a "cipher suite": a named combination of key-exchange, authentication, bulk-encryption and message-authentication algorithms. During the TLS handshake the client sends the list of protocol versions and cipher suites it supports, and the endpoint selects one suite that both sides support. If there is no protocol version or no cipher suite in common, the handshake fails and no TLS connection can be established; the client sees a handshake error rather than an HTTP error and cannot communicate with the API endpoint at all.

Overview

NTT-CIS is migrating the CloudControl application infrastructure from the MCP 1.0 to the MCP 2.0 data center network configuration. As part of this migration we are changing the protocol versions and cipher suites accepted by the CloudControl API endpoint. All modern web browsers support the suites we are moving to, and few still support the suites we are eliminating. However, API integrations built on legacy TLS libraries may not support the new suites and will need to be updated to remain compatible with our new API encryption standards. Specifically, an integration must be able to negotiate TLS 1.2 and must offer at least one of the cipher suites supported by the CloudControl API endpoint (listed at the end of this article). A client that cannot do both will fail during the TLS handshake and will be unable to communicate with the API endpoint after the change.

The changes were applied in two phases:

  1. Migration to MCP 2.0 Infrastructure (Phase 1) - This phase introduced more modern, secure cipher suites, including support for TLS 1.2. In addition, a few very old, insecure "export" suites were dropped.
    1. NOTE: This phase is complete in all Geographic Regions as of 
  2. Elimination of Support for Insecure Ciphers (Phase 2) - This phase removed additional insecure cipher suites, including all support for TLS 1.0 and 1.1.
    1. NOTE: This phase is complete in all Geographic Regions. It was done in two separate events:
      1. API URLs using the dimensiondata.com and mcp-services.net domains were updated on 06-Dec-2019
      2. All other API URLs were updated on 17-Dec-2019

API Encryption Changes Occurring With Migration to MCP 2.0 Infrastructure (Phase 1)

Effective the day of the migration, the following old, insecure "export" cipher suites were no longer supported. Export suites deliberately cap the effective key length at 40 or 56 bits (the 1990s US export limit), which is well within reach of brute force today. It is unlikely these suites are required by any current API integration, as we saw little to no usage of them against the API endpoint prior to the change.

Cipher Suites No Longer Supported Effective MCP 2.0 Migration (Phase 1)

Suite                  Bits  Protocol  Cipher  MAC  Key Exchange
EXP1024-DES-CBC-SHA    56    SSL3      DES     SHA  RSA
EXP1024-DES-CBC-SHA    56    TLS 1.0   DES     SHA  RSA
EXP1024-DES-CBC-SHA    56    DTLS1     DES     SHA  RSA
EXP1024-DES-CBC-SHA    56    TLS 1.1   DES     SHA  RSA
EXP1024-DES-CBC-SHA    56    TLS 1.2   DES     SHA  RSA
EXP1024-RC4-MD5        56    SSL3      RC4     MD5  RSA
EXP1024-RC4-MD5        56    TLS 1.0   RC4     MD5  RSA
EXP1024-RC4-MD5        56    TLS 1.1   RC4     MD5  RSA
EXP1024-RC4-MD5        56    TLS 1.2   RC4     MD5  RSA
EXP1024-RC4-SHA        56    SSL3      RC4     SHA  RSA
EXP1024-RC4-SHA        56    TLS 1.0   RC4     SHA  RSA
EXP1024-RC4-SHA        56    TLS 1.1   RC4     SHA  RSA
EXP1024-RC4-SHA        56    TLS 1.2   RC4     SHA  RSA
EXP-DES-CBC-SHA        40    SSL3      DES     SHA  RSA
EXP-DES-CBC-SHA        40    TLS 1.0   DES     SHA  RSA
EXP-DES-CBC-SHA        40    TLS 1.2   DES     SHA  RSA
EXP-RC4-MD5            40    SSL3      RC4     MD5  RSA
EXP-RC4-MD5            40    TLS 1.0   RC4     MD5  RSA
EXP-RC4-MD5            40    TLS 1.2   RC4     MD5  RSA

API Encryption Changes Occurring With Elimination of Support for Insecure Ciphers (Phase 2)

Effective the Phase 2 dates above, we ceased supporting the cipher suites and protocol versions listed below, which current security standards consider insecure: the RC4 stream cipher, single DES, MD5-based MACs, and SSL 3.0, TLS 1.0 and TLS 1.1 as protocol versions. Because TLS 1.0 and 1.1 were disabled outright, every suite that remains is now available on TLS 1.2 only. Prior to the change we did see some usage of these suites on the endpoint, so we STRONGLY RECOMMEND that all users review their API integrations and confirm that none of these suites or protocol versions is required, so that the change does not adversely affect their use of the API.

Cipher Suites No Longer Supported Effective Elimination of Support for Insecure Ciphers (Phase 2)

Suite         Bits  Protocol  Cipher  MAC  Key Exchange
RC4-SHA       128   SSL3      RC4     SHA  RSA
RC4-SHA       128   TLS 1.0   RC4     SHA  RSA
RC4-SHA       128   TLS 1.1   RC4     SHA  RSA
RC4-SHA       128   TLS 1.2   RC4     SHA  RSA
RC4-MD5       128   SSL3      RC4     MD5  RSA
RC4-MD5       128   TLS 1.0   RC4     MD5  RSA
RC4-MD5       128   TLS 1.1   RC4     MD5  RSA
RC4-MD5       128   TLS 1.2   RC4     MD5  RSA
DES-CBC-SHA   64    SSL3      DES     SHA  RSA
DES-CBC-SHA   64    TLS 1.0   DES     SHA  RSA
EDE-CBC-SHA   64    SSL3      3DES    SHA  RSA
EDE-CBC-SHA   64    TLS 1.0   3DES    SHA  RSA
EDE-CBC-SHA   64    TLS 1.1   3DES    SHA  RSA
EDE-CBC-SHA   64    TLS 1.2   3DES    SHA  RSA
AES128-SHA    128   SSL3      AES     SHA  RSA
AES256-SHA    256   SSL3      AES     SHA  RSA
AES128-SHA    128   TLS 1.0   AES     SHA  RSA
AES128-SHA    128   TLS 1.1   AES     SHA  RSA

Current List of Supported API Encryption Ciphers And Protocols

The complete list of cipher suites and protocol versions supported now that both phases have been implemented is as follows. Every row is TLS 1.2 (or DTLS 1.0, which does not apply to HTTPS since HTTPS runs over TCP); no SSL 3.0, TLS 1.0 or TLS 1.1 rows remain.

Suite                          Bits  Protocol  Cipher    MAC     Key Exchange
ECDHE-RSA-AES256-GCM-SHA384    256   TLS 1.2   AES-GCM   SHA384  ECDHE_RSA
ECDHE-ECDSA-AES256-GCM-SHA384  256   TLS 1.2   AES-GCM   SHA384  ECDHE_ECDSA
ECDHE-RSA-AES256-SHA384        256   TLS 1.2   AES       SHA384  ECDHE_RSA
ECDHE-ECDSA-AES256-SHA384      256   TLS 1.2   AES       SHA384  ECDHE_ECDSA
ECDHE-RSA-AES256-CBC-SHA       256   TLS 1.2   AES       SHA     ECDHE_RSA
ECDHE-ECDSA-AES256-SHA         256   TLS 1.2   AES       SHA     ECDHE_ECDSA
DHE-DSS-AES256-GCM-SHA384      256   TLS 1.2   AES-GCM   SHA384  DHE/DSS
DHE-DSS-AES256-SHA256          256   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES256-SHA             256   TLS 1.2   AES       SHA     DHE/DSS
DHE-DSS-AES256-SHA             256   DTLS1     AES       SHA     DHE/DSS
ECDH-RSA-AES256-GCM-SHA384     256   TLS 1.2   AES-GCM   SHA384  ECDH_RSA
ECDH-ECDSA-AES256-GCM-SHA384   256   TLS 1.2   AES-GCM   SHA384  ECDH_ECDSA
ECDH-RSA-AES256-SHA384         256   TLS 1.2   AES       SHA384  ECDH_RSA
ECDH-ECDSA-AES256-SHA384       256   TLS 1.2   AES       SHA384  ECDH_ECDSA
ECDH-RSA-AES256-SHA            256   TLS 1.2   AES       SHA     ECDH_RSA
ECDH-ECDSA-AES256-SHA          256   TLS 1.2   AES       SHA     ECDH_ECDSA
AES256-GCM-SHA384              256   TLS 1.2   AES-GCM   SHA384  RSA
AES256-SHA256                  256   TLS 1.2   AES       SHA256  RSA
AES256-SHA                     256   TLS 1.2   AES       SHA     RSA
AES256-SHA                     256   DTLS1     AES       SHA     RSA
ECDHE-RSA-DES-CBC3-SHA         168   TLS 1.2   3DES      SHA     ECDHE_RSA
ECDHE-ECDSA-DES-CBC3-SHA       168   TLS 1.2   3DES      SHA     ECDHE_ECDSA
ECDH-RSA-DES-CBC3-SHA          168   TLS 1.2   3DES      SHA     ECDH_RSA
ECDH-ECDSA-DES-CBC3-SHA        168   TLS 1.2   3DES      SHA     ECDH_ECDSA
DES-CBC3-SHA                   168   TLS 1.2   3DES      SHA     RSA
DES-CBC3-SHA                   168   DTLS1     3DES      SHA     RSA
ECDHE-RSA-AES128-GCM-SHA256    128   TLS 1.2   AES-GCM   SHA256  ECDHE_RSA
ECDHE-ECDSA-AES128-GCM-SHA256  128   TLS 1.2   AES-GCM   SHA256  ECDHE_ECDSA
ECDHE-RSA-AES128-SHA256        128   TLS 1.2   AES       SHA256  ECDHE_RSA
ECDHE-ECDSA-AES128-SHA256      128   TLS 1.2   AES       SHA256  ECDHE_ECDSA
ECDHE-RSA-AES128-CBC-SHA       128   TLS 1.2   AES       SHA     ECDHE_RSA
ECDHE-ECDSA-AES128-SHA         128   TLS 1.2   AES       SHA     ECDHE_ECDSA
DHE-DSS-AES128-GCM-SHA256      128   TLS 1.2   AES-GCM   SHA256  DHE/DSS
DHE-DSS-AES128-SHA256          128   TLS 1.2   AES       SHA256  DHE/DSS
DHE-DSS-AES128-SHA             128   TLS 1.2   AES       SHA     DHE/DSS
DHE-DSS-AES128-SHA             128   DTLS1     AES       SHA     DHE/DSS
ECDH-RSA-AES128-GCM-SHA256     128   TLS 1.2   AES-GCM   SHA256  ECDH_RSA
ECDH-ECDSA-AES128-GCM-SHA256   128   TLS 1.2   AES-GCM   SHA256  ECDH_ECDSA
ECDH-RSA-AES128-SHA256         128   TLS 1.2   AES       SHA256  ECDH_RSA
ECDH-ECDSA-AES128-SHA256       128   TLS 1.2   AES       SHA256  ECDH_ECDSA
ECDH-RSA-AES128-SHA            128   TLS 1.2   AES       SHA     ECDH_RSA
ECDH-ECDSA-AES128-SHA          128   TLS 1.2   AES       SHA     ECDH_ECDSA
AES128-GCM-SHA256              128   TLS 1.2   AES-GCM   SHA256  RSA
AES128-SHA256                  128   TLS 1.2   AES       SHA256  RSA
AES128-SHA                     128   TLS 1.2   AES       SHA     RSA
AES128-SHA                     128   DTLS1     AES       SHA     RSA
DHE-DSS-CAMELLIA256-SHA        256   TLS 1.2   CAMELLIA  SHA     DHE/DSS
CAMELLIA256-SHA                256   TLS 1.2   CAMELLIA  SHA     RSA
DHE-DSS-CAMELLIA128-SHA        128   TLS 1.2   CAMELLIA  SHA     DHE/DSS
CAMELLIA128-SHA                128   TLS 1.2   CAMELLIA  SHA     RSA

Two practical notes on reading this list. First, which rows a given endpoint can actually negotiate also depends on the certificate it presents: the DHE/DSS rows require a DSA certificate, the ECDHE_ECDSA and ECDH_ECDSA rows require an EC certificate, and the ECDHE_RSA, ECDH_RSA and RSA rows require an RSA certificate. A client that offers only suites for a key type the endpoint does not have will still fail to connect, so check the endpoint's certificate type as well as the suite names. Second, the 3DES (DES-CBC3-SHA) and CBC-mode SHA-1 suites remain for compatibility only; integrations should prefer the ECDHE AES-GCM suites, which provide forward secrecy and an authenticated (AEAD) cipher, and treat 3DES as a last resort.
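The check the Overview asks integrators to perform (does my client speak TLS 1.2 and offer at least one suite on the list above?) can be done offline. The following is an added example, not NTT-CIS code: it uses only the Python standard library, transcribes the TLS 1.2 rows of the table above into a set of OpenSSL suite names, and uses ssl.SSLContext.get_ciphers() to expand a client's cipher configuration into the concrete suites it would offer in its ClientHello. The SSLContext objects stand in for an integration's real TLS settings; no connection is opened, and the cipher strings used for the legacy cases are constructed for the demonstration.

```python
"""Offline compatibility check of a client's TLS settings against the
CloudControl API cipher policy described in this article.

Added example (not NTT-CIS code), standard library only. get_ciphers()
expands a context's cipher string into the suites that client would put in
its ClientHello, so the overlap with the endpoint's list is computed
without connecting to anything.
"""
import ssl
from typing import Dict, List, Optional

# OpenSSL names of the TLS 1.2 rows of the "Current List of Supported API
# Encryption Ciphers And Protocols" table. DTLS rows are omitted (HTTPS runs
# over TCP); the table's ECDHE-*-CBC-SHA rows use OpenSSL's spelling here.
ENDPOINT_SUITES = frozenset({
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA", "ECDHE-ECDSA-AES256-SHA",
    "DHE-DSS-AES256-GCM-SHA384", "DHE-DSS-AES256-SHA256", "DHE-DSS-AES256-SHA",
    "ECDH-RSA-AES256-GCM-SHA384", "ECDH-ECDSA-AES256-GCM-SHA384",
    "ECDH-RSA-AES256-SHA384", "ECDH-ECDSA-AES256-SHA384",
    "ECDH-RSA-AES256-SHA", "ECDH-ECDSA-AES256-SHA",
    "AES256-GCM-SHA384", "AES256-SHA256", "AES256-SHA",
    "ECDHE-RSA-DES-CBC3-SHA", "ECDHE-ECDSA-DES-CBC3-SHA",
    "ECDH-RSA-DES-CBC3-SHA", "ECDH-ECDSA-DES-CBC3-SHA", "DES-CBC3-SHA",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA", "ECDHE-ECDSA-AES128-SHA",
    "DHE-DSS-AES128-GCM-SHA256", "DHE-DSS-AES128-SHA256", "DHE-DSS-AES128-SHA",
    "ECDH-RSA-AES128-GCM-SHA256", "ECDH-ECDSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES128-SHA256", "ECDH-ECDSA-AES128-SHA256",
    "ECDH-RSA-AES128-SHA", "ECDH-ECDSA-AES128-SHA",
    "AES128-GCM-SHA256", "AES128-SHA256", "AES128-SHA",
    "DHE-DSS-CAMELLIA256-SHA", "CAMELLIA256-SHA",
    "DHE-DSS-CAMELLIA128-SHA", "CAMELLIA128-SHA",
})


def why_unsupported(suite: str) -> Optional[str]:
    """Classify a suite the way the article's two phases do; None if still served."""
    if suite in ENDPOINT_SUITES:
        return None
    if suite.startswith("EXP"):
        return "export-grade key length (removed in Phase 1)"
    if "RC4" in suite:
        return "RC4 stream cipher (removed in Phase 2)"
    if "MD5" in suite:
        return "MD5 MAC (removed in Phase 2)"
    if "DES-CBC-" in suite:  # single DES (DES-CBC-SHA); 3DES is spelled DES-CBC3
        return "56-bit single DES (removed in Phase 2)"
    return "never on the endpoint's supported list"


def tls12_reachable(ctx: ssl.SSLContext) -> bool:
    """True if the context's version bounds admit TLS 1.2, the only version left after Phase 2."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_ok = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= ssl.TLSVersion.TLSv1_2
    hi_ok = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or hi >= ssl.TLSVersion.TLSv1_2
    return lo_ok and hi_ok


def client_context(cipher_string: Optional[str] = None,
                   max_version: Optional[str] = None) -> Optional[ssl.SSLContext]:
    """Stand-in for an integration's TLS settings (hypothetical helper).

    cipher_string is an OpenSSL cipher list; max_version is a name from
    ssl.TLSVersion (e.g. "TLSv1_1" emulates a client capped below TLS 1.2).
    Returns None when this OpenSSL build can offer none of the requested
    suites, which for the handshake is the same as having nothing in common.
    """
    ctx = ssl.create_default_context()
    if max_version is not None:
        ctx.maximum_version = ssl.TLSVersion[max_version]
    if cipher_string is not None:
        try:
            ctx.set_ciphers(cipher_string)
        except ssl.SSLError:  # "No cipher can be selected": all requested suites absent or disallowed
            return None
    return ctx


def compatibility_report(ctx: Optional[ssl.SSLContext]) -> Dict[str, object]:
    """Predict the handshake outcome between ctx and the endpoint without connecting."""
    if ctx is None:
        return {"tls12": False, "negotiable": [], "unsupported": {}, "ok": False}
    # TLS 1.3 suites are negotiated by a separate mechanism and the endpoint
    # lists only TLS 1.2, so they take no part in the overlap.
    offered: List[str] = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    tls12 = tls12_reachable(ctx)
    negotiable = [s for s in offered if s in ENDPOINT_SUITES] if tls12 else []
    unsupported = {s: why_unsupported(s) for s in offered if s not in ENDPOINT_SUITES}
    return {"tls12": tls12, "negotiable": negotiable, "unsupported": unsupported,
            "ok": tls12 and bool(negotiable)}


if __name__ == "__main__":
    cases = {
        "current library, default settings": client_context(),
        "legacy client offering only RC4 suites": client_context("RC4-SHA:RC4-MD5"),
        "client capped at TLS 1.1": client_context(max_version="TLSv1_1"),
    }
    for label, ctx in cases.items():
        report = compatibility_report(ctx)
        print(f"{label}: {'OK' if report['ok'] else 'HANDSHAKE WOULD FAIL'}; "
              f"negotiable={report['negotiable'][:3]}")
```

The report's "negotiable" list is in the client's preference order, so its first entry is what a handshake would most likely select if the endpoint honours client preference; an empty list with "tls12" true means a cipher-suite mismatch, while "tls12" false means a protocol-version mismatch, and the two need different fixes in the client library. To confirm against the live endpoint rather than a local prediction, `openssl s_client -connect <api-host>:443 -tls1_1` should now be refused and `openssl s_client -connect <api-host>:443 -tls1_2` should report one of the suites above, where `<api-host>` is the API hostname for your region.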