Changing our supported SSL/TLS ciphers

Hello,

We’re making updates to our SSL configuration which may affect how you connect to the FreeAgent API. We will be contacting you directly if we think you’re affected, but if you’d like peace of mind, we’d urge you to run a short test of your app against our API sandbox between now and the end of May.


To keep up with industry recommendations for website security, we’re removing support for some older SSL ciphers that are used to secure HTTPS connections to FreeAgent.

From today, Tuesday 21st April, we’ve updated our API sandbox to remove support for a number of SSL ciphers (“CBC ciphers”) so you as API developers are able to test your apps against it. We’re aware of about eight apps that have sometimes been seen to use these ciphers and will make contact with the developers directly to ask them to re-test. We would urge all developers to run a short test to confirm that they can still connect to the API sandbox (a full re-test isn’t necessary).

We expect almost all apps to continue working without any noticeable change, as only a very small percentage of our traffic uses those marked for removal. If your app does have trouble connecting to the API sandbox with SSL issues, upgrading your framework, runtime or libraries should resolve the issue. If you have any custom SSL configuration, ensure GCM ciphers are enabled - our full list of supported SSL ciphers is at the bottom of this post.

After Friday 29th May, we’ll be looking to remove these ciphers from our production API as well. If you have difficulty with this change, please do contact us at support@freeagent.com or on this forum.

Dominic Cleal
Operations Engineer at FreeAgent


Supported SSL ciphers from 29th May 2020 (under TLS v1.2):

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384

Ciphers to be removed from API sandbox and then production by 29th May 2020:

ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA384

The change proposed for after 29th May 2020 has been cancelled, so the supported SSL cipher suites in production will remain as the list given above. The two ciphers that were scheduled to be removed will continue to be supported.
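
For client developers checking a custom SSL configuration against the lists above, the following is an added example (not FreeAgent's code) that compares the cipher names a Python/OpenSSL runtime would offer with the supported GCM list and the two CBC suites. The function names `assess` and `local_ciphers` and the custom cipher string are assumptions made for illustration.

```python
import ssl

# Cipher lists copied from the announcement above (OpenSSL names, TLS v1.2).
SUPPORTED = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
]
SCHEDULED_FOR_REMOVAL = [
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
]


def assess(client_ciphers):
    """Compare a client's offered cipher names with the announcement's lists."""
    offered = set(client_ciphers)
    gcm = [c for c in SUPPORTED if c in offered]
    cbc = [c for c in SCHEDULED_FOR_REMOVAL if c in offered]
    if gcm:
        status = "ok"            # at least one GCM suite from the supported list
    elif cbc:
        status = "cbc-only"      # relies solely on the two CBC suites
    else:
        status = "no-overlap"    # nothing in common with either list
    return {"status": status, "gcm": gcm, "cbc": cbc}


def local_ciphers(cipher_string=None):
    """Names this Python/OpenSSL build would offer, optionally after a custom
    cipher string (the kind of custom SSL configuration the post mentions)."""
    ctx = ssl.create_default_context()
    try:
        if cipher_string:
            ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []                # the string selected no cipher at all
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print("runtime defaults:", assess(local_ciphers()))
    # Constructed example of a restrictive custom configuration.
    print("custom string   :", assess(local_ciphers("ECDHE-RSA-AES128-SHA256")))
```

A `cbc-only` or `no-overlap` result for your real configuration means the client depends on suites outside the GCM list and is worth a connection test against the API sandbox.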