From the 6th to the 8th of April 2021, Ping will undertake work on our PingOne/PingID endpoints to tighten our security posture. The changes will be rolled through each region outside of core hours.
Change details:
Based on cryptographic research, it is no longer considered safe to decrypt data with the Cipher-Block-Chaining (CBC) mode of symmetric encryption algorithms. CBC cipher modes in the context of the TLS 1.2 protocol are now obsolete and need to be sunset to protect our customers.
The ciphers that will be removed from operation are:
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
Our customers, especially those on the "PingOne SSO for SaaS Apps" platform, are recommended to confirm their applications are compatible with GCM ciphers. For reference, Oracle Java 7 must be on update 191 as a minimum; all versions and updates of Java 8 and 11 are compatible. We always recommend clients are on the latest Java update to maintain forward compatibility. For other development platforms, please refer to their documentation. No modern, supported browser will be impacted by this change.
• Action for customers: please confirm your platform is able to negotiate using modern GCM ciphers for TLSv1.2+.
• The changes will be progressively rolled through the services listed.
• Updates to each region will be targeted to outside of each region's core hours.
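One way to carry out the customer action above, as an added example that is not Ping's code: a Python check that classifies a client's enabled cipher suites against the removal list in this notice and lists the GCM suites the local Python/OpenSSL build offers. The function names and the sample suite lists are constructed for illustration; the notice does not say which GCM suites the endpoints accept, so having a GCM suite enabled is a necessary condition, not a guarantee.

```python
import ssl

# Suites listed for removal, copied from this notice (IANA names).
REMOVED = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}


def audit_client_suites(offered):
    """Classify a client's enabled suites (IANA names) against the notice."""
    offered = [s.strip().upper() for s in offered if s.strip()]
    removed = [s for s in offered if s in REMOVED]
    gcm = [s for s in offered if "_GCM_" in s]
    return {
        "removed": removed,  # will stop working after the change
        "gcm": gcm,          # candidates that can still negotiate
        "only_removed": bool(offered) and len(removed) == len(offered),
        "ready": bool(gcm),  # necessary, not sufficient (see lead-in)
    }


def local_gcm_suites():
    """GCM suites this Python/OpenSSL build enables for TLS 1.2 and later."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return [c["name"] for c in ctx.get_ciphers() if "GCM" in c["name"]]


if __name__ == "__main__":
    # Constructed sample: a legacy client pinned to two CBC suites.
    legacy = [
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    ]
    report = audit_client_suites(legacy)
    print("removed by this change:", report["removed"])
    print("GCM suites enabled:   ", report["gcm"] or "none")
    print("client ready:         ", report["ready"])
    # OpenSSL-style names of what this runtime could offer instead.
    print("local GCM suites:     ", local_gcm_suites())
```

For a Java or other non-Python client, feed the suite names from that platform's own configuration into `audit_client_suites`.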
If you have any questions, comments or concerns, please raise a case via the support portal at https://support.pingidentity.com
Posted on
Mar 2, 16:48 UTC