Important: Security update within Catalog; action required!

KataKeri
Instructure
UPDATE II. (June 27th, 2024)

Based on consultations with our Security Team, we will keep supporting strong TLS 1.2 ciphers, but we advise migrating to TLS 1.3 and letting your users know about it so they can still access your sites.


UPDATE I. (May 8th, 2024)

This change came out of a recent penetration test by our Security Team. It is not a security breach; it is a preventive measure, and impact occurs only for integrations that are using outdated certificates. Since we won't accept outdated certificates after June 3rd, the change can break such integrations; to prevent this, we want to make sure Catalog users have enough time to test it in beta.

If you are using our Catalog public API with a 3rd party tool, please check the certificates/configuration between the two services (your 3rd party tool and Catalog API).

---

May 7th, 2024

Occasionally, unauthorised individuals may try to decrypt Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic between your server and our servers. This becomes feasible when weak encryption methods (cipher suites) are negotiated for the secure connection. To enhance the security of your Catalog instance, it's advisable to permit only robust encryption methods on your web server.

After the fix is released to production (June 3rd, 2024), Catalog will no longer accept the following ciphers:

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003C)
TLS_RSA_WITH_AES_128_CBC_SHA (0x002F)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003D)
TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009C)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009D)

Your security is important to us.

Please verify that the SSL/TLS certificates used in your server-to-server communication (for example, when using the Catalog API) are up to date, and use TLS 1.3, which was released and standardised in 2018.
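To support the verification requested above, here is an added example (not Instructure's code) in Python: it reports which of the listed suites a client's TLS configuration still offers, builds a client context that cannot negotiate any of them, and probes a server to confirm it now refuses them. The code points and IANA names come from the list above; the OpenSSL alias names and the cipher string are standard OpenSSL values, not from the announcement.

```python
import socket
import ssl

# Suites Catalog stops accepting after June 3rd, 2024: IANA code point -> (IANA name, OpenSSL name).
# Code points and IANA names are from the announcement; the OpenSSL aliases are the standard ones.
CATALOG_DEPRECATED = {
    0x003C: ("TLS_RSA_WITH_AES_128_CBC_SHA256", "AES128-SHA256"),
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA"),
    0x003D: ("TLS_RSA_WITH_AES_256_CBC_SHA256", "AES256-SHA256"),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", "AES256-SHA"),
    0xC027: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE-RSA-AES128-SHA256"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-SHA"),
    0xC028: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "ECDHE-RSA-AES256-SHA384"),
    0xC014: ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "ECDHE-RSA-AES256-SHA"),
    0x009C: ("TLS_RSA_WITH_AES_128_GCM_SHA256", "AES128-GCM-SHA256"),
    0x009D: ("TLS_RSA_WITH_AES_256_GCM_SHA384", "AES256-GCM-SHA384"),
}

def offered_code_points(ctx: ssl.SSLContext) -> set:
    """IANA code points of every suite the context offers (OpenSSL ids are 0x0300xxxx)."""
    return {c["id"] & 0xFFFF for c in ctx.get_ciphers()}

def deprecated_among(code_points) -> list:
    """Sorted IANA names of Catalog-deprecated suites found among the given code points."""
    return sorted(CATALOG_DEPRECATED[cp][0] for cp in set(code_points) if cp in CATALOG_DEPRECATED)

def hardened_client_context() -> ssl.SSLContext:
    """Client context that cannot negotiate any listed suite: TLS 1.2+, and for TLS 1.2 only
    forward-secret AEAD suites. set_ciphers() does not touch the TLS 1.3 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    return ctx

def server_still_accepts_deprecated(host: str, port: int = 443):
    """Offer only the deprecated suites over TLS 1.2; return the negotiated cipher name,
    or None when the server refuses them all (the expected result after June 3rd)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(openssl for _, openssl in CATALOG_DEPRECATED.values()))
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLError:
        return None
```

Run `deprecated_among(offered_code_points(ssl.create_default_context()))` to see what your own client library still offers, and point `server_still_accepts_deprecated` at your Catalog beta host to confirm the suites are refused.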

For more details, please review the API and CI Change Log.

This change is now available in Catalog beta.
