Announcements

Stay up to date with the latest enhancements to Frisbii. Here you'll find new features and improvements that make managing your billing and payments easier and more efficient. Subscribe today so you never miss an update—and don't forget, your feedback and feature suggestions help us improve too!

8 months ago

API Deprecation of Insecure Ciphers

Billwerk+ will deprecate support for insecure cipher suites. Affected merchants will need to upgrade their TLS library.

DEADLINE: January 6, 2025

If you are using an insecure cipher suite and do not make this update, you’ll no longer be able to use the Billwerk+ API from the deprecation date onward. Notice that is is quite unlikely that you are affected by this change, as only old HTTP client libraries does not support newer more secure ciphers.

Which cipher suites are being deprecated

On or after December 3, 2024, we will be deprecating the following two cipher suites: 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

This means that any client with a TLS library that uses one of these cipher suites, and does not support any of the cipher suites that will continue to be supported, will no longer be able to connect to the Billwerk+ API.

Why we are doing this

The cipher suites that we’re deprecating have a historical track record of security weaknesses. They're still vulnerable to attacks that may enable a bad actor to decrypt data. We consider this to be an unacceptable security risk, especially given our commitment to keeping our customers’ data secure.

What happens if a deprecated cipher suite is continued to be used?

If you continue to use one of the cipher suites we’re deprecating, you won’t be able to access the API. HTTP client libraries will fail to establish a TLS connection to our API. 

What cipher suites will be supported after deprecation?

We will continue to support the following cipher suites after deprecation:

  • TLS 1.3 (suites in server-preferred order)
    TLS_AES_128_GCM_SHA256 (0x1301)
    TLS_AES_256_GCM_SHA384 (0x1302)
    TLS_CHACHA20_POLY1305_SHA256 (0x1303)
  • TLS 1.2 (suites in server-preferred order)
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

What action should I take so that I’m not affected?

If you have a direct API integration with the Billwerk+ API:

  • Ensure the TLS library you’re using supports one of the ciphers listed above

How can I test to ensure I’m using a supported cipher suite?

You can test by making a GET request to the following endpoint that only supports the cipher suites that will still be available after the deprecation of insecure suites:

https://staging-api.reepay.com/info/

If you receive a 200 OK response with JSON content, your client library is not affected by the change.

Example request with Curl

$ curl https://staging-api.reepay.com/info/
{"app.name": "CoreApiApp", ...}
Avatar of authorOle Borup