Removing weak cipher support in TLS 1.2

This article explains a security enhancement we are planning to perform on the monday.com platform.

We currently support transport encrypted using TLS 1.3 and TLS 1.2. TLS 1.2 contains encryption methods (also known as ciphers) that, with the advance in computing power, are today considered weak. We plan to remove the support for those ciphers in early 2023.

Support for TLS 1.3 will remain unchanged.

What systems will be affected?

This change will affect customers who have server components hosted on Windows Server 2012 R2, Windows 8.1, or earlier.

How can I test if I am affected?

Open the terminal or shell and run the following commands:

Linux or Mac: curl -i https://monday-ciphers-test.com
Windows Powershell: Invoke-WebRequest -URI https://monday-ciphers-test.com
Windows shell: explorer https://monday-ciphers-test.com

What ciphers can I use?

These are the TLS 1.2 ciphers that we will support:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
• OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

The following TLS 1.2 weak ciphers will not be supported:

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
• TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
• TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
• TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
• TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
• TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)

How can I get help?

If you have any questions about this change, you can post them in our Developers' Community.