1. Documentation
  3. Security Alerts
  5. End of support for cipher…

End of support for cipher suites using the CBC mode

Modified on

On July 19th, 2023, at 9am PST, Juniper Mist will end support of cipher suites using the Cipher Block Chaining (CBC) mode of operation on our cloud endpoints. These cipher suites are known to be susceptible to attacks such as padding oracle attack, which can lead to data leaks and other security issues.

We will hold a test deprecation on July 6th, 2023, at 10:00am PST to disable the CBC ciphers.  This test will be in effect for 24 hours so you can test your systems for impact.

A cipher suite is a cryptographic algorithm set to secure network communications. CBC is a mode of operation for block ciphers commonly used in Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. Therefore, modern security standards recommend using more secure cipher suites, such as Galois/Counter Mode (GCM).

Impact of this change

This change affects the systems and software that rely on the following cipher suites to interact with Juniper Mist API and Mist Dashboard / Admin UI:

The following CBC ciphers will end support on Juniper Mist with this change:

  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES256-SHA384

 

The following ciphers are supported for TLS 1.2+ protocols (Server Preferred Order):

  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

Preventive action

Browser support

Most browsers support modern/strong ciphers, such as Galois/Counter Mode (GCM) ciphers, including Mozilla Firefox, Google Chrome, Safari, and Microsoft Edge. We recommend updating your browser to its most current version.

Applications and API integrations support

If applications or API integrations are affected by this change, enable supported ciphers, such as GCM ciphers, in those applications and update API integrations before July 19th, 2023, 9:00 am PST.

To help you prepare for this change, Juniper Mist recommends the following actions:

  • If your systems and software do not support modern cipher suites (such as GCM), upgrade them, or contact your vendor for support.
  • Test your systems and software with our API server that already supports modern cipher suites. This helps you identify and resolve compatibility issues before the change occurs.
  • We will implement a test deprecation on July 6th, 2023, at 10:00am PST to disable the CBC ciphers. This test will be in effect for 24 hours so you can test your systems for impact.
  • Reach out to support@mist.com if you have any questions or concerns.