Supported Ciphers
We will phase out deprecated ciphers in two steps. We are constantly monitoring cipher usage and contact merchants individually if we see affected ciphers in active usage. Nevertheless, we kindly ask you to test your application for proper support of the used cipher suites.
Phase 1 will be implemented with the announced certificate renewal.
Test Environment: 14.06.2022
pay.sandbox.datatrans.com
admin.sandbox.datatrans.com
api.sandbox.datatrans.com
Productive environment: 12.07.2022 (Postponed until further notice)
pay.datatrans.com
admin.datatrans.com
api.datatrans.com
Phase 2 follows after reviewing the change in usage of the phase 1 cipher selection.
Test Environment: 09.08.2022 (Postponed until further notice)
pay.sandbox.datatrans.com
admin.sandbox.datatrans.com
api.sandbox.datatrans.com
Productive environment: 06.09.2022 (Postponed until further notice)
pay.datatrans.com
admin.datatrans.com
api.datatrans.com
In phase 1, we disable weak cipher block chaining (CBC) mode ciphers due to timing vulnerabilities. Additional reading: https://docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode
In phase 2, we continue deprecating ciphers containing Diffie-Hellman key exchange (DHE). While not considered weak when used with a 2048 bit strong key, they are very resource intensive and phased out in favour of Elliptic-curve Diffie–Hellman (ECDH).
The following table shows which ciphers are active/enabled in which phase:
Current | Phase 1 | Phase 2 |
|---|---|---|
TLS_AES_256_GCM_SHA384 ( 0x1302) | TLS_AES_256_GCM_SHA384 ( 0x1302) | TLS_AES_256_GCM_SHA384 ( 0x1302) |
TLS_AES_128_GCM_SHA256 ( 0x1301) | TLS_AES_128_GCM_SHA256 ( 0x1301) | TLS_AES_128_GCM_SHA256 ( 0x1301) |
TLS_CHACHA20_POLY1305_SHA256 ( 0x1303) | TLS_CHACHA20_POLY1305_SHA256 ( 0x1303) | TLS_CHACHA20_POLY1305_SHA256 ( 0x1303) |
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ( 0xc030) | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ( 0xc030) | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ( 0xc030) |
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ( 0xc02f) | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ( 0xc02f) | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ( 0xc02f) |
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ( 0xcca8) | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ( 0xcca8) | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 ( 0xcca8) |
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ( 0x9f) | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ( 0x9f) | - |
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ( 0x9e) | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ( 0x9e) | - |
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 ( 0x6b) | - | - |
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 ( 0x67) | - | - |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ( 0xc028) | - | - |
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ( 0xc014) | - | - |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ( 0xc027) | - | - |
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ( 0xc013) | - | - |
Last modified 1yr ago