Changes planned on secure connections to bpost webservices
Scope of the changes
1. SSLv3 will not be longer supported.
SSLv3 protocol will be disabled. TLS 1.0, TLS 1.1 and TLS 1.2 are already and will remain supported by bpost secure web infrastructure.
Impact: Clients only supporting SSLv3 protocol will be unable to connect after the change.
2. Weak cipher suites will not be longer supported.
Weak ciphers such as those using MD5, RC2, RC4, short key lengths or Export (EXP) level will not be anymore supported. The ciphers listed below are already and will remain supported:
• TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
• TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
• TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
• TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
Impact: Clients only supporting weak ciphers will be unable to connect after the change.
3. New root CA will sign our bpost certificates..
The server certificates presented by bpost secure web infrastructure will be signed by a different Root CA: DigiCert instead of Certipost. The new root CA is:
DigiCert High Assurance EV Root CA Fingerprint: 5fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25
RSA 2048 bits (e 65537) / SHA1withRSA
In case the root CA is not included in the CA store of your systems used to connect to bpost, you need to install it. You can download the “DigiCert High Assurance EV Root CA” Root CA certificate from this link:
Impact: Clients not trusting the above mentioned certificate and enforcing SSL-server-certificate checks will be unable to connect after the change.
Execution of these changes is planned on Thursday 19th of March at 7h00 AM.
Please ask your ICT technical support to verify if your systems (servers, user devices) connecting to bpost websites or web services will be impacted by these changes. In case of impact please remediate before Thursday 19th of March at 7h00 AM.