- 30 Sep 2025
- 2 Minuten zu lesen
- Drucken
- DunkelLicht
- pdf
Security Update: Enhancing TLS Security at Whatfix
- Aktualisiert am 30 Sep 2025
- 2 Minuten zu lesen
- Drucken
- DunkelLicht
- pdf
Overview
As part of our continuous improvements in security and compliance, Whatfix will disable the TLS cipher suite (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
) on our domains (Whatfix.com and *.whatfix.com).
For more information about the Cipher suite, see Cipher suite.
Weak ciphers expose connections to attacks such as Lucky13, BEAST, and POODLE, and do not meet modern security standards.
Disabling such ciphers helps:
Protect user data confidentiality, integrity, and availability.
Ensure secure connections across all Whatfix services.
Strengthen compliance with industry standards (NIST, OWASP, PCI DSS).
This change ensures that strong, industry-recommended cipher suites are used to establish secure communication with Whatfix services.
What is changing?
Currently, Whatfix supports the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
for backward compatibility in HTTPS connections. This cipher is outdated and does not align with modern security standards.
Weak cipher support will be disabled on 18 October 2025.
What is the impact of the change?
Legacy browsers or clients relying solely on weak ciphers cannot establish secure connections. You might see errors such as:
Cannot establish a secure connection
Unsupported protocol or cipher suite
Here’s the list of browsers that might be impacted:
Chrome: versions earlier than 48
Firefox: versions earlier than 52
Internet Explorer: versions 6 to 11
Edge: versions 12 to 18
Opera: versions earlier than 35
Safari macOS: versions earlier than 13
Safari iOS: versions earlier than 12
Modern browsers (Chrome, Firefox, Edge, Safari, and more) and clients that support strong TLS ciphers will continue to work without any issues.
What are the supported ciphers?
The following secure ciphers remain active:
# TLS 1.3
TLS_AES_128_GCM_SHA256 (0x1301)
TLS_AES_256_GCM_SHA384 (0x1302)
TLS_CHACHA20_POLY1305_SHA256 (0x1303)
# TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
What should you do to ensure compatibility?
To maintain uninterrupted access and secure connections:
Update Browsers: Ensure you are using modern browsers that support strong TLS ciphers.
The following table lists browsers and their recommended versions:
Browser
Recommended Version or Later
Google Chrome
48+
Mozilla Firefox
47+
Microsoft Edge (Chromium)
79+
Safari
12+
Opera
36+
Test Custom Integrations: If you are using custom integrations, test them to confirm they support strong TLS ciphers.
How to test browser compatibility?
Step 1: Test for weak cipher
Open your browser and visit SSL Labs Client Test.
Under Protocol Features, in the Cipher Suites (in order of preferences) section, check which ciphers are supported.
Step 2: Understand your test results
When you run the SSL Labs Client Test, you might see different results depending on your browser’s supported ciphers.
Here’s what they mean:
Both strong and weak ciphers supported:
Your browser automatically uses strong ciphers for secure connections.
No action is required; you will not experience any disruption once a weak cipher is disabled.
Only weak ciphers supported (tagged as WEAK):
Your browser relies solely on outdated encryption methods.
Once weak ciphers are disabled, your browser fails to connect to Whatfix, causing disruption.
Step 3: Update or upgrade your browser
If your browser supports only weak ciphers, upgrade to a recommended version to ensure seamless access to Whatfix.