Security Update: Enhancing TLS Security at Whatfix

Overview

As part of our continuous improvements in security and compliance, Whatfix will disable the TLS cipher suite (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) on our domains (Whatfix.com and *.whatfix.com).

For more information about the Cipher suite, see Cipher suite.

Weak ciphers expose connections to attacks such as Lucky13, BEAST, and POODLE, and do not meet modern security standards.  

Disabling such ciphers helps:

• Protect user data confidentiality, integrity, and availability.

• Ensure secure connections across all Whatfix services.

• Strengthen compliance with industry standards (NIST, OWASP, PCI DSS).

This change ensures that strong, industry-recommended cipher suites are used to establish secure communication with Whatfix services.

What is changing?

Currently, Whatfix supports the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for backward compatibility in HTTPS connections. This cipher is outdated and does not align with modern security standards.

Weak cipher support will be disabled on 18 October 2025.

What is the impact of the change?

• Legacy browsers or clients relying solely on weak ciphers cannot establish secure connections. You might see errors such as:

  • Cannot establish a secure connection

  • Unsupported protocol or cipher suite

  Here’s the list of browsers that might be impacted:

  • Chrome: versions earlier than 48

  • Firefox: versions earlier than 52

  • Internet Explorer: versions 6 to 11

  • Edge: versions 12 to 18

  • Opera: versions earlier than 35

  • Safari macOS: versions earlier than 13

  • Safari iOS: versions earlier than 12

    
    

• Modern browsers (Chrome, Firefox, Edge, Safari, and more) and clients that support strong TLS ciphers will continue to work without any issues.

What are the supported ciphers?

The following secure ciphers remain active:

• # TLS 1.3

  • TLS_AES_128_GCM_SHA256 (0x1301)  

  • TLS_AES_256_GCM_SHA384 (0x1302)  

  • TLS_CHACHA20_POLY1305_SHA256 (0x1303)  
    

• # TLS 1.2

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)  

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)

What should you do to ensure compatibility?

To maintain uninterrupted access and secure connections:

• Update Browsers: Ensure you are using modern browsers that support strong TLS ciphers.

  The following table lists browsers and their recommended versions:

  Browser	Recommended Version or Later
  Google Chrome	48+
  Mozilla Firefox	47+
  Microsoft Edge (Chromium)	79+
  Safari	12+
  Opera	36+

• Test Custom Integrations: If you are using custom integrations, test them to confirm they support strong TLS ciphers.

How to test browser compatibility?

Step 1: Test for weak cipher

1. Open your browser and visit SSL Labs Client Test.

2. Under Protocol Features, in the Cipher Suites (in order of preferences) section, check which ciphers are supported.

Step 2: Understand your test results

When you run the SSL Labs Client Test, you might see different results depending on your browser’s supported ciphers.

Here’s what they mean:

• Both strong and weak ciphers supported:

  • Your browser automatically uses strong ciphers for secure connections.

  • No action is required; you will not experience any disruption once a weak cipher is disabled.
    

• Only weak ciphers supported (tagged as WEAK):

  • Your browser relies solely on outdated encryption methods.

  • Once weak ciphers are disabled, your browser fails to connect to Whatfix, causing disruption.
    

Step 3: Update or upgrade your browser

If your browser supports only weak ciphers, upgrade to a recommended version to ensure seamless access to Whatfix.