What are the Ciphers needed for TLS 1.2

We try to connect to Personio API from Windows Server 2012 R2. Now getting the error: Es konnte kein geschützter SSL/TLS-Kanal erstellt werden

This could be caused by non-matching ciphers. What Ciphers does Personio API require for TLS 1.2?

https://developer.personio.de/reference/auth-1

Admin

Hello Tom,

Thank you for reaching out to us. We are in contact with our Security team and will keep you posted as soon as we hear back from them.

Thanks,

Amrit

@Amrit, thanks, when can we expect an answer?

Admin

Hello Tom,

Apologies for the delayed reply on account of Easter break! I received the following response from our security team:

"What ciphers we offer is by necessity public.
It works like this: When a client (like a browser) wants to connect to a server, the server responds with a list of supported ciphers.
The easiest way to check those is with tools like this: https://www.ssllabs.com/ssltest/index.html

In their request, they mentioned that they are using Windows Server 2012 R2.
Old Windows Server versions don’t get all the latest patches, so they often don’t support modern TLS standards.
Unfortunately, we can’t lower those, because that would affect the security of all of our customers.
Those standards exist for a good reason.

A workaround I’ve seen used in the past is to not use the tools that were built into old Windows Server versions:

  • Instead of Internet Explorer, use a current version of Firefox or Google Chrome
  • Instead of PowerShell Invoke-WebRequest, use a current version of cURL
  • etc.

I hope this helps."

If you have any further specific questions/clarifications on this piece, feel free to shoot them over and I will try and get them answered.

Thank you for using Personio APIs.

Amrit

Hi Amrit,

That means that Windows Server 2012 R2 is not supported to connect to your API. Checking SSLLabs for api.personio.de reveals the following 2 cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

None of these are available on Windows Server 2012 R2. They come first in Windows Server 2016. See here: https://learn.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1607

Could you confirm this with your team so we can have an official confirmation?

Thank you!
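
One way to check the mismatch described in the post above on the Windows host itself, as an added example that is not part of the thread: it reads the Schannel cipher suite order from the registry and compares it with the two suites listed above. The registry paths are the standard Schannel locations; stripping the curve suffix (`_P256` etc.) assumes the suite naming used by Windows versions before Windows 10.

```powershell
# Added example, not code from the thread.
# The two suites reported for api.personio.de in the post above.
$required = @(
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'
)

# Group Policy override (single comma-separated string); wins when present.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
# Local default order (multi-string value).
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-ConfiguredSuites {
    $policy = (Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if ($policy) {
        $list = @($policy -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        return @{ Source = 'Group Policy'; Suites = $list }
    }
    $local = (Get-ItemProperty -Path $localKey -Name Functions -ErrorAction SilentlyContinue).Functions
    return @{ Source = 'Local default'; Suites = @($local | Where-Object { $_ }) }
}

$config = Get-ConfiguredSuites

# Older Windows versions append the curve to ECDHE suite names,
# e.g. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256. Strip it before comparing.
$normalized = @($config.Suites |
    ForEach-Object { $_ -replace '_P(256|384|521)$', '' } |
    Select-Object -Unique)

"Cipher suite order source: $($config.Source) ($($config.Suites.Count) entries)"
foreach ($suite in $required) {
    $state = if ($normalized -contains $suite) { 'configured' } else { 'MISSING' }
    '{0,-45} {1}' -f $suite, $state
}

# No shared suite means the handshake cannot complete through Schannel.
if (-not ($required | Where-Object { $normalized -contains $_ })) {
    'No overlap with the server: Schannel-based clients on this host cannot complete the TLS handshake.'
}
```

Internet Explorer and `Invoke-WebRequest` both negotiate TLS through Schannel, so this result applies to them; clients that ship their own TLS stack are not covered by this check.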

Admin

Hey Tom,

I can confirm that these cipher suites are the ones that are used and please do note that these are subject to change in the future.

Thank you,

Amrit

Admin

Hey Tom,

If it is alright with you, we will go ahead and mark this thread as Answered. Feel free to open a new thread if you have any further clarifications/questions about the Personio Public API.

Thank you for using Personio APIs.

Amrit

Marked as answered by Amrit Vanchinathan