Updating TLS Ciphers for Secure SSL Handshake
Details of ciphers we'll be deprecating in July 2023.
Introduction
In our effort to continue to protect your data and maintain Coupa’s security standards, we periodically update our encryption posture, including the cryptographic ciphers our systems support.
Upcoming changes
Support for the following out-of-date ciphers will be removed from our systems.
| Cipher Suite | OpenSSL CipherSuite Name |
|---|---|
| TLS_RSA_WITH_AES_256_GCM_SHA384 | AES256-GCM-SHA384 |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | AES256-SHA256 |
| TLS_RSA_WITH_AES_256_CBC_SHA | AES256-SHA |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | AES128-GCM-SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | AES128-SHA256 |
| TLS_RSA_WITH_AES_128_CBC_SHA | AES128-SHA |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | ECDHE-RSA-AES256-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDHE-RSA-AES256-SHA |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | ECDHE-RSA-AES128-SHA256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | ECDHE-RSA-AES128-SHA |
When will the change occur?
- Sandbox - 17-July-2023
- Production - 31-July-2023
Supported ciphers
Coupa currently supports these ciphers, and these will be the only supported ciphers after the above ciphers are deprecated.
| Cipher Suite | OpenSSL CipherSuite Name |
|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | ECDHE-RSA-AES256-GCM-SHA384 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | ECDHE-RSA-AES128-GCM-SHA256 |
What is the impact on my organization?
For most users, these changes will have no effect on your ability to use Coupa. All up-to-date browsers support these secure ciphers. This change only cleans up older ciphers. No action is required if you connect to Coupa via up-to-date browsers.
You'll need to ensure the following so that your systems are ready to support the ciphers:
- All browsers currently supported by Coupa are up-to-date. Communicate with your system administrator to ensure that they are aware of the change, so they can update any services you use to connect to Coupa.
- All integrations that access Coupa must use supported ciphers once the change is made. Take the opportunity prior to the migration to validate your active integration in the Coupa sandbox environment for your relevant integrations:
- API Integrations: Applications accessing Coupa through the REST API will have to ensure that supported TLS ciphers are enabled to be used for API communication with Coupa. Coupa Admins need to validate any integrations accessing the Coupa REST API in their sandbox environment, prior to the time of migration.
- Supplier Integrations: cXML PunchOut / Purchase Order/ Invoice Integrations being received from suppliers and other external vendors must be sent using supported TLS ciphers.
- Coupa Flat File (SFTP) Integrations: No changes are required for applications that currently send or retrieve data from the Coupa SFTP sites. SFTP communication does not rely upon TLS.
We’re committed to assisting you with this upgrade and our system maintenance is an important part of that commitment. Coupa will be providing you with a maintenance notification with the exact window of time when this change will occur.
Thank you for partnering with us to protect our Business Spend Management platform.