Overview

Transport Layer Security (TLS) is a critical security protocol used to protect web traffic. It provides confidentiality and integrity of data in transit between clients and servers exchanging information. During the establishment of a TLS session, both parties agree on a cipher suite which dictates the cryptographic algorithms used to secure the communication.

As part of its ongoing commitment to the security and protection of its customers' data, Datadog is rolling out a more modern cryptographic engine across its systems, which imposes some changes to the configurations it can accept.

Beginning April 1st, 2024, Datadog disabled support for the following cipher suites across its public-facing applications. If you use unsupported clients to connect to Datadog after these cipher suites are disabled, you will receive connection error messages.

Disabled Cipher Suites

| Code | IANA Name |
|------|-----------|
| 0xC0,0x27 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 |
| 0xC0,0x23 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 |
| 0xC0,0x28 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 |
| 0xC0,0x24 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 |
| 0x00,0x3C | TLS_RSA_WITH_AES_128_CBC_SHA256 |
| 0x00,0x3D | TLS_RSA_WITH_AES_256_CBC_SHA256 |

After this date, the following cipher suites will be accepted:

Accepted Cipher Suites

| Code | IANA Name |
|------|-----------|
| 0xC0,0x2B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| 0xC0,0x2F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| 0xC0,0x2C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |
| 0xC0,0x30 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| 0xCC,0xA9 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 |
| 0xCC,0xA8 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 |
| 0xC0,0x09 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA |
| 0xC0,0x13 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA |
| 0xC0,0x0A | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA |
| 0xC0,0x14 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA |
| 0x00,0x9C | TLS_RSA_WITH_AES_128_GCM_SHA256 |
| 0x00,0x9D | TLS_RSA_WITH_AES_256_GCM_SHA384 |
| 0x00,0x2F | TLS_RSA_WITH_AES_128_CBC_SHA |
| 0x00,0x35 | TLS_RSA_WITH_AES_256_CBC_SHA |
| 0x13,0x01 | TLS_AES_128_GCM_SHA256 |
| 0x13,0x02 | TLS_AES_256_GCM_SHA384 |
| 0x13,0x03 | TLS_CHACHA20_POLY1305_SHA256 |

This change does not impact the Datadog for Government site, for which the accepted cipher suites remain the following:

Accepted Cipher Suites (Datadog for Government)

| Code | IANA Name |
|------|-----------|
| 0xC0,0x2F | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 |
| 0xC0,0x30 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 |
| 0xC0,0x2B | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 |
| 0xC0,0x2C | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 |

Client Compatibility

Datadog’s systems already require the use of TLS 1.2, and compatible clients will be able to negotiate other cipher suites. However, specific client-side configurations may alter this behavior. Use the client of your choice to connect to tls-config-test.datadoghq.com, which is configured with the target ciphers, or use the How’s my SSL? API to check the cipher suites your client supports. For any additional questions, reach out to Datadog support.
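An offline complement to the connection test above, added here as an example (it is not Datadog's code): it classifies the cipher suites a Python/OpenSSL client offers against the Disabled and Accepted tables on this page, matching on the IANA code. The function names and the legacy client list are constructed for illustration.

```python
import ssl

# IANA code points copied from the tables on this page, as 16-bit values.
DISABLED = {0xC027, 0xC023, 0xC028, 0xC024, 0x003C, 0x003D}
ACCEPTED = {
    0xC02B, 0xC02F, 0xC02C, 0xC030, 0xCCA9, 0xCCA8,
    0xC009, 0xC013, 0xC00A, 0xC014,
    0x009C, 0x009D, 0x002F, 0x0035,
    0x1301, 0x1302, 0x1303,
}


def classify(cipher_ids):
    """Sort cipher ids into accepted / disabled / other (not in either table)."""
    result = {"accepted": [], "disabled": [], "other": []}
    for cid in cipher_ids:
        code = cid & 0xFFFF  # OpenSSL ids carry the IANA code in the low 16 bits
        if code in ACCEPTED:
            key = "accepted"
        elif code in DISABLED:
            key = "disabled"
        else:
            key = "other"
        result[key].append(f"0x{code >> 8:02X},0x{code & 0xFF:02X}")
    return result


def local_client_report(ctx=None):
    """Classify the suites enabled in an SSLContext (default: this interpreter's)."""
    ctx = ctx or ssl.create_default_context()
    return classify(c["id"] for c in ctx.get_ciphers())


def offers_accepted_suite(cipher_ids):
    """True if at least one offered suite is in the Accepted table.
    Necessary, not sufficient: TLS version and certificate type also matter."""
    return bool(classify(cipher_ids)["accepted"])


# Constructed sample: a legacy client pinned to CBC-SHA256 suites only.
LEGACY_CLIENT = [0x0300C027, 0x0300C028, 0x0300003C, 0x0300003D]

if __name__ == "__main__":
    report = local_client_report()
    print("accepted suites offered:", len(report["accepted"]))
    print("disabled suites still offered:", report["disabled"])
    print("legacy sample can negotiate:", offers_accepted_suite(LEGACY_CLIENT))
```

A client whose report has an empty "accepted" list is the one that will see connection errors; a non-empty "disabled" list alone is harmless as long as an accepted suite is also offered.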