
Deprecation of 3DES Cipher Support on August 27th


… after a test of the deprecation on August 20th.

What is 3DES?

Triple DES (3DES) is a formerly popular encryption cipher that is no longer considered secure; NIST considers it to have only 80 bits of effective security when encrypting more than 8 MB of data. As 112 bits of security is now considered a bare minimum, NIST and compliance frameworks such as the Payment Card Industry Data Security Standard (PCI DSS) consider the continued use of 3DES unacceptable.

Does New Relic use 3DES?

Currently, all New Relic systems prefer to use the industry-standard AES-GCM cipher if supported by the client, but fall back to AES-CBC if necessary. Two systems—collector.newrelic.com and api.newrelic.com—continue to fall back to 3DES if that is the only cipher supported by the client.

What is changing?

From 22:00 UTC on August 20th, 2019 to 22:00 UTC on August 21st, 2019, we will test a change where those two systems—collector.newrelic.com and api.newrelic.com—will no longer fall back to the 3DES cipher. All connections to these systems during that time using the 3DES cipher will fail. One week later, at 22:00 UTC on August 27th, we will implement this change permanently.

Qualys SSL Labs shows our current configuration for these domains here. After July 27th, our configuration for these domains should instead look like this.

How do I tell if I’m affected?

Only about 0.0025% (or about one in forty thousand) of all TLS connections to these systems are made using the 3DES cipher. The replacement for 3DES, the Advanced Encryption Standard (AES), was introduced in 2001, meaning that any clients still using 3DES are likely to be quite old. We believe some of the most common affected client systems are Windows Server 2003 (pre-SP2) and Windows XP. Client systems using OpenSSL prior to version 0.9.7—first released in 2002—may also be affected.

In addition, any client system that fails to connect to collector.newrelic.com or api.newrelic.com during the test window from August 20th-21st may be affected.

Any affected systems should be updated to a more recent operating system and/or cryptographic library in order to continue connecting to New Relic. We believe that the security of customer data is important, and we can best serve our customers by encouraging the use of modern encryption.

Please let us know if you have questions or concerns about this change!
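
The fallback order described above (AES-GCM preferred, then AES-CBC, then 3DES) can be modeled to see which clients stop connecting once 3DES is removed. This is an added example, not New Relic's code or its actual cipher list: the server preference lists and the client offers are constructed assumptions, using standard IANA cipher suite names.

```python
# Added example: models the fallback order described in the post.
# SERVER_BEFORE is an assumed preference list, not New Relic's real configuration.
SERVER_BEFORE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",  # preferred: AES-GCM
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",     # fallback: AES-CBC
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",          # last resort: 3DES
]

def is_3des(suite):
    """True for IANA suite names that use Triple DES."""
    return "3DES_EDE" in suite

# After the change, the server no longer offers any 3DES suite.
SERVER_AFTER = [s for s in SERVER_BEFORE if not is_3des(s)]

def negotiate(client_offer, server_prefs):
    """Server-preference selection: the first server suite the client also
    offers, or None when there is no overlap (handshake failure)."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return suite
    return None

def assess(client_offer):
    """Return (status, suite_before, suite_after) for one client's offer."""
    before = negotiate(client_offer, SERVER_BEFORE)
    after = negotiate(client_offer, SERVER_AFTER)
    if before is None:
        return "already failing", before, after
    if after is None:
        return "AFFECTED", before, after
    return "ok", before, after

# Constructed ClientHello offers (for example, read from a packet capture).
CLIENTS = {
    "modern": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "aes-cbc-only": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                     "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
    "legacy-3des": ["TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_WITH_RC4_128_SHA",
                    "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA"],
}

if __name__ == "__main__":
    for name, offer in CLIENTS.items():
        print(name, *assess(offer))
```

A client that lists 3DES alongside an AES suite is unaffected, because the server already selects AES for it; only a client whose sole overlap with the server is 3DES loses connectivity.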