Description
COS document page on IBM Cloud does not list supported ciphers and requires updating. Please review and update as necessary.
Cipher tuning
IBM COS supports a variety of cipher settings to encrypt data in transit. Not all cipher settings yield the same level of performance, and using TLS in general leads to a small performance degradation. The following cipher settings are recommended (in descending order of priority):
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
=============
The following announcement was posted and implemented
Source ID: 1755788880689
Type: Announcement
Component: Cloud Object Storage
Regions: global
Start Time: 28 Jul 2025, 4:00 PM UTC
Update Time: 21 Aug 2025, 3:08 PM UTC
Update: The following regions have been completed. The changes will continue for the next several weeks.
Single sites: ams03, mil01, sjc04, sng01
MZRs: au-syd, eu-es, jp-osa
Cross region: ap-cr, eu-cr
To maintain the highest standards of security for our cloud storage service, we will be updating our encryption protocols by removing support for certain ciphers. Starting on 28 July 2025 the IBM Cloud Object Storage team will be removing multiple weak ciphers in all regions.
What to Expect
This update impacts the following TLS ciphers:
AES256-SHA
AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
Removing these ciphers aligns with industry best practices and reduces vulnerability to certain security threats, such as padding oracle attacks. After the maintenance window, connections to our S3 service must be established using modern ciphers that support Galois/Counter Mode (GCM).
Actions Required
To avoid any disruption in service, verify your applications, scripts, or clients do not rely on the ciphers being removed. Update any affected configurations to use TLS-compatible GCM encryption ciphers before 28 July 2025. If no action is taken, clients relying on the removed ciphers may experience connection issues following the update.
To enable clients to verify that their applications will not be impacted after support of these ciphers is removed, IBM has temporarily stood up a test endpoint that only supports GCM ciphers. The test endpoint is "s3.us-east.cloud-object-storage.test.appdomain.cloud".
Assistance and Additional Information
The following ciphers will continue to be available with IBM Cloud Object Storage:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
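
An offline check of a client's cipher configuration against the two lists in the announcement, as an added example (not IBM's code and not part of the original issue). The IANA-to-OpenSSL name mapping and the `expand` and `audit` helpers are this example's own; TLS 1.3 suites are ignored because the page does not address them.

```python
import ssl

# OpenSSL cipher names copied from the announcement on this page.
REMOVED = {
    "AES256-SHA", "AES128-SHA", "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES128-SHA256", "ECDHE-RSA-AES256-SHA",
    "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
}
RETAINED = {"ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"}

# "Cipher tuning" list from the documentation: IANA name -> OpenSSL name.
DOC_RECOMMENDED = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}

def expand(cipher_string):
    """Expand an OpenSSL cipher string into the pre-TLS-1.3 suites the local OpenSSL offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    return [c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"]

def audit(offered):
    """Classify offered suites against the announcement's removed and retained lists."""
    offered = list(offered)
    usable = [c for c in offered if c in RETAINED]
    removed = [c for c in offered if c in REMOVED]
    unlisted = [c for c in offered if c not in (RETAINED | REMOVED)]
    if usable:
        verdict = "ok"             # at least one suite the service keeps
    elif unlisted:
        verdict = "unlisted-only"  # the announcement does not say if these are accepted
    else:
        verdict = "breaks"         # every offered suite is being removed
    return {"verdict": verdict, "usable": usable, "removed": removed, "unlisted": unlisted}

if __name__ == "__main__":
    print("documented list:", audit(DOC_RECOMMENDED.values())["verdict"])
    for label, cfg in {"pinned-gcm": "ECDHE-RSA-AES256-GCM-SHA384", "openssl-default": "DEFAULT"}.items():
        print(label, audit(expand(cfg))["verdict"])
```

Every suite in the documented "Cipher tuning" list falls in the removed set, so a client pinned to that list gets the `breaks` verdict.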