Greenhouse Software will deactivate support for two TLS cipher suites on February 27, 2023, across all public-facing applications including Greenhouse Recruiting, Greenhouse Onboarding, Business Intelligence Connector, job boards, and Harvest API. We're providing you notice now so that customers and partners can prepare.
The following cipher suites will be deactivated:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
These ciphers have already been deactivated on Greenhouse Recruiting as of December 14, 2022. If you're using unsupported clients to connect to Greenhouse Software after the deprecation of these cipher suites, you'll receive errors.
Impacted applications
The following apps will be impacted by the deactivation of the cipher suites:
| Application | URL |
| Greenhouse Recruiting | https://app.greenhouse.io https://app2.greenhouse.io https://<sso-custom-domain>.greenhouse.io |
| Greenhouse Onboarding | https://onboarding.greenhouse.io |
| Greenhouse job boards | https://boards.greenhouse.io |
| Harvest API | https://harvest.greenhouse.io |
| Greenhouse Recruiting mobile app | https://api.greenhouse.io |
| Greenhouse Events mobile app | https://api.greenhouse.io |
| Business Intelligence Connector | jdbc:redshift://redshift.greenhouse.io |
Reason for deactivation
We're deactivating these cipher suites to ensure we're providing you with safe and secure connections. The security industry considers ciphers that support CBC mode encryption to be weak due to past exploits and bugs against specific implementations. During our TLS 1.2+ migration in August 2019, Greenhouse Software kept support for these CBC cipher suites to provide backward compatibility to legacy clients.
Am I affected by this change?
We've performed an initial analysis and determined that the deprecation of these cipher suites should only affect < 0.1% of our total traffic. There are two categories of people that could be affected by the deprecation of the cipher suites:
People using legacy browsers or mobile devices
People using unsupported browsers to access Greenhouse Recruiting and Greenhouse Onboarding, or job applicants using unsupported browsers to access job boards hosted by Greenhouse Software may be affected. Check out the browsers that Greenhouse Software supports.
The following browsers are not affected by this change as they support TLS 1.2 and can negotiate to a supported cipher suite:
| Browser | Browser version | Notes |
| Chrome | 30+ | Released August 19, 2013 |
| Safari | 9+ | Released September 30, 2015 |
| Firefox | 27+ | Released February 3, 2014 |
| Safari on iOS | 9+ | Released September 15, 2015 |
| Chrome on Android | 74 | – |
| Firefox on Android | 67 | – |
| Internet Explorer | 11 on Windows 10+ |
Released July 29, 2015 |
| Microsoft Edge | 12+ | Supported in all versions |
People using HTTP clients to connect to Harvest or Job Board API
People who have written their own API clients and are using clients that don't support TLS v1.2 and above will no longer be able to successfully connect to Harvest or Job Board API.
You must ensure you're using an HTTP client library that supports TLS 1.2 and above before the deprecation date on February 27, 2023.
Client support for the most popular TLS clients can be found in the table below:
| Java | 8+ |
| OpenSSL | 1.0.1+ |
You can use this API to easily test the library you're using to ensure it supports TLS v1.2 and can negotiate a supported cipher suite. The HTTP response will contain a tls_version value with the highest version of TLS and a list of cipher suites that are supported by the client.
Greenhouse Software supports the following cipher suites:
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256