TLS cipher deprecation: 2023 – February 27

Greenhouse Software will deactivate support for two TLS cipher suites on February 27, 2023, across all public-facing applications including Greenhouse Recruiting, Greenhouse Onboarding, Business Intelligence Connector, job boards, and Harvest API. We're providing you notice now so that customers and partners can prepare.

The following cipher suites will be deactivated:

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

These ciphers have already been deactivated on Greenhouse Recruiting as of December 14, 2022. If you're using unsupported clients to connect to Greenhouse Software after the deprecation of these cipher suites, you'll receive errors.

Impacted applications

The following apps will be impacted by the deactivation of the cipher suites:

Application URL
Greenhouse Recruiting https://app.greenhouse.io
https://app2.greenhouse.io
https://<sso-custom-domain>.greenhouse.io
Greenhouse Onboarding https://onboarding.greenhouse.io
Greenhouse job boards https://boards.greenhouse.io
Harvest API https://harvest.greenhouse.io
Greenhouse Recruiting mobile app https://api.greenhouse.io
Greenhouse Events mobile app https://api.greenhouse.io
Business Intelligence Connector jdbc:redshift://redshift.greenhouse.io

Reason for deactivation

We're deactivating these cipher suites to ensure we're providing you with safe and secure connections. The security industry considers ciphers that support CBC mode encryption to be weak due to past exploits and bugs against specific implementations. During our TLS 1.2+ migration in August 2019, Greenhouse Software kept support for these CBC cipher suites to provide backward compatibility to legacy clients.

Am I affected by this change?

We've performed an initial analysis and determined that the deprecation of these cipher suites should only affect < 0.1% of our total traffic. There are two categories of people that could be affected by the deprecation of the cipher suites:

People using legacy browsers or mobile devices

People using unsupported browsers to access Greenhouse Recruiting and Greenhouse Onboarding, or job applicants using unsupported browsers to access job boards hosted by Greenhouse Software may be affected. Check out the browsers that Greenhouse Software supports.

The following browsers are not affected by this change as they support TLS 1.2 and can negotiate to a supported cipher suite:

Browser Browser version Notes
Chrome 30+ Released August 19, 2013
Safari 9+ Released September 30, 2015
Firefox 27+ Released February 3, 2014
Safari on iOS 9+ Released September 15, 2015
Chrome on Android 74
Firefox on Android 67
Internet Explorer 11 on Windows
10+
Released July 29, 2015
Microsoft Edge 12+ Supported in all versions

People using HTTP clients to connect to Harvest or Job Board API

People who have written their own API clients and are using clients that don't support TLS v1.2 and above will no longer be able to successfully connect to Harvest or Job Board API.

You must ensure you're using an HTTP client library that supports TLS 1.2 and above before the deprecation date on February 27, 2023.

Client support for the most popular TLS clients can be found in the table below:

Java 8+
OpenSSL 1.0.1+

You can use this API to easily test the library you're using to ensure it supports TLS v1.2 and can negotiate a supported cipher suite. The HTTP response will contain a tls_version value with the highest version of TLS and a list of cipher suites that are supported by the client.

Greenhouse Software supports the following cipher suites:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256