Limited cipher support as of release 10.10
Incident Report for Cumulocity IoT
Resolved
The apj.cumulocity.com environment now has a rollback in place regarding removal of support for weak ciphers.
The same fix will be applied to *.cumulocity.com by the end of the week.
Posted Oct 20, 2021 - 13:23 CEST
Update
We are continuing to work on a fix for this issue.
Posted Oct 04, 2021 - 09:11 CEST
Identified
With the 10.10 release, the cipher suite was updated and weak cyphers were excluded to make the platform more secure.
This was announced latest in the 10.9 release notes, but because a lot of active devices are still using old ciphers, we are looking for a possible solution supporting older ciphers.

There are two separated paths here based on protocol:

* HTTP - it is already possible to configure ciphers per instance, for now on all environments (emea, eu-latest, apj and us) we decided to use configuration from version 10.9, exception is our cloud instance where TLSv1 was disabled. The main point here is that we are quite flexible in this field and we can change those configuration with low effort.

* MQTT - with version 10.10 platform was moved to containerised core environment, where mqtts traffic is terminated, which makes the ciphers configuration a little bit more complex. We are investigating possible solutions here.

Also note that MQTT devices with old version of the paho library will not be able to connect using TLS v1.3
Posted Oct 01, 2021 - 20:25 CEST
This incident affected: eu-latest.cumulocity.com (eu-latest.cumulocity.com MQTT Services), us.cumulocity.com (us.cumulocity.com MQTT Services), and emea.cumulocity.com (emea.cumulocity.com MQTT API).