Note: This is an important security update that may affect users' or integrations' ability to access Box.
Box regularly upgrades its infrastructure to meet the highest standards, and in October 2023 we did so by retiring some legacy SSL ciphers that are considered less secure. Compatible SSL ciphers are necessary for any browser or application to establish a secure connection to Box.
Box now only supports TLS1.3 SSL ciphers and the following 4 TLS1.2 SSL ciphers:
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (ECDHE-RSA-CHACHA20-POLY1305)
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ECDHE-RSA-AES128-GCM-SHA256)
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ECDHE-RSA-AES256-GCM-SHA384)
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (ECDHE-RSA-AES128-SHA)
If users access Box from recent versions of operating systems, Web browsers or Box apps and if your custom-built applications leverage recent versions of Box SDKs you are good to go. If not, please check app/sdk/OS documentation for compatibility.
For example:
- Windows 10 (20H2) and higher) - link: Microsoft documentation
- Windows Server 2016 (1607) and higher - link: Microsoft documentation
- macOS Big Sur (OSX 11) and higher - Link: Box Documentation
- Box Java SDK v4 and higher - Link: Box Documentation
- Box Python SDK v3 and higher - Link: Box Documentation
Also, as a developer you can validate that your application is able to connect to Box APIs with the above-mentioned ciphers by using our test endpoint. In your application, on any call, replace api.box.com with api-test.box.com and if your application connects, you are good to go!