TLS Version

  • The server receiving webhooks from our system must support TLS 1.2 or above.
  • TLS 1.0 and 1.1 are not accepted due to known vulnerabilities.

Cipher Suites

The server must support at least one of the following cipher suites:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA

Additional Security Measures

  1. Certificate Validation: The server's SSL certificate must be valid and trusted.
  2. Server Name Indication (SNI): The server should support SNI for proper certificate selection.
  3. Perfect Forward Secrecy (PFS): The chosen cipher suite should support PFS to ensure past communications remain secure even if the server's private key is later compromised.

Implementation Guidelines

  1. Configure your web server (e.g., Nginx, Apache) to only allow TLS 1.2 and above.
  2. Update your server's cipher suite configuration to include the required ciphers.
  3. Regularly update your SSL/TLS libraries to ensure support for the latest security standards.
  4. Implement proper error handling for failed connections due to unsupported TLS versions or cipher suites.

Testing and Verification

  1. Use online SSL/TLS testing tools (e.g., SSL Labs) to verify your server configuration.
  2. Periodically audit your server's TLS settings to ensure continued compliance with these requirements.
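The following script is an added example for the implementation and testing steps above; it is not tooling from the webhook provider. It builds a client context that refuses TLS 1.0/1.1 (the version floor), maps the required cipher suites from their IANA names to the OpenSSL names that Python's `ssl` module reports, lists which of them the local OpenSSL build can offer, and, when given a host, connects with SNI and certificate validation and judges the negotiated protocol and suite against the requirements, including whether the suite provides forward secrecy (only the ECDHE suites in the list do; the `TLS_RSA_*` suites use static RSA key exchange and do not). The host, port and `force_tls12` flag are assumptions of this example; a server that negotiates TLS 1.3 reports a TLS 1.3 suite, which the page's list does not cover, so `force_tls12=True` caps the probe at TLS 1.2 to exercise the listed suites.

```python
"""Audit a webhook receiver against the TLS version, cipher-suite and PFS
requirements. Added example, not the provider's own tooling. Assumes
Python 3.7+ with an OpenSSL-backed ssl module; host/port come from the caller.
"""
import socket
import ssl
import sys

# Required suites exactly as listed on the page (IANA names), each paired with
# the OpenSSL name that ssl.SSLSocket.cipher() / SSLContext.get_ciphers() report.
REQUIRED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": "ECDHE-ECDSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256": "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA": "ECDHE-RSA-DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
}
OPENSSL_TO_IANA = {ossl: iana for iana, ossl in REQUIRED_SUITES.items()}


def is_forward_secret(iana_name):
    """Only the ephemeral-key-exchange (ECDHE) suites give forward secrecy;
    the TLS_RSA_* suites encrypt the premaster secret to the server's long-term key."""
    return iana_name.startswith("TLS_ECDHE_")


def build_client_context():
    """Client context mirroring the requirements: verifies the certificate chain
    and hostname (create_default_context) and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def locally_supported_required_suites(ctx=None):
    """Required suites the local OpenSSL build can offer at all (sorted IANA names).
    A suite missing here can never be negotiated from this client, whatever the
    server is configured with, which matters when the probe machine is old."""
    ctx = ctx or build_client_context()
    offered = {c["name"] for c in ctx.get_ciphers()}
    return sorted(iana for iana, ossl in REQUIRED_SUITES.items() if ossl in offered)


def classify_negotiated(openssl_cipher, protocol):
    """Judge a negotiated (cipher, protocol) pair against the requirements."""
    iana = OPENSSL_TO_IANA.get(openssl_cipher)
    return {
        "protocol_ok": protocol in ("TLSv1.2", "TLSv1.3"),
        "suite_required": iana is not None,      # in the page's list
        "forward_secret": iana is not None and is_forward_secret(iana),
        "iana_name": iana,
    }


def probe(host, port=443, force_tls12=False, timeout=10):
    """Connect with SNI and certificate validation; report what was negotiated.
    Raises ssl.SSLError / OSError on handshake or certificate failure, so the
    caller can log the reason (guideline 4: handle failed connections)."""
    ctx = build_client_context()
    if force_tls12:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # exercise the TLS 1.2 suite list
    with socket.create_connection((host, port), timeout=timeout) as sock:
        # server_hostname both sends SNI and enables hostname verification.
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            result = classify_negotiated(cipher_name, protocol)
            result.update(cipher=cipher_name, protocol=protocol)
            return result


if __name__ == "__main__":
    # Usage: python tls_audit.py <host> [port]   (host/port are the caller's)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("locally offered required suites:", locally_supported_required_suites())
    try:
        print("negotiated:", probe(host, port, force_tls12=True))
    except (ssl.SSLError, OSError) as exc:
        print(f"handshake with {host}:{port} failed: {exc}")
```

Run it against your own receiver and check that `protocol_ok`, `suite_required` and `forward_secret` are all true; a true `suite_required` with a false `forward_secret` means the server preferred one of the static-RSA suites, which the PFS recommendation above advises against.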

By adhering to these requirements, you ensure that the webhook communication between our system and your server maintains a high level of security and data integrity.