TLS Version

The server receiving webhooks from our system must support TLS 1.2 or above.
TLS 1.0 and 1.1 are not accepted due to known vulnerabilities.

Cipher Suites

The server must support at least one of the following cipher suites:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

Additional Security Measures

Certificate Validation: The server's SSL certificate must be valid and trusted.
Server Name Indication (SNI): The server should support SNI for proper certificate selection.
Perfect Forward Secrecy: The chosen cipher suite should support PFS to ensure past communications remain secure even if the private key is compromised.

Implementation Guidelines

Configure your web server (e.g., Nginx, Apache) to only allow TLS 1.2 and above.
Update your server's cipher suite configuration to include the required ciphers.
Regularly update your SSL/TLS libraries to ensure support for the latest security standards.
Implement proper error handling for failed connections due to unsupported TLS versions or cipher suites.

Testing and Verification

Use online SSL/TLS testing tools (e.g. SSL Labs) to verify your server configuration.
Periodically audit your server's TLS settings to ensure continued compliance with these requirements.

By adhering to these requirements, you ensure that the webhook communication between our system and your server maintains a high level of security and data integrity.