What do you need to know?

Whispir is constantly working to ensure that our platform is secure so that we can provide the best possible service to our customers. Therefore, we are making significant changes to the TLS (SSL) protocol versions supported by Whispir for our REST APIs.

What are we doing?

As part of this upgrade, we will be undertaking the following actions.

  • We are migrating our regional REST API endpoints to new AWS services, which will impact the IP address ranges and TLS certificates we use.

  • We will complete a temporary cutover to these new systems before the permanent cutover. This temporary cutover allows us to identify customers who are unexpectedly impacted and limit any impacts to a short period. It also gives affected customers time to implement the necessary changes before the permanent cutover.

  • We are decommissioning our three deprecated legacy API endpoints (refer to the table below).

Phase 1A

Temporary 6-hour cutover to new IP address ranges and TLS certificates.

  • AU/IT/EDU/NZ regions: Start 11th July 2022 22:00 UTC, End 12th July 2022 04:00 UTC

  • AP/AP1 regions: Start 12th July 2022 00:00 UTC, End 12th July 2022 06:00 UTC

  • US region: Start 11th July 2022 20:00 UTC, End 12th July 2022 02:00 UTC

Changes, regional API endpoints: No outages of our services are expected during this maintenance period if you have successfully implemented the changes described below.

Changes, legacy API endpoints: None

Phase 1B

Permanent cutover to new IP address ranges and TLS certificates.

  • AP & US regions: Start 31 July 2022, 21:30 UTC, End 31 July 2022, 22:30 UTC

  • AP1 region: Start 1 August 2022, 21:30 UTC, End 1 August 2022, 22:30 UTC

  • IT & NZ regions: Start 7 August 2022, 20:00 UTC, End 7 August 2022, 21:00 UTC

  • AU & EDU regions: Start 8 August 2022, 21:30 UTC, End 8 August 2022, 22:30 UTC

Changes, regional API endpoints: No outages of our services are expected during this maintenance period if you have successfully implemented the changes described below. No change to the minimum TLS version enforcement.

Changes, legacy API endpoints: None

Phase 2

  • All regions: Start 11th October 2022 22:00 UTC, End 12th October 2022 04:00 UTC

Changes, regional API endpoints: Enforcement of TLS 1.2 minimum version for all API access. Customers using TLS v1.0 or v1.1 will be unable to access the API endpoints.

Changes, legacy API endpoints: All 3 legacy API endpoints decommissioned and no longer accessible.

Regional API endpoints

  • api.au.whispir.com

  • api.nz.whispir.com

  • api.ap.whispir.com

  • api.ap1.whispir.com

  • api.us.whispir.com

  • api.it.whispir.com

  • api.education.whispir.com

Legacy API endpoints

  • api.whispir.com

  • api-sni.whispir.com

  • apius.whispir.com

There are no functional differences between the regional and legacy API endpoints, so any API call made using a legacy API endpoint can be made using a regional API endpoint. We recommend you make these changes immediately so that the upcoming activities do not impact you.

Why are we doing this?


What measures do I need to take?

To avoid a potential disruption to your REST API connections, please take the following steps to ensure your API connections are not affected by our upcoming changes.

  1. Ensure you are connecting to the Whispir API through the correct regional endpoint
    Using the table of endpoints above, confirm that you are connecting to the appropriate regional API endpoint(s). If you are connecting to any of the legacy API endpoints, you will need to migrate onto the appropriate regional API endpoint. Please refer to the full developer documentation here.

    Note that regional API endpoints require API keys to be passed as HTTP headers. Passing API keys using HTTP query string parameters is not supported.

  2. If applicable, confirm your IP allow-list (whitelist) is correct
    If you have implemented an IP-based allow-list (formerly known as whitelisting), you need to ensure that you have updated your IP allow-list to the new required IP ranges and have a process in place to handle future updates. Please refer to the full developer documentation here.

    • Whispir strongly discourages customers from using IP-based allow-listing unless there is a mandatory compliance requirement to do so.

    • No action is required if you have implemented domain-based allow-listing.

  3. If applicable, disable any TLS certificate allow-listing (whitelisting)
    If you have implemented a TLS certificate allow-list (formerly known as whitelisting) that only allows connections to specific certificates, you need to disable this. Whispir regularly rotates TLS certificates as per best security practices and cannot notify customers in advance of certificate rotation.

    • No action is required if you have not implemented a TLS certificate allow-list.

  4. Test connectivity with our test API endpoints
    We have created temporary API endpoints for customers to test their system connectivity. These endpoints have a minimum enforced TLS version of 1.2 and use our updated IP ranges.

    • Please note that these temporary endpoints connect to our production API services.

All customers using API functionality must confirm that their applications and integrations can successfully connect to the appropriate API endpoint.

To test your connectivity, please follow the documentation here for the “List workspaces” API call and replace the hostname with the appropriate test endpoint from the table above.

If your connection is successful, you will receive a response with a list of workspaces connected to your account.
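A pre-flight check for steps 1 to 4, as an added example that is not Whispir's own code: it flags legacy hostnames and API keys in the query string, then attempts a TLS 1.2+ handshake with SNI and sorts failures into TLS or network causes. The `apikey` parameter name and all function names are assumptions; authentication errors only appear at the HTTP layer and are not covered here.

```python
import socket
import ssl
from urllib.parse import parse_qs, urlsplit

# Legacy hostnames listed on this page; decommissioned in Phase 2.
LEGACY_HOSTS = {"api.whispir.com", "api-sni.whispir.com", "apius.whispir.com"}
# Assumption: name of the query-string parameter carrying the API key.
KEY_PARAMS = {"apikey"}


def strict_context():
    """TLS 1.2 floor, CA and hostname verification on, no certificate pinning."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def static_findings(url):
    """Flag problems visible in a configured URL before touching the network."""
    parts = urlsplit(url)
    findings = []
    if (parts.hostname or "").lower() in LEGACY_HOSTS:
        findings.append("legacy-endpoint")
    names = {n.lower() for n in parse_qs(parts.query, keep_blank_values=True)}
    if KEY_PARAMS & names:
        findings.append("api-key-in-query-string")
    return findings


def classify(exc):
    """Map a connection failure to a TLS or network category."""
    # SSL errors are OSError subclasses, so test them first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls: certificate or hostname mismatch (check SNI, trust store)"
    if isinstance(exc, ssl.SSLError):
        return "tls: handshake failed (check TLS 1.2 and cipher support)"
    if isinstance(exc, OSError):
        return "network: DNS, routing, firewall or IP allow-list"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Handshake with SNI; return the negotiated version or a failure category."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with strict_context().wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: {tls.version()} {tls.cipher()[0]}"
    except Exception as exc:
        return classify(exc)
```

Pass `probe()` the hostname your integration connects to; a result starting with `ok:` shows the negotiated protocol version and cipher.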

Scope of Work

In light of feedback from our customers, we wanted to clarify our previous communications about the upcoming TLS (SSL) v1.2 upgrade for API users. If you have any doubts, please do not hesitate to contact our customer support team or your account manager.

Which systems are impacted / in scope?

Whispir REST API (Regional)

  • TLS & network changes only.

Whispir REST API (Legacy)

  • Decommissioned at Phase 2 date.

Which systems are NOT impacted / NOT in scope?

FAQs:

  • My systems are unable to connect to the test endpoint

    • Customers will need to determine whether this is a network/firewall issue, a TLS/SSL issue or an authentication issue. This can be accomplished by reviewing the appropriate logs or using a packet capture tool such as Wireshark.

  • My systems are unable to connect to the test endpoint due to TLS/SSL errors, such as “Hostname/IP does not match certificate's altnames”

    • Please ensure that your systems support all of the following TLS requirements:

      • TLS SNI (Server Name Indication) support

      • TLS version 1.2 or above

      • At least one TLS cipher from the TLSv1.2_2018 column in the table here.

  • My systems cannot connect to the test endpoint due to networking issues

    • If you have implemented IP-based allow-listing, please ensure that you have followed the requirements here.

    • Whispir strongly discourages customers from implementing IP-based allow-listing unless there is a mandatory compliance requirement to do so.

  • My systems cannot connect to the test endpoint due to API key issues

    • If you were previously using a legacy API endpoint and supplying your API key using an HTTP GET parameter, this will not work with the regional API endpoints. Please ensure you are following the authentication requirements in our developer documentation here.

  • I am not sure if I am using the legacy API or not

    • If you are connecting to one of the following domains: api.whispir.com, apius.whispir.com or api-sni.whispir.com, you are using a deprecated legacy API endpoint. If you are not sure which address you are connecting to, don't hesitate to get in touch with either Whispir Customer Support or your Customer Service Manager, and we can confirm this for you.

  • What happens if we do not make the changes in time, i.e. how will we be affected?

    • You will no longer be able to access the Whispir platform through our REST API endpoints. This is a platform-wide change to improve our reliability and protect our valued customers from security vulnerabilities, and there is no workaround.

  • Do the Phase 1A or 1B changes affect a legacy API-based customer?

    • No, only the Phase 2 change affects legacy API configured customers. Details of the changes can be found above.

  • Do we need to change our TLS trust settings?

    • No, the new TLS certificates will use the same issuing CA (Amazon Root) and intermediate certificates.

  • When connecting to a regional API endpoint we receive an HTTP 403 error. Requests were previously working correctly.

    • Please ensure that you are sending the correct values for these HTTP headers: Host and Content-Length. Please refer to our developer documentation here for more information.
