Api.pipedrive.com issue with weak key strength

I wrote a module for a PBX which synchronizes the customers' contacts from Pipedrive with the PBX, so they can be used for resolving calls.

Our PBX is running on a Tomcat/Catalina platform with Java.
With the latest beta release they pulled the Java version up to 1.8.0_265.
With Java 8 Oracle added some weak encryption methods to the constraint list.
By default, anything related to encryption needs to use at least a key size of 1024.

The certificate of api.pipedrive.com now causes an error, because it uses an EC curve P256.
java.security.cert.CertPathValidatorException: Algorithm constraints check failed on key EC with size of 256bits

I can manually allow weaker encryption algorithms if I have SSH root access to the PBX. But in the case of the cloud-based version of the PBX this is simply not possible.

This basically means some of our customers might be unable to use the module any further, and the module is expected to break every time the PBX gets updated…
This means we'll have to stop the support for Pipedrive altogether…

Is there any plan to increase the security of the certificate used on api.pipedrive.com anytime soon?

Sincerely Fabian Zünd

Hey Fabian,

I talked it over with our Infrastructure team and there's not currently a plan in place to change this. Unfortunately the certificate is supplied by a third-party service that we use, so we need to go through them first.

Hello David

Thanks for the feedback!
You can close this thread for now.

Hey again @Fabian95qw,

This is a more official (and hopefully helpful) answer that I got from the Infrastructure team:

Pipedrive uses Cloudflare issued cert packs.
With Cloudflare issued cert packs, we get both RSA and ECC certificates, which can’t be changed. ECC certs provide good performance and security benefits.
Both RSA 2048 bit and EC 256 bit are available to requesting clients, and which one is chosen is dependent on what the client supports (though, the most secure option will always be chosen).
This is visible here: SSL Server Test: api.pipedrive.com (Powered by Qualys SSL Labs)
There is more information on this here: https://sectigo.com/resource-library/rsa-vs-dsa-vs-ecc-encryption
The checking system needs to be able to understand the difference between RSA and ECC certificates and choose the one it can use.
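The thread turns on how a Java-style key-size constraint is applied to the two certificate types the server offers. The following is an added example, not code from the thread or from Pipedrive: it parses entries in the syntax Java uses for `jdk.certpath.disabledAlgorithms` (for example `RSA keySize < 1024, EC keySize < 224`), checks the constructed RSA 2048 / EC 256 pair described above against them, and maps each key to its approximate NIST SP 800-57 security strength so that an EC key is not judged by an RSA-sized threshold. The constraint strings and key list are constructed for illustration.

```python
"""Evaluate Java-style key-size constraints against EC and RSA server keys (added example)."""
import re
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Constraint:
    algorithm: str  # "EC", "RSA", "DSA", ...
    op: str         # one of < <= > >= == !=
    bits: int

# Matches one entry such as "EC keySize < 224"; entries naming only a hash or usage are not key-size rules.
_RULE = re.compile(r"^(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)$")
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_constraints(spec: str) -> List[Constraint]:
    """Return the key-size rules found in a comma-separated disabledAlgorithms-style string."""
    rules = []
    for entry in (e.strip() for e in spec.split(",")):
        m = _RULE.match(entry)
        if m:
            rules.append(Constraint(m.group(1).upper(), m.group(2), int(m.group(3))))
    return rules

def is_key_disabled(algorithm: str, bits: int, rules: List[Constraint]) -> bool:
    """True if any rule for this algorithm matches the key size (the key would be rejected)."""
    return any(r.algorithm == algorithm.upper() and _OPS[r.op](bits, r.bits) for r in rules)

def security_strength(algorithm: str, bits: int) -> int:
    """Approximate NIST SP 800-57 security strength in bits, so EC and RSA sizes can be compared."""
    alg = algorithm.upper()
    if alg == "EC":
        return min(bits // 2, 256)      # P-256 -> 128, P-384 -> 192, P-521 -> 256
    if alg == "RSA":
        strength = 0
        for size, s in [(1024, 80), (2048, 112), (3072, 128), (7680, 192), (15360, 256)]:
            if bits >= size:
                strength = s
        return strength
    raise ValueError(f"unsupported algorithm {algorithm}")

# Constructed: the RSA 2048 and EC 256 certificate keys the thread says the server offers.
SERVER_KEYS: List[Tuple[str, int]] = [("RSA", 2048), ("EC", 256)]

def acceptable_keys(spec: str) -> List[Tuple[str, int]]:
    """Keys from SERVER_KEYS that a client configured with `spec` would still accept."""
    rules = parse_constraints(spec)
    return [(alg, bits) for alg, bits in SERVER_KEYS if not is_key_disabled(alg, bits, rules)]

if __name__ == "__main__":
    for spec in ("RSA keySize < 1024, EC keySize < 224", "RSA keySize < 1024, EC keySize < 1024"):
        print(spec, "->", acceptable_keys(spec))
```

Under a policy that applies a 1024-bit floor to EC keys, the P-256 certificate is rejected even though its strength (about 128 bits) exceeds that of RSA 2048 (about 112 bits); a per-algorithm threshold keeps both usable.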