Permanent removal of weak ciphers

Scheduled Maintenance Report for GOV.UK Pay

Completed

This scheduled change is now complete and we have no reported impact. Please refer to earlier information which outlined the weak ciphers we have removed support for, and a list of the ciphers we continue to support. Thank you for your understanding.

Posted Dec 01, 2025 - 10:26 GMT

In progress

Our scheduled change to permanently remove support for weak ciphers is now in progress. This should be completed by 11am and we will provide updates as necessary. We do not expect this change to have any impact on our services and their paying users. If you have any questions please contact govuk-pay-support@digital.cabinet-office.gov.uk.

Posted Dec 01, 2025 - 10:17 GMT

Update

We will be undergoing scheduled maintenance during this time.

Posted Oct 01, 2025 - 14:22 BST

Update

We have made a change to the schedule of the removal of these ciphers. The work will now happen at 10AM on 1 December 2025.

Posted Sep 23, 2025 - 15:17 BST

Scheduled

To maintain a highly secure and stable platform we will be removing support for 2 outdated ciphers at 10am on 1 December 2025. This is an extension from when the work was previously scheduled to happen on 30 September 2025.

We will be removing support for these TLS 1.2 ciphers on 1 December 2025:

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ECDHE-RSA-AES128-SHA256)

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ECDHE-RSA-AES256-SHA384)

To help services affected by this we have already added an ECDSA certificate which will also enable support for these TLS 1.2 ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ECDHE-ECDSA-AES128-GCM-SHA256)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ECDHE-ECDSA-AES256-GCM-SHA384)

This change introduced two further new weak TLS 1.2 ciphers that we will also remove on 1 December 2025:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ECDHE-ECDSA-AES128-SHA256)

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ECDHE-ECDSA-AES256-SHA384)

A list of the changes:

TLS 1.2 ciphers that we support before 1 December 2025:

* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (ECDHE-RSA-AES128-SHA256)
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ECDHE-RSA-AES128-GCM-SHA256)
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (ECDHE-RSA-AES256-SHA384)
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ECDHE-RSA-AES256-GCM-SHA384)
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ECDHE-ECDSA-AES128-GCM-SHA256)
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ECDHE-ECDSA-AES256-GCM-SHA384)
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (ECDHE-ECDSA-AES128-SHA256)
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (ECDHE-ECDSA-AES256-SHA384)

TLS 1.2 ciphers that we support after 1 December 2025:

* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (ECDHE-RSA-AES128-GCM-SHA256)
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (ECDHE-RSA-AES256-GCM-SHA384)
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (ECDHE-ECDSA-AES128-GCM-SHA256)
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (ECDHE-ECDSA-AES256-GCM-SHA384)

We have directly contacted services affected by this change, and are encouraging the use of TLS 1.3 where possible.

This will be a permanent change and we will not be able to provide extensions to use these ciphers after November 2025.

If you have any questions about this change please email us at govuk-pay-support@digital.cabinet-office.gov.uk

Posted Jul 01, 2025 - 15:10 BST

This scheduled maintenance affected: Public API.