Updated SSL Certs for Mandrill

Update December 17, 2014, 4:55pm EST: As with most changes in Mandrill, we rolled this one out using a progressive migration from our smallest region to our largest region while monitoring server loads, error rates, and user feedback through support channels. While our initial estimate that only a fraction of users would be impacted was correct, the severity of that impact in some cases was greater than anticipated.

The initial changes we made included updates to both our root certificate and our intermediate certificate chain, so that every certificate in the chain was signed with SHA-2. This resulted in errors, particularly for users in shared hosting environments where the SSL library supports SHA-2 but the root cert bundle couldn't be updated in a timely fashion: a client can't validate a chain that terminates in a root it doesn't already trust, regardless of which hash algorithm is involved. We've partially rolled back this change to a configuration with a SHA-1 root and SHA-2 intermediate certificates, which should address the majority of issues users were reporting. This configuration gives up nothing in security: clients never verify a root's self-signature, so the hash used on the root itself is irrelevant, and the browser deprecations target only the signatures on intermediate and end-entity certificates. We'll continue to monitor the status of this, and provide further updates if necessary.

Next Wednesday, December 17, 2014, we're making some updates to Mandrill's SSL certificates so that they're no longer signed using the SHA-1 hashing algorithm. The change is anticipated to impact only a very small number of users: those using an older server, and more specifically, an older SSL client library that can't validate SHA-2 signatures.

Most SSL certificates are signed using an older, relatively weak hashing algorithm, SHA-1. As collision attacks against SHA-1 get cheaper, a forged certificate that validates against a legitimate CA's signature becomes a realistic risk, and because of these mounting security concerns Google, Microsoft, and Mozilla have all announced schedules for deprecating SHA-1 signed certificates. Mandrill will be replacing all of our SHA-1 signed certificates with certificates signed using SHA-2.

Impacted Services

A small number of SMTP and API integrations may be impacted by the SSL certificate changes. Modern browsers already support the newer hashing algorithm used to sign SSL certs, so if you're using an updated browser, there's nothing else you'll need to do. If you maintain the server or application that's using Mandrill's API or SMTP integration, you'll want to be sure your SSL library can validate SHA-2 signatures. For example, if you're using Python, support depends on the OpenSSL version Python is linked against (reported by ssl.OPENSSL_VERSION), not on the Python version itself. The quickest way to find out is to make a TLS connection from that library to a host that already presents a SHA-2 signed chain and confirm that certificate verification succeeds.
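The check described above, as an added example written for this page rather than code from Mandrill: it reads the signatureAlgorithm field of a DER certificate directly (the outer AlgorithmIdentifier, so no full X.509 parser is needed), maps the OID to a hash family, reports which OpenSSL your Python is built against, and applies the chain rule from the update at the top of the page (the root's own signature is ignored, only intermediates and the leaf count). The test data is a constructed certificate-shaped DER blob, not a real certificate; the `leaf_from_server` helper is the only part that touches the network and is not run by the offline checks.

```python
"""Classify the signature hash on X.509 certificates and report the linked OpenSSL.
Added example for this page, not Mandrill's code. Python 3, standard library only."""
import ssl

# Signature-algorithm OIDs from RFC 3279, RFC 4055 and RFC 5758.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4":  ("md5WithRSAEncryption",    "MD5"),
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption",   "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1",         "SHA-1"),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256",       "SHA-2"),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384",       "SHA-2"),
}


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """DER OID content bytes -> dotted string (base-128 arcs, high bit = continue)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def signature_algorithm(der_cert):
    """Return (oid, name, hash family) from a certificate's outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    The TBS body is skipped whole; only the AlgorithmIdentifier after it is read."""
    tag, body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der_cert, body)          # skip tbsCertificate
    _, alg_body, _ = _read_tlv(der_cert, tbs_end)      # signatureAlgorithm
    tag, oid_start, oid_end = _read_tlv(der_cert, alg_body)
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(der_cert[oid_start:oid_end])
    name, family = SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))
    return oid, name, family


def chain_needs_sha2_client(der_chain):
    """True if any cert except the last (assumed to be the trust anchor) is SHA-2
    signed. Clients never verify a root's self-signature, so its hash is ignored."""
    return any(signature_algorithm(c)[2] == "SHA-2" for c in der_chain[:-1])


def leaf_from_server(host, port=443):
    """Network helper: fetch the leaf cert a server presents and classify it.
    ssl.get_server_certificate returns only the leaf, not the intermediates."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))


# --- constructed test data: certificate-shaped DER, not a real certificate ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid):
    """Dummy TBS body plus a 200-byte dummy signature, large enough to exercise
    long-form DER lengths in the parser."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 201)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    print("Python is linked against", ssl.OPENSSL_VERSION)
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(oid, "->", signature_algorithm(constructed_cert(oid)))
```

To inspect a real chain rather than just the leaf, `openssl s_client -connect HOST:PORT -showcerts` (add `-starttls smtp` for an SMTP endpoint; HOST and PORT are placeholders for your own integration's endpoint) prints every certificate the server sends, and `openssl x509 -noout -text` on each one shows its "Signature Algorithm" line. If the client library you are worried about is the one making the connection, a verification failure on a SHA-2 chain from that library is the definitive answer, whatever the version strings say.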