Short answer: No. ZappySys SSIS PowerPack does not hard-code or enforce any old or insecure cipher suites. All TLS versions and cipher suites are negotiated using Windows and .NET system defaults.
This article explains why , how TLS works with ZappySys components, and answers common security-related questions customers ask when hardening gateways or disabling legacy cipher suites.
Primary Question & Answer
Do ZappySys SSIS PowerPack components use old or insecure cipher suites?
No. ZappySys SSIS PowerPack does not bundle, ship, or force specific cipher suites .
All SSL/TLS behavior, including protocol version (TLS 1.2 / TLS 1.3) and cipher suite selection, is handled entirely by:
- Windows (Schannel)
- Microsoft .NET Framework
- OS-level security policies and group policies
ZappySys components simply follow the system’s security configuration. If your environment is configured to allow only modern TLS versions and secure cipher suites, ZappySys will automatically comply.
How TLS Works with ZappySys SSIS PowerPack
ZappySys REST-based components, such as:
- JSON Source, XML Source, CSV Source, Web API Destination
- REST API Task
- API Source & API Destination
are built on Microsoft .NET .
This means:
- TLS negotiation is performed by Windows Schannel
- Cipher suites are selected based on OS and .NET configuration
- No custom or legacy encryption logic is implemented in the product
ZappySys components do not explicitly force :
- TLS 1.0 or TLS 1.1
- Deprecated cipher suites such as RC4 or 3DES
If both the SSIS server and the target API support TLS 1.2 or TLS 1.3, those protocols will be used automatically.
Frequently Asked Questions
Will disabling old cipher suites on our gateway impact SSIS packages?
In most environments, no impact is expected .
Disabling legacy cipher suites may cause issues only if:
- The target API endpoint supports only old TLS versions
- The SSIS execution machine is running an outdated Windows version
- The .NET Framework version is old or not configured for strong cryptography
When modern TLS is enabled on both sides, gateway hardening is safe.
Does ZappySys force a specific TLS version?
No. By default, ZappySys components use System Default TLS settings .
This allows them to automatically follow:
- OS security updates
- Group policy changes
- Enterprise security hardening rules
No product-level changes are required when upgrading TLS policies.
What versions of TLS are supported?
ZappySys supports all TLS versions supported by the underlying Windows and .NET environment.
In modern environments, this typically includes:
- TLS 1.2
- TLS 1.3 (where supported by OS and .NET)
Older TLS versions may be used only if explicitly enabled at the OS level.
When can TLS handshake failures occur?
TLS-related failures may occur if:
- The API endpoint supports only deprecated TLS or weak ciphers
- TLS 1.2 is disabled on the SSIS server
- Strong cryptography is not enabled in .NET
These failures typically occur during the TLS handshake phase, before any data is exchanged.
What configuration is recommended to avoid issues?
To align with modern security standards, verify the following on the SSIS execution machine:
Operating System
- Windows Server 2016 or later
.NET Framework
- Version 4.6.2 or higher
- Version 4.8 recommended
TLS Settings
- TLS 1.2 enabled at OS (Schannel) level
Strong Cryptography
SchUseStrongCrypto = 1
With these settings, disabling insecure cipher suites will not affect ZappySys workloads.
How can we verify which TLS version and cipher suite are being used?
You can verify runtime TLS behavior using:
- Fiddler (HTTPS inspection)
- Wireshark (TLS handshake analysis)
- Windows Schannel event logging
These tools clearly show the negotiated TLS version and cipher suite used during API calls.
Has this been validated in real customer environments?
Yes. In a recent customer support case, a customer planned to disable old cipher suites at their gateway and wanted to confirm there would be no impact on SSIS packages using the ZappySys JSON Source REST API component .
Because the environment was already using system-default TLS with modern protocols, the customer was able to proceed with gateway hardening without any issues.
Summary
- ZappySys SSIS PowerPack does not use or enforce old cipher suites
- TLS and cipher selection are controlled by Windows and .NET
- Gateway security hardening is safe in modern environments
- Always validate OS, .NET, and TLS configuration on the SSIS server
For additional questions related to encryption, TLS, or security behavior, visit the ZappySys Community or contact support@zappysys.com.