API: Upcoming upgrade to SHA256 SSL certificate

Note: This announcement should not have any effect on end users. Many technical users, developers, and consumers of our API will not need to make any changes, but testing is advised to ensure compatibility with your systems accessing our API.

In approximately one month on Tuesday, September 15, 2015, Pushover will be upgrading its SSL certificate for api.pushover.net to be signed with SHA256. Our current certificate is signed with SHA1, which has already been deprecated by most browser vendors.

Last year we upgraded to a SHA256-signed SSL certificate for https://pushover.net and https://client.pushover.net. Since web browsers like Firefox, Chrome, and Safari are updated on a weekly or monthly basis with new security features, our users did not encounter any compatibility issues with these new certificates while browsing our website or accessing our Desktop client.

However, since some of our users are accessing our messaging API from older systems that are not updated as frequently, some encountered compatibility issues when we also updated the SSL certificate on https://api.pushover.net at that time. In response to those problems, we rolled back the certificate upgrade for just api.pushover.net.

As SHA1 certificates are now widely considered to be in need of replacement and are displaying with broken lock icons in some browsers, we are moving ahead with our SHA256 certificate upgrade.

To test your systems against our new certificate before we make the switch on Tuesday, September 15, 2015, you can temporarily use an API endpoint of:

https://api-newssl.pushover.net/1/messages.json

instead of:

https://api.pushover.net/1/messages.json

If you are able to send messages through api-newssl, then your systems are up to date and will not experience problems when we switch over. You can continue using api.pushover.net and when we upgrade next month, you will not need to do anything further.

If your systems are not able to negotiate an SSL connection to api-newssl.pushover.net, then you will need to upgrade your SSL library or operating system before Tuesday, September 15, 2015 or you will not be able to send Pushover messages after that date. You may need to contact your vendor to inquire about updates needed to access SHA256 SSL certificates in your software.

Note: api-newssl.pushover.net is only temporary and should not be used in production. Afer September 15, 2015, api-newssl.pushover.net will no longer exist.