Loading

Strengthen Security: Transition Away from RSA Key Exchanges for Salesforce TLS Connections

Veröffentlichungsdatum: Jun 16, 2026
Beschreibung

This article explains how to strengthen the security of TLS (Transport Layer Security) connections to Salesforce by transitioning away from static RSA (Rivest–Shamir–Adleman) key exchanges toward ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchanges and TLS 1.3.
Key terms:

  • TLS (Transport Layer Security): The protocol used to encrypt data between your systems and Salesforce.
  • RSA (Rivest–Shamir–Adleman): A legacy key exchange method that does not support Perfect Forward Secrecy and is being phased out.
  • ECDHE (Elliptic Curve Diffie-Hellman Ephemeral): The modern key exchange method that supports PFS (Perfect Forward Secrecy), meaning each session uses a unique encryption key that cannot be derived from future or past sessions.
  • PFS (Perfect Forward Secrecy): A property ensuring that even if a long-term key is compromised, past session keys cannot be recovered. See NIST definition of  Perfect Forward Secrecy.
  • AES (Advanced Encryption Standard): The recommended symmetric encryption algorithm, used with 128-bit or 256-bit keys.
  • GCM (Galois/Counter Mode): A block cipher mode used with AES in TLS 1.2.

Salesforce strongly recommends transitioning to TLS 1.3 and modern encryption methods. TLS 1.2 continues to be supported as long as it uses PFS-compliant cipher suites. RSA key exchanges will still work for incoming TLS connections but are risky and can affect the security and efficiency of network communications.

Lösung
  • Prerequisites: Verify Software Environment Compatibility

    Before making changes, verify that your software environment (outside of Salesforce configurations) supports AES with:
    • 128-bit or 256-bit keys
    • ECDHE key exchange
    • GCM (Galois/Counter Mode) block cipher, if using TLS 1.2

    Step 1: Enable TLS 1.3 in Your Environment

    Enable TLS 1.3 in your software environment. TLS 1.3 does not support cipher suites using RSA key exchanges — enabling it ensures compatibility with Salesforce without relying on legacy RSA. TLS 1.3 also supports additional secure block cipher modes such as CCM (Counter with CBC-MAC) and TLS_CHACHA20_POLY1305_SHA256.
    If TLS 1.3 is not yet available in your environment, TLS 1.2 can still be used as long as compliant, ECDHE-based cipher suites are enabled.

    Step 2: Verify Salesforce Login History for Cipher Suite Entries

    After disabling RSA key exchanges in your environment, validate the change in Salesforce Setup by reviewing Login History.
    In Salesforce Setup, navigate to Login History. In the TLS Cipher Suite column:
    • Look for entries showing "ECDHE" under "TLSv1.2", such as ECDHE-RSA-AES256-GCM-SHA384. These are expected and correct.
    • After disabling RSA key exchanges, cipher suites such as AES256-SHA256 or AES256-SHA (which use static RSA and do not include ECDHE) should no longer appear in the login history.
    • TLS 1.3 logins show cipher suites such as TLS_AES_256_GCM_SHA384 and implicitly use ECDHE — no additional action is needed for TLS 1.3 logins.

    Step 3: Current Salesforce TLS 1.3 Deployment Status

    Salesforce currently uses TLS 1.3 for incoming connections to Hyperforce and the Salesforce Edge Network, but not yet for all first-party infrastructure. TLS 1.2 with compliant cipher suites can still be used where TLS 1.3 is not yet available.

    Important: Impact of Turning Off RSA Key Exchanges

    Turning off RSA key exchanges can disrupt TLS connections if any systems in your environment rely solely on RSA-based cipher suites. Before disabling RSA key exchanges, validate that all integration endpoints, API clients, and SSO configurations support ECDHE-based cipher suites or TLS 1.3.

IMPORTANT:  Turning off RSA key exchanges can disrupt TLS connections behind such logins.

NOTE: If you’re a GovCloud customer, there’s no change required from your end. For details, see the Supported Cipher and TLS versions for Government Cloud article. 

 

Nummer des Knowledge-Artikels

002472175

 
Laden
Salesforce Help | Article