Strengthen Security: Move away from RSA Key Exchanges for TLS connections

To ensure a smooth transition, verify that your software environment (other than Salesforce configurations) supports AES with:

• 128-bit or 256-bit keys

• ECDHE key exchange

• Galois counter mode (GCM) block cipher mode, if using TLS 1.2

It’s also recommended to enable TLS 1.3 for upcoming changes: 

• Enable TLS 1.3 within your software environment for compatibility without RSA key exchanges. TLS 1.3 doesn’t have cipher suites using RSA key exchanges. These adjustments maintain compatibility with services from Salesforce and prevent network disruptions.
• Verify your Salesforce organization’s login history for TLS Cipher Suite entries containing "ECDHE" under "TLSv1.2". After RSA keys are disabled in your software environment, the Salesforce login history shouldn’t show cipher suites like AES256-SHA256 or AES256-SHA. All logins with the TLSv1.3 protocol implicitly use ECDHE. Refer to this image for guidance. 

• Salesforce currently uses TLS 1.3 for incoming connections to Hyperforce and Salesforce Edge Network, but not yet for first-party infrastructure. TLS 1.2 can still be used where TLS 1.3 isn’t available, as long as compliant cipher suites are enabled. 
• In TLS 1.3, other secure block cipher modes can be allowed, such as CCM or the one in TLS_CHACHA20_POLY1305_SHA256.

IMPORTANT:  Turning off RSA key exchanges can disrupt TLS connections behind such logins.

NOTE: If you’re a GovCloud customer, there’s no change required from your end. For details, see the Supported Cipher and TLS versions for Government Cloud article.