This article explains how to strengthen the security of TLS (Transport Layer Security) connections to Salesforce by transitioning away from static RSA (Rivest–Shamir–Adleman) key exchanges toward ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) key exchanges and TLS 1.3.
Key terms:
Salesforce strongly recommends transitioning to TLS 1.3 and modern encryption methods. TLS 1.2 continues to be supported as long as it uses PFS-compliant cipher suites. RSA key exchanges will still work for incoming TLS connections but are risky and can affect the security and efficiency of network communications.
ECDHE-RSA-AES256-GCM-SHA384. These are expected and correct.AES256-SHA256 or AES256-SHA (which use static RSA and do not include ECDHE) should no longer appear in the login history.TLS_AES_256_GCM_SHA384 and implicitly use ECDHE — no additional action is needed for TLS 1.3 logins.IMPORTANT: Turning off RSA key exchanges can disrupt TLS connections behind such logins.
NOTE: If you’re a GovCloud customer, there’s no change required from your end. For details, see the Supported Cipher and TLS versions for Government Cloud article.
002472175

We use three kinds of cookies on our websites: required, functional, and advertising. You can choose whether functional and advertising cookies apply. Click on the different cookie categories to find out more about each category and to change the default settings.
Privacy Statement
Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, authentication cookies, and security cookies.
Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual.
Advertising cookies track activity across websites in order to understand a viewer’s interests, and direct them specific marketing. Some examples include: cookies used for remarketing, or interest-based advertising.