TLS Cipher Suite Hardening for Anypoint MQ Endpoints (April

TLS Cipher Suite Hardening for Anypoint MQ Endpoints (April–May 2026)

Publish Date: May 12, 2026

Description

As part of ongoing Salesforce security hardening efforts, Anypoint MQ endpoints were updated to comply with current Salesforce security standards and modern TLS best practices.

This hardening includes:
Supporting only AEAD cipher suites such as:
GCM

As a result, legacy cipher suites are no longer accepted, including:

CBC-SHA ciphers
Static-RSA cipher suites

These legacy ciphers had already been deprecated in underlying TLS libraries and are now fully disabled on Anypoint MQ endpoints.

Impact:

External applications using older TLS configurations or legacy cipher suites may fail to establish SSL/TLS connections to Anypoint MQ endpoints.

Typical symptoms include:
- SSL handshake failures
- Inability to publish or consume MQ messages

Resolution

Customers should update their applications or TLS libraries to use modern supported cipher suites.

Recommended cipher suites include:

AES GCM-SHA384
AES GMC-SHA256
CHACHA20 POLY1305-SHA256

Additional Resources

This change affects TLS negotiation behavior only.
No application-level API changes were introduced.

Knowledge Article Number

005321986

Did this article solve your issue?

Let us know so we can improve!

TLS Cipher Suite Hardening for Anypoint MQ Endpoints (April–May 2026)

General Information

Required Cookies

Functional Cookies

Advertising Cookies

General Information

Required Cookies

Functional Cookies

Advertising Cookies

Cookie List