Genesys Cloud - Main

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

Good Afternoon,

We recently removed the set of cipher suites as from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

I'd appreciate any insights or guidance you can share

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

@Rashid Adat I have not personally heard any concerns from other Ribbon users.  I did look at this page, https://publicdoc.rbbn.com/spaces/UXDOC122/pages/451249486/Creating+and+Modifying+TLS+Profiles, which lists the following supported ciphers on Ribbon 12.2.x, of those, two are supported by both Ribbon and Genesys BYOC Cloud.  However, since they both are elliptical curve Diffie-Hellman ephemeral (ECDHE) ciphers, there also must be a elliptical curve is common.  Genesys BYOC Cloud only supports secp384r1, so to use those ciphers with your SBC, Ribbon must also support that elliptical curve.  I have been trying to dig into Ribbon documents to find their elliptical curve related configuration, however right now it seems there public documents are not available on their website.

• TLS_CHACHA20_POLY1305_SHA256    
• TLS_AES_256_GCM_SHA384 (TLSv1.3, not supported for TLSv1.2)
• TLS_AES_128_GCM_SHA256 (TLSv1.3, not supported for TLSv1.2)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 *BYOC supported
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * BYOC supported
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (being deprecated by BYOC Cloud)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256 (being deprecated by BYOC Cloud)
• TLS_RSA_WITH_AES_128_CBC_SHA256

Further, you are correct that this is most likely not related to the certificate.  The certificate does provide the public key to the remote peer, and the selected cipher is dependent on the key, as long as there is a corresponding key for the selected algorithm (typically either RSA or DSA, and RSA in all of these cases) all of these ciphers will work with the same certificate.  

Good Afternoon,

We recently removed the set of cipher suites as from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

I'd appreciate any insights or guidance you can share

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

Hi @Phil Whitener we have logged some tickets with Ribbon and Genesys in regards to this issue with our SBC 1000 & 2000 devices but currently have no workarounds.  We are currently running firmware version 12.2.0 and have tested 12.3.0 with the same issue below.

TLS_RSA_WITH_AES_256_CBC_SHA256 is currently the only Cipher supported by both SBC 1000/2000 and PureCloud BYOC but as per the notification this will be deprecated.

In regards to the following ciphers Ribbon SBC 1000/2000 only support the secp256r1 curve whereas Purecloud BYOD only supports the secp384r1 curve making any of the ECDHE ciphers incompatable.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Ribbon support have provided me with some prerelease firmware for our SBC 1000 and I have confirmed it as working with Purecloud BYOD (supports negotiation of the following curves x448, x25519, secp256r1, secp521r1 and secp384r1)

Ribbon inform me that software release 12.4.0 will include the new feature and is expected to be avaliable for general avaliability at the end of October.  Once avaliable we will need some time to test the firmware and schedule an upgrade to our production environment.  Would it be possible to postphone the deprication of TLS_RSA_WITH_AES_256_CBC_SHA256 until the end of November?

Thanks,

@Rashid Adat I have not personally heard any concerns from other Ribbon users.  I did look at this page, https://publicdoc.rbbn.com/spaces/UXDOC122/pages/451249486/Creating+and+Modifying+TLS+Profiles, which lists the following supported ciphers on Ribbon 12.2.x, of those, two are supported by both Ribbon and Genesys BYOC Cloud.  However, since they both are elliptical curve Diffie-Hellman ephemeral (ECDHE) ciphers, there also must be a elliptical curve is common.  Genesys BYOC Cloud only supports secp384r1, so to use those ciphers with your SBC, Ribbon must also support that elliptical curve.  I have been trying to dig into Ribbon documents to find their elliptical curve related configuration, however right now it seems there public documents are not available on their website.

• TLS_CHACHA20_POLY1305_SHA256    
• TLS_AES_256_GCM_SHA384 (TLSv1.3, not supported for TLSv1.2)
• TLS_AES_128_GCM_SHA256 (TLSv1.3, not supported for TLSv1.2)
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 *BYOC supported
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 * BYOC supported
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (being deprecated by BYOC Cloud)
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_256_CBC_SHA256 (being deprecated by BYOC Cloud)
• TLS_RSA_WITH_AES_128_CBC_SHA256

Further, you are correct that this is most likely not related to the certificate.  The certificate does provide the public key to the remote peer, and the selected cipher is dependent on the key, as long as there is a corresponding key for the selected algorithm (typically either RSA or DSA, and RSA in all of these cases) all of these ciphers will work with the same certificate.  

Good Afternoon,

We recently removed the set of cipher suites as from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

I'd appreciate any insights or guidance you can share

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

Good Afternoon,

We recently removed the set of cipher suites as from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

I'd appreciate any insights or guidance you can share

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

@Rashid Adat It appears prior to SBC Core 09.02.05R008 the Ribbon SBC might not accept P-384 / secp384r1 as an elliptical curve.  See "SBX-118425 | SBX-118930" fixes listed in https://publicdoc.rbbn.com/spaces/SBXDOC92/pages/394218084/SBC+Core+09.02.05R008+Release+Notes

Good Afternoon,

We recently removed the set of cipher suites as from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

I'd appreciate any insights or guidance you can share

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

Hi Phil,

Thank you for looking into this and providing the information. On the surface, it appears that the Ribbon SBC may not support the P-384 / secp384r1 elliptical curve. The two units we're testing are running software version 12.0.1, and we're currently awaiting further feedback from the vendor.

I'll keep you posted on any updates. In the meantime, I welcome any additional feedback you may have.

@Rashid Adat It appears prior to SBC Core 09.02.05R008 the Ribbon SBC might not accept P-384 / secp384r1 as an elliptical curve.  See "SBX-118425 | SBX-118930" fixes listed in https://publicdoc.rbbn.com/spaces/SBXDOC92/pages/394218084/SBC+Core+09.02.05R008+Release+Notes

Good Afternoon,

We recently removed the set of cipher suites as from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

I'd appreciate any insights or guidance you can share

We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.

Hello all

Is there an estimate of when it will be done?

Thanks

Regards

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  

------------------------------
Phil Whitener
Genesys - Employees
------------------------------


Original Message:
Sent: 09-02-2025 22:57
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:34
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:25
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:14
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 21:30
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

------------------------------
Pablo Barnech

Hi Phil

I have a similar situation with a particular ORG in Genesys Cloud for one of my customers. 

We got two Generic BYOC PBX trunks between Ribbon SBCs and Genesys Cloud platform and very worried about the impact on customers daily activities this deprecation will have.

According Ribbon, they recommend using ECDHE ciphers with compatible Key Share between Genesys and SBCs (secp384r1 if I understood correctly). Based on this, I found that the only compatible cipher suite between SBCs and Genesys meeting this requirement will be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

When I try to set this cipher suite in the Genesys trunk config screen, I get a "Validation error" and cannot save the config. Same situation as @Pablo Barnech explained earlier in this topic. So can you please help clarify how we can set up this suite then??

------------------------------
LAURA MARIA LAFUENTE VALLE
NA
------------------------------


Original Message:
Sent: 09-02-2025 23:03
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:57
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:34
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:25
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:14
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 21:30
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

------------------------------
Pablo Barnech

@LAURA MARIA LAFUENTE VALLE we are monitoring the cipher usage and are aware of the Ribbon compatibility issues.  We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks.  Although Genesys and Ribbon have a common TLS cipher, currently Genesys only supports the elliptical curve you mentioned, secp384r1, while Ribbon only supports the elliptical curve secp256r1.  This creates an incompatibility with that cipher, and is why we see those trunks using one of the ciphers we plan to deprecate.  Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device."  That is likely why you are seeing a validation error.  We will retain these ciphers in regions where we know they are being used to ensure these trunks continue to work until we can find a solution that allows for the deprecation.

------------------------------
Phil Whitener
Genesys - Employees
------------------------------


Original Message:
Sent: 09-09-2025 07:28
From: LAURA MARIA LAFUENTE VALLE
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil

I have a similar situation with a particular ORG in Genesys Cloud for one of my customers. 

We got two Generic BYOC PBX trunks between Ribbon SBCs and Genesys Cloud platform and very worried about the impact on customers daily activities this deprecation will have.

According Ribbon, they recommend using ECDHE ciphers with compatible Key Share between Genesys and SBCs (secp384r1 if I understood correctly). Based on this, I found that the only compatible cipher suite between SBCs and Genesys meeting this requirement will be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

When I try to set this cipher suite in the Genesys trunk config screen, I get a "Validation error" and cannot save the config. Same situation as @Pablo Barnech explained earlier in this topic. So can you please help clarify how we can set up this suite then??

------------------------------
LAURA MARIA LAFUENTE VALLE
NA


Original Message:
Sent: 09-02-2025 23:03
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:57
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:34
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:25
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:14
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 21:30
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

------------------------------
Pablo Barnech

Hi @Phil Whitener, thank you so much for your reply and help, 

however there´s something I still don´t understand,

You said: Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device.

The thing is that on those same trunks I´m trying to update the config with ECDHE suite, there´s already a custom config set up with the following trunk_transport_tls_ciphers as list: "TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA"
This is quite confusing, bc you say that BYOC trunks do not have any TLS cipher configuration, but in my production setup I see that they actually have.

Regarding this: " We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks."
Great, so an you confirm the announced deprecation date (22 Sept) will be posponed at least for Genesys-RIBBON SBC interop trunks??

Again thank you,

------------------------------
LAURA MARIA LAFUENTE VALLE
Spain
------------------------------


Original Message:
Sent: 09-09-2025 10:42
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

@LAURA MARIA LAFUENTE VALLE we are monitoring the cipher usage and are aware of the Ribbon compatibility issues.  We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks.  Although Genesys and Ribbon have a common TLS cipher, currently Genesys only supports the elliptical curve you mentioned, secp384r1, while Ribbon only supports the elliptical curve secp256r1.  This creates an incompatibility with that cipher, and is why we see those trunks using one of the ciphers we plan to deprecate.  Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device."  That is likely why you are seeing a validation error.  We will retain these ciphers in regions where we know they are being used to ensure these trunks continue to work until we can find a solution that allows for the deprecation.

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-09-2025 07:28
From: LAURA MARIA LAFUENTE VALLE
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil

I have a similar situation with a particular ORG in Genesys Cloud for one of my customers. 

We got two Generic BYOC PBX trunks between Ribbon SBCs and Genesys Cloud platform and very worried about the impact on customers daily activities this deprecation will have.

According Ribbon, they recommend using ECDHE ciphers with compatible Key Share between Genesys and SBCs (secp384r1 if I understood correctly). Based on this, I found that the only compatible cipher suite between SBCs and Genesys meeting this requirement will be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

When I try to set this cipher suite in the Genesys trunk config screen, I get a "Validation error" and cannot save the config. Same situation as @Pablo Barnech explained earlier in this topic. So can you please help clarify how we can set up this suite then??

------------------------------
LAURA MARIA LAFUENTE VALLE
NA


Original Message:
Sent: 09-02-2025 23:03
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:57
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:34
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:25
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:14
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 21:30
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

------------------------------
Pablo Barnech

@LAURA MARIA LAFUENTE VALLE all of our trunk configuration has the same schema, some properties are used for all trunks, some is just used for premise trunks, and others are just used for cloud trunks.  In almost all cases, the items that are expected to be configured for a particular trunk show up as UI elements to configure; custom properties are not where setting are exposed.  In the case of the trunk cipher list, a selectable list appears on premise trunks because that configuration is available in that model; but that is not the case for cloud trunks so that configuration is not exposed in the UI.  If a property gets updated that is not exposed in the UI, it will show up in the custom properties area; however, that does not imply it is doing anything.  In this case you set a property that is used for premise trunks on a cloud trunk and; although it is part of the schema, that property is ignored for cloud trunks.  

We are not postponing the deprecation date completely as we will begin to disable ciphers in regions where we have not seen any usage on that published date.  But yes, we will not remove the required cipher in regions where we see usage and will likely publish an additional date after we have a path forward for the Ribbon trunks.  

Hi @Phil Whitener, thank you so much for your reply and help, 

however there´s something I still don´t understand,

You said: Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device.

The thing is that on those same trunks I´m trying to update the config with ECDHE suite, there´s already a custom config set up with the following trunk_transport_tls_ciphers as list: "TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA"
This is quite confusing, bc you say that BYOC trunks do not have any TLS cipher configuration, but in my production setup I see that they actually have.

Regarding this: " We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks."
Great, so an you confirm the announced deprecation date (22 Sept) will be posponed at least for Genesys-RIBBON SBC interop trunks??

Again thank you,

------------------------------
LAURA MARIA LAFUENTE VALLE
Spain


Original Message:
Sent: 09-09-2025 10:42
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

@LAURA MARIA LAFUENTE VALLE we are monitoring the cipher usage and are aware of the Ribbon compatibility issues.  We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks.  Although Genesys and Ribbon have a common TLS cipher, currently Genesys only supports the elliptical curve you mentioned, secp384r1, while Ribbon only supports the elliptical curve secp256r1.  This creates an incompatibility with that cipher, and is why we see those trunks using one of the ciphers we plan to deprecate.  Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device."  That is likely why you are seeing a validation error.  We will retain these ciphers in regions where we know they are being used to ensure these trunks continue to work until we can find a solution that allows for the deprecation.

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-09-2025 07:28
From: LAURA MARIA LAFUENTE VALLE
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil

I have a similar situation with a particular ORG in Genesys Cloud for one of my customers. 

We got two Generic BYOC PBX trunks between Ribbon SBCs and Genesys Cloud platform and very worried about the impact on customers daily activities this deprecation will have.

According Ribbon, they recommend using ECDHE ciphers with compatible Key Share between Genesys and SBCs (secp384r1 if I understood correctly). Based on this, I found that the only compatible cipher suite between SBCs and Genesys meeting this requirement will be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

When I try to set this cipher suite in the Genesys trunk config screen, I get a "Validation error" and cannot save the config. Same situation as @Pablo Barnech explained earlier in this topic. So can you please help clarify how we can set up this suite then??

------------------------------
LAURA MARIA LAFUENTE VALLE
NA


Original Message:
Sent: 09-02-2025 23:03
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:57
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:34
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:25
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:14
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 21:30
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

------------------------------
Pablo Barnech

I'm hoping for a little clarity as we ran into the same situation in our org - we have BYOC Cloud and found that we also had TLS Ciphers being listed in the custom configuration on our trunks.  I opened a Genesys Support case to get more information about the configuration, and they advised this:

"Question: Would removing the "custom" field cause TLS to fail?

 Answer:

Removing the custom field would likely cause TLS to fail
The custom field is essential for proper TLS configuration
It's recommended to maintain the custom field with proper cipher configurations"

Was Genesys Support wrong in this case and we should remove the custom configuration listing TLS Ciphers (as it's not actually doing anything)?

Additionally, the announcement for this now lists a deprecation date of 11/17 (https://help.mypurecloud.com/announcements/deprecation-byoc-cloud-sip-tls-ciphers/).  Are you able to provide the list of regions where this may not be accurate if only some are being postponed?

@LAURA MARIA LAFUENTE VALLE all of our trunk configuration has the same schema, some properties are used for all trunks, some is just used for premise trunks, and others are just used for cloud trunks.  In almost all cases, the items that are expected to be configured for a particular trunk show up as UI elements to configure; custom properties are not where setting are exposed.  In the case of the trunk cipher list, a selectable list appears on premise trunks because that configuration is available in that model; but that is not the case for cloud trunks so that configuration is not exposed in the UI.  If a property gets updated that is not exposed in the UI, it will show up in the custom properties area; however, that does not imply it is doing anything.  In this case you set a property that is used for premise trunks on a cloud trunk and; although it is part of the schema, that property is ignored for cloud trunks.  

We are not postponing the deprecation date completely as we will begin to disable ciphers in regions where we have not seen any usage on that published date.  But yes, we will not remove the required cipher in regions where we see usage and will likely publish an additional date after we have a path forward for the Ribbon trunks.  

Hi @Phil Whitener, thank you so much for your reply and help, 

however there´s something I still don´t understand,

You said: Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device.

The thing is that on those same trunks I´m trying to update the config with ECDHE suite, there´s already a custom config set up with the following trunk_transport_tls_ciphers as list: "TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA"
This is quite confusing, bc you say that BYOC trunks do not have any TLS cipher configuration, but in my production setup I see that they actually have.

Regarding this: " We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks."
Great, so an you confirm the announced deprecation date (22 Sept) will be posponed at least for Genesys-RIBBON SBC interop trunks??

Again thank you,

------------------------------
LAURA MARIA LAFUENTE VALLE
Spain


Original Message:
Sent: 09-09-2025 10:42
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

@LAURA MARIA LAFUENTE VALLE we are monitoring the cipher usage and are aware of the Ribbon compatibility issues.  We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks.  Although Genesys and Ribbon have a common TLS cipher, currently Genesys only supports the elliptical curve you mentioned, secp384r1, while Ribbon only supports the elliptical curve secp256r1.  This creates an incompatibility with that cipher, and is why we see those trunks using one of the ciphers we plan to deprecate.  Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device."  That is likely why you are seeing a validation error.  We will retain these ciphers in regions where we know they are being used to ensure these trunks continue to work until we can find a solution that allows for the deprecation.

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-09-2025 07:28
From: LAURA MARIA LAFUENTE VALLE
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil

I have a similar situation with a particular ORG in Genesys Cloud for one of my customers. 

We got two Generic BYOC PBX trunks between Ribbon SBCs and Genesys Cloud platform and very worried about the impact on customers daily activities this deprecation will have.

According Ribbon, they recommend using ECDHE ciphers with compatible Key Share between Genesys and SBCs (secp384r1 if I understood correctly). Based on this, I found that the only compatible cipher suite between SBCs and Genesys meeting this requirement will be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

When I try to set this cipher suite in the Genesys trunk config screen, I get a "Validation error" and cannot save the config. Same situation as @Pablo Barnech explained earlier in this topic. So can you please help clarify how we can set up this suite then??

------------------------------
LAURA MARIA LAFUENTE VALLE
NA


Original Message:
Sent: 09-02-2025 23:03
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:57
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

yes, it's BYOC Cloud. 

Ok, thanks for your explanation but, so, what is the purpouse of that custom property? I don't understand, if there is no option to choose the ciphers offered by Genesys, why we can configure that custom property? and why the platform checks the value? because as I said before if I put, for example "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
But, don't worry and thanks for your answer and explanation. 

Regards

Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:34
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by tge GenesysCloud endpoint.  This page details what is offered https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake. 

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 22:25
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phil, 

thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys to send all its supported ciphers) which is connected to Genesys Cloud  and we could configure the other ciphers without any problem, but this in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the ciphers itself or maybe there is something wrong with the custom property implementation.
I hope I have been more clear
Again, thanks in advance
Regards
Pablo

------------------------------
Pablo Barnech


Original Message:
Sent: 09-02-2025 22:14
From: Phil Whitener
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hello @Pablo Barnech

What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, tgere is no Genesys Cloud configuration needed for this deprecation.   Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc)

------------------------------
Phil Whitener
Genesys - Employees


Original Message:
Sent: 09-02-2025 21:30
From: Pablo Barnech
Subject: BYOC Cloud TLS Cipher Deprecation - 2025

Hi Phill, 

Thanks for the excellent explanation.

I have a question, We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. any idea?
Thanks in advance
Pablo

------------------------------
Pablo Barnech

Hello,

For one of my clients, I am still receiving alerts from Genesys indicating that the org is still impacted by this deprecation.
In the TLS trunk configuration, media tab, there is no trace of problematic ciphers, and the client has checked with their operator who apparently does not use them.
Is there an easy way to identify the trunk(s) triggering the alert on your side?

Hi Phil,

I captured a Wireshark trace in production and did not find any Client Hello or Server Hello packets.

In our sandbox environment, we disabled and re-enabled an external trunk in Genesys Cloud, but I still did not observe any related traffic.

We are wondering whether this TLS negotiation only occurs when a trunk is initially created or enabled.

How can we trigger this negotiation in order to identify which cipher is used for inbound and outbound calls? Is there any action required at the SBC level to provoke this exchange?

Thank you,

Guillermo