BYOC Cloud TLS Cipher Deprecation - 2025

  Thread closed by the administrator, not accepting new replies.
  • 1.  BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 03-25-2025 10:33
    Edited by Phil Whitener 03-25-2025 11:25
    No replies, thread closed.

    Genesys recently announced an upcoming deprecation for BYOC Cloud SIP TLS ciphers.  This discussion will be for sharing more information and allowing users to ask questions regarding this deprecation.  Deprecation: BYOC Cloud SIP TLS ciphers

    In summary, Genesys is planning on removing two existing TLS ciphers from use for BYOC Cloud SIP trunks:

    • TLS_RSA_WITH_AES_256_CBC_SHA256, also referred to as AES256-SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, also referred to as ECDHE-RSA-AES256-SHA384

    These ciphers will be removed on a future date.  Genesys can track the usage of these ciphers and will communicate with customers using these ciphers to minimize impact. 

    More details about BYOC Cloud TLS capabilities are listed on this page: TLS trunk transport protocol specification

    Remote SIP Endpoints

    In this discussion a "remote SIP endpoint" represents a device external from the Genesys platform that communicates with Genesys Cloud using BYOC Cloud with the SIP protocol.  This device is usually controlled and managed by telephony or network administrators or one of their partners, such as a carrier or service provider.  These devices are not controlled or managed within Genesys Cloud.  These devices determine the TLS ciphers and priority used for inbound calls into Genesys Cloud.

    BYOC Cloud SIP Endpoints

    In this discussion, a "BYOC Cloud SIP Endpoint" represents the public SIP endpoints for Genesys Cloud listed on this page: BYOC Cloud Public SIP IP Addresses.  These devices are controlled and managed by Genesys and there is no Genesys Cloud configuration required for this deprecation.  These devices determine the TLS cipher priority used for outbound calls from Genesys Cloud.  Genesys has already lowered the priority of the ciphers that will be deprecated, so they will only be selected if they are the only available ciphers.

    GC External Trunk

    In this discussion the "GC External Trunk" represents the Genesys Cloud SIP trunk configuration for the BYOC Cloud trunk.  This is the Genesys Cloud configuration where the details for the communication between the BYOC Cloud SIP Endpoints and the remote SIP endpoints are defined.

    Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device.  

    It is beneficial for all BYOC Cloud customers to remove these ciphers from their own remote configuration in advance to help the reporting and tracking of the usage of these ciphers.  

    Inbound Calls (Carrier or SBC to Genesys Cloud)

    When secure external inbound calls are dialed and sent to Genesys Cloud using BYOC Cloud, the "remote SIP endpoint" starts a TLS negotiation with the Genesys Cloud BYOC Cloud SIP endpoints.  During this negotiation, the remote SIP endpoint provides a prioritized list of supported ciphers.  The Genesys Cloud BYOC Cloud SIP endpoints will choose the highest prioritized cipher that the remote SIP endpoint offers that Genesys Cloud also supports.  If one of the ciphers to be deprecated has the highest priority, it will be selected and used.  Genesys cannot deprioritize those ciphers; that must be managed by the remote SIP endpoint.

    Outbound Calls  (Genesys Cloud to Carrier or SBC)

    When secure external outbound calls are dialed from Genesys Cloud and sent to your carrier or telephony platform using BYOC Cloud, the "BYOC Cloud SIP endpoints" start a TLS negotiation with the remote SIP endpoint.  During this negotiation, the BYOC Cloud SIP endpoints provide a prioritized list of supported ciphers; the ciphers that are being deprecated are included, but they have the lowest priority.  The remote SIP endpoint will choose the highest prioritized cipher that the BYOC Cloud SIP endpoints offer that the remote SIP endpoint also supports.  If the remote SIP endpoint only supports the ciphers to be deprecated, then one will be used.

    When Genesys reports on cipher usage, any inbound call that is using a cipher to be deprecated indicates that the remote SIP endpoint is prioritizing one of those ciphers.  Any outbound call that is using a cipher to be deprecated indicates that the remote SIP endpoint only supports one of those ciphers.

    How to determine the TLS cipher being used

    The best way to review the cipher selection is to review a packet capture of the SIP communication.  Although with TLS trunks the SIP communication will be encrypted and not visible in the capture, the TLS handshake process provides details that can be derived from the capture.  It is important to look at both inbound and outbound calls separately, as negotiating different ciphers for each call direction is common.  

    Locate the TLS Handshake Client Hello request message, expand the Client Hello and the nested Cipher Suites list.  This is the prioritized list the client sends to the server, listing all of the client's supported ciphers and the order in which it prefers them to be selected (higher in list is higher priority).  The below list is the prioritized list that the Genesys Cloud BYOC SIP endpoints send on outbound calls.  Note that the two ciphers being deprecated (0x003d) and (0xc028) receive the lowest priority; they will only be chosen if the server does not support any of the other ciphers.

    The next message should be the Server Hello response message, expand the Server Hello and the nested Cipher Suite.  This is the one cipher that the server chose from the client's offer to use for this encrypted communication.
    The Genesys Cloud BYOC SIP endpoints are configured to choose the least secure cipher offered by the client.  If an administrator does not want a particular cipher to be used, it should not be included in the offer by the remote SIP endpoint and managed in that configuration.  
    Genesys Cloud allows for External Trunk cipher control for BYOC Premise trunks but not for BYOC Cloud trunks.  All BYOC Cloud trunks use the same TLS configuration; however, BYOC Cloud trunks cipher management can be managed by the remote SIP endpoint.
    Please leave a message on this post if additional clarification is requested. 


    #Telephony

    ------------------------------
    Phil Whitener
    Genesys Employee
    ------------------------------
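
The capture review described in the post above can also be scripted. The following is an added example, not code from the original post or from Genesys: it parses one TLS ClientHello record and reports where the two deprecated suites sit in the offer and which elliptic-curve groups are advertised. The function names are hypothetical, the sample record is constructed in the code, and it assumes the ClientHello fits in a single unfragmented record.

```python
import struct

# The two suites being deprecated, with the code points quoted in the post.
DEPRECATED = {
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}
# Signalling values that are not real ciphers and must not count as alternatives.
SIGNALLING = {0x00FF, 0x5600}
# IANA named groups for the elliptic curves a TLS endpoint can advertise.
GROUPS = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1", 29: "x25519", 30: "x448"}


def _u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]   # struct.error if out of bounds


def _parse(record):
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hello = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                   # client_version + random
    pos += 1 + hello[pos]                          # session_id
    n = _u16(hello, pos)
    pos += 2
    suites = [_u16(hello, i) for i in range(pos, pos + n, 2)]
    pos += n
    pos += 1 + hello[pos]                          # compression methods
    groups = []
    if pos < len(hello):                           # extensions are optional
        end = pos + 2 + _u16(hello, pos)
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
            pos += 4
            if ext_type == 0x000A:                 # supported_groups
                glen = _u16(hello, pos)
                groups = [_u16(hello, i) for i in range(pos + 2, pos + 2 + glen, 2)]
            pos += ext_len
    return suites, groups


def parse_client_hello(record):
    """Return (cipher suites in offer order, supported groups)."""
    try:
        return _parse(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc


def audit(record):
    """Report the rank of each deprecated suite and whether anything else is offered."""
    suites, groups = parse_client_hello(record)
    real = [s for s in suites if s not in SIGNALLING]
    return {
        "deprecated_offered": [(rank, DEPRECATED[s])
                               for rank, s in enumerate(suites, start=1) if s in DEPRECATED],
        "only_deprecated": bool(real) and all(s in DEPRECATED for s in real),
        "groups": [GROUPS.get(g, hex(g)) for g in groups],
    }


def build_client_hello(suites, groups):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    gl = b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HHH", 0x000A, len(gl) + 2, len(gl)) + gl
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
             + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed offer: a deprecated suite first, two GCM suites, the other deprecated one.
    sample = build_client_hello([0x003D, 0xC030, 0xC02F, 0xC028, 0x00FF], [23])
    print(audit(sample))
```

A deprecated suite at rank 1 in an inbound-call ClientHello is the case the post describes as the remote endpoint prioritizing it; `only_deprecated` being true is the case where removal would break the trunk.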



  • 2.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 03-25-2025 14:24

    Hey Phil,

    Thanks for that excellent breakdown of this change! The packet capture analysis was helpful to see as well.

    If anyone needs more info, please keep an eye on this announcement in the Resource Center.



    ------------------------------
    Jason Kleitz
    Online Community Manager/Moderator
    ------------------------------



  • 3.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 04-08-2025 09:20

    Hello all

    Is there an estimate of when it will be done?

    Thanks

    Regards



    ------------------------------
    Soraya Granda Segovia
    m
    ------------------------------



  • 4.  RE: BYOC Cloud TLS Cipher Deprecation - 2025
    Best Answer

    Posted 04-08-2025 10:33

    We are monitoring cipher usage and want to get to a place where we have reduced or eliminated the dependency on these two ciphers before we remove them.  Currently they are used by too many calls and the usage patterns look like removing them would cause significant impact.  Our hope is that BYOC Cloud users will review their TLS profile configurations and remove these ciphers in advance so that they remove themselves from the usage report.  Once we get to a point where we feel the deprecation is not a significant risk we will schedule the final removal of the ciphers from our endpoints.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 5.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-15-2025 09:32

    Good Afternoon,

    We recently removed the set of cipher suites from our Ribbon 2k SBC, after which call failures began to occur. We're now wondering if the issue might be due to there being no compatible cipher suites left between the Ribbon 2k SBC and Genesys.

    We have since reverted the changes and raised a support ticket with Ribbon. In the meantime, do you have any relevant case studies or prior experience with similar issues?

    While we're not certain if the certificate itself needs reviewing, my understanding is that TLS certificates typically do not enforce or dictate cipher suite selection, so they're unlikely to be the root cause.

    I'd appreciate any insights or guidance you can share.



    ------------------------------
    Rashid Adat
    ------------------------------



  • 6.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-15-2025 10:29

    @Rashid Adat I have not personally heard any concerns from other Ribbon users.  I did look at this page, https://publicdoc.rbbn.com/spaces/UXDOC122/pages/451249486/Creating+and+Modifying+TLS+Profiles, which lists the following supported ciphers on Ribbon 12.2.x; of those, two are supported by both Ribbon and Genesys BYOC Cloud.  However, since they both are elliptical curve Diffie-Hellman ephemeral (ECDHE) ciphers, there also must be an elliptical curve in common.  Genesys BYOC Cloud only supports secp384r1, so to use those ciphers with your SBC, Ribbon must also support that elliptical curve.  I have been trying to dig into Ribbon documents to find their elliptical curve related configuration; however, right now it seems their public documents are not available on their website.

    • TLS_CHACHA20_POLY1305_SHA256
    • TLS_AES_256_GCM_SHA384 (TLSv1.3, not supported for TLSv1.2)
    • TLS_AES_128_GCM_SHA256 (TLSv1.3, not supported for TLSv1.2)
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 *BYOC supported
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 *BYOC supported
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (being deprecated by BYOC Cloud)
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256 (being deprecated by BYOC Cloud)
    • TLS_RSA_WITH_AES_128_CBC_SHA256

    Further, you are correct that this is most likely not related to the certificate.  The certificate does provide the public key to the remote peer, and the selected cipher is dependent on the key; as long as there is a corresponding key for the selected algorithm (typically either RSA or DSA, and RSA in all of these cases), all of these ciphers will work with the same certificate.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 7.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-27-2025 21:06

    Hi @Phil Whitener we have logged some tickets with Ribbon and Genesys in regards to this issue with our SBC 1000 & 2000 devices but currently have no workarounds.  We are currently running firmware version 12.2.0 and have tested 12.3.0 with the same issue below.

    TLS_RSA_WITH_AES_256_CBC_SHA256 is currently the only Cipher supported by both SBC 1000/2000 and PureCloud BYOC but as per the notification this will be deprecated.

    In regards to the following ciphers, Ribbon SBC 1000/2000 only support the secp256r1 curve whereas Purecloud BYOD only supports the secp384r1 curve, making any of the ECDHE ciphers incompatible.

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    Ribbon support have provided me with some prerelease firmware for our SBC 1000 and I have confirmed it as working with Purecloud BYOD (supports negotiation of the following curves: x448, x25519, secp256r1, secp521r1 and secp384r1).

    Ribbon inform me that software release 12.4.0 will include the new feature and is expected to be available for general availability at the end of October.  Once available we will need some time to test the firmware and schedule an upgrade to our production environment.  Would it be possible to postpone the deprecation of TLS_RSA_WITH_AES_256_CBC_SHA256 until the end of November?

    Thanks,



    ------------------------------
    Brad Harper
    ------------------------------
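
The incompatibility described in posts 6 and 7 can be reproduced with a small model of the selection rule from the first post (first suite in the client's order that the server supports), extended with the requirement that an ECDHE suite also needs an elliptic curve in common. This is an added example, not code from any poster, Genesys or Ribbon. The BYOC suite set is only the subset named in this thread, treating the order of the quoted Ribbon list as offer order is an assumption, and all function names are hypothetical.

```python
# Suites this thread marks as available on BYOC Cloud (not the complete Genesys list).
BYOC_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   # being deprecated
    "TLS_RSA_WITH_AES_256_CBC_SHA256",         # being deprecated
}
BYOC_CURVES = {"secp384r1"}
DEPRECATED = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# TLS 1.2 suites from the Ribbon 12.2.x list quoted in post 6.
# Assumption for this example: list order is the order the SBC offers them in.
RIBBON_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]


def negotiate(offer, client_curves, server_suites=BYOC_SUITES, server_curves=BYOC_CURVES):
    """Pick the first suite in the client's order that the server can actually use.

    Returns (selected suite or None, {skipped suite: reason}).
    """
    skipped = {}
    common_curves = set(client_curves) & set(server_curves)
    for suite in offer:
        if suite not in server_suites:
            skipped[suite] = "not supported by server"
        elif suite.startswith("TLS_ECDHE_") and not common_curves:
            skipped[suite] = "no common elliptic curve"
        else:
            return suite, skipped
    return None, skipped


def assess(offer, client_curves):
    """Classify a remote endpoint profile against the deprecation."""
    selected, skipped = negotiate(offer, client_curves)
    if selected is None:
        status = "handshake fails"
    elif selected in DEPRECATED:
        status = "works only via a deprecated suite"
    else:
        status = "ok"
    return status, selected, skipped


def without_deprecated(offer):
    return [s for s in offer if s not in DEPRECATED]


if __name__ == "__main__":
    new_curves = {"x448", "x25519", "secp256r1", "secp521r1", "secp384r1"}
    scenarios = {
        "12.2.x profile as listed": (RIBBON_OFFER, {"secp256r1"}),
        "deprecated suites removed": (without_deprecated(RIBBON_OFFER), {"secp256r1"}),
        "removed + secp384r1 support": (without_deprecated(RIBBON_OFFER), new_curves),
    }
    for name, (offer, curves) in scenarios.items():
        status, selected, skipped = assess(offer, curves)
        print(f"{name}: {status} ({selected})")
        for suite, reason in skipped.items():
            print(f"    skipped {suite}: {reason}")
```

The three scenarios correspond to the trunk falling back to TLS_RSA_WITH_AES_256_CBC_SHA256, the call failures reported in post 5 after the suites were removed, and the prerelease firmware that adds secp384r1.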



  • 8.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-27-2025 21:41

    @Brad Harper Yes, we are aware of the compatibility issues with Ribbon and are not going to proceed without an available workaround. We are watching the cipher usage and do not intend to introduce anything that will cause a disruption.  The end-state Genesys solution that is actually requiring these cipher deprecations will also support both secp256r1 and secp384r1 elliptical curves as well, but at this time we don't intend to migrate to that solution until we feel more confident that all existing connections are accounted for.  Meaning, if we enabled the end state solution, we know these Ribbon connections would work (with the overlapping support of secp256r1) but we don't need to force that move urgently and would like to see less utilization of these ciphers we need to deprecate before we proceed.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 9.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-15-2025 10:41

    @Rashid Adat It appears prior to SBC Core 09.02.05R008 the Ribbon SBC might not accept P-384 / secp384r1 as an elliptical curve.  See "SBX-118425 | SBX-118930" fixes listed in https://publicdoc.rbbn.com/spaces/SBXDOC92/pages/394218084/SBC+Core+09.02.05R008+Release+Notes



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 10.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-16-2025 06:13

    Hi Phil,

    Thank you for looking into this and providing the information. On the surface, it appears that the Ribbon SBC may not support the P-384 / secp384r1 elliptical curve. The two units we're testing are running software version 12.0.1, and we're currently awaiting further feedback from the vendor.

    I'll keep you posted on any updates. In the meantime, I welcome any additional feedback you may have.



    ------------------------------
    Rashid Adat
    ------------------------------



  • 11.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 07-17-2025 05:57

    Good Morning,

    My colleague Glynn Hayne received the following update from Ribbon; hope this helps anyone with a similar issue:

    Subject: Ribbon 2K Cipher Compatibility Update - Ongoing Issue and Interim Workaround

    Dear Team,

    We have received an update from Ribbon today regarding the ongoing TLS cipher compatibility issues. This is a known and actively investigated issue that is currently being addressed by Ribbon's engineering team. Please find the detailed status and interim guidance below:

    Issue Summary:

    • There is a known issue (Reference: CHOR-13149) affecting TLS cipher compatibility between the Ribbon SBC and Genesys.

    • Multiple recent cases have confirmed that the issue lies in the mismatch of supported TLS ciphers.

    • Specifically, while both Ribbon and Genesys support ECDHE-based ciphers, a discrepancy exists in RSA cipher key share preferences:

      • Ribbon uses secp256r1

      • Genesys uses secp384r1

    Current Workaround:

    • Until a software update is released to address this discrepancy, only ECDHE-based TLS ciphers that are compatible with Genesys, as identified in the official cipher support overview, should be used.

    • All other ciphers, particularly those using RSA with incompatible key shares, should be disabled on the SBC.

    Next Steps:

    • Please apply the workaround by ensuring only compatible ECDHE ciphers are enabled on your SBC.

    • Conduct testing to confirm the issue is resolved with the adjusted cipher suite.

    • Kindly report back the results of your testing to help us track progress.

    Note: Ribbon has confirmed that additional compatible TLS ciphers will be included in upcoming software releases.



    ------------------------------
    Rashid Adat
    ------------------------------



  • 12.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-02-2025 21:30

    Hi Phil,

    Thanks for the excellent explanation.

    I have a question. We are trying to configure a trunk_transport_tls_ciphers but when we put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", we receive the following error: "Validation error on field 'trunk_transport_tls_ciphers'" and as I understood this is one of the supported ciphers. Any idea?
    Thanks in advance
    Pablo



    ------------------------------
    Pablo Barnech
    ------------------------------



  • 13.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-02-2025 22:14

    Hello @Pablo Barnech

    What is "trunk_transport_tls_ciphers"?  That looks like a Custom trunk property name for configuring Genesys Cloud external trunks; however, there is no Genesys Cloud configuration needed for this deprecation.  Can you help me understand what you are trying to configure?  The change to select particular ciphers should only be needed on your voice device (SBC, PBX, managed trunk, etc.).



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 14.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-02-2025 22:26

    Hi Phil, 

    Thanks for your answer. You are totally right, it's a custom trunk property because the customer wants to configure only the ciphers supported by the Cisco CUBE (they don't want to let Genesys send all its supported ciphers) which is connected to Genesys Cloud, and we could configure the other ciphers without any problem, but this one in particular ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256") gave us an error. So maybe you know if there is any problem with the cipher itself or maybe there is something wrong with the custom property implementation.
    I hope I have been more clear.
    Again, thanks in advance
    Regards
    Pablo



    ------------------------------
    Pablo Barnech
    ------------------------------



  • 15.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-02-2025 22:34

    Is this for BYOC Cloud or BYOC Premise?  For BYOC Cloud there is no option to choose the ciphers that are offered by the Genesys Cloud endpoint.  This page details what is offered: https://help.mypurecloud.com/articles/tls-trunk-transport-protocol-specification/  Each connection can be controlled by the remote endpoint.  Configuring your available ciphers and preference on the remote endpoint (customer device) will control which cipher is selected during the TLS handshake.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 16.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-02-2025 22:58

    Yes, it's BYOC Cloud.

    Ok, thanks for your explanation, but what is the purpose of that custom property? I don't understand: if there is no option to choose the ciphers offered by Genesys, why can we configure that custom property? And why does the platform check the value? Because as I said before, if I put, for example, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" I can save the configuration without any problem, but if I put "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" I receive an error.
    But don't worry, and thanks for your answer and explanation.

    Regards

    Pablo



    ------------------------------
    Pablo Barnech
    ------------------------------



  • 17.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-02-2025 23:04

    I assume that is a BYOC Premise property and we hide the UI configuration because it is not valid for BYOC Cloud but we don't prohibit setting the value based on the trunk type.  But it is not valid for BYOC Cloud and presumably ignored.  If it is rejecting that value it might not be an available cipher for BYOC Premise.  I will review with the team responsible and confirm.  



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 18.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-09-2025 07:28
    Edited by LAURA MARIA LAFUENTE VALLE 09-09-2025 07:59

    Hi Phil

    I have a similar situation with a particular ORG in Genesys Cloud for one of my customers. 

    We have two Generic BYOC PBX trunks between Ribbon SBCs and the Genesys Cloud platform and are very worried about the impact this deprecation will have on the customer's daily activities.

    According to Ribbon, they recommend using ECDHE ciphers with a compatible Key Share between Genesys and SBCs (secp384r1 if I understood correctly). Based on this, I found that the only compatible cipher suite between SBCs and Genesys meeting this requirement will be TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

    When I try to set this cipher suite in the Genesys trunk config screen, I get a "Validation error" and cannot save the config. Same situation as @Pablo Barnech explained earlier in this topic. So can you please help clarify how we can set up this suite then??



    ------------------------------
    LAURA MARIA LAFUENTE VALLE
    NA
    ------------------------------



  • 19.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-09-2025 10:42

    @LAURA MARIA LAFUENTE VALLE we are monitoring the cipher usage and are aware of the Ribbon compatibility issues.  We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks.  Although Genesys and Ribbon have a common TLS cipher, currently Genesys only supports the elliptical curve you mentioned, secp384r1, while Ribbon only supports the elliptical curve secp256r1.  This creates an incompatibility with that cipher, and is why we see those trunks using one of the ciphers we plan to deprecate.  Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device."  That is likely why you are seeing a validation error.  We will retain these ciphers in regions where we know they are being used to ensure these trunks continue to work until we can find a solution that allows for the deprecation.



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 20.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-11-2025 06:23
    Edited by LAURA MARIA LAFUENTE VALLE 09-11-2025 06:24

    Hi @Phil Whitener, thank you so much for your reply and help,

    however there's something I still don't understand.

    You said: Please note that BYOC Cloud trunks do not have any TLS cipher configuration and why the original post states: "Nothing needs to be changed in your Genesys Cloud configuration - the use of these ciphers is determined by your remote SIP endpoint; most likely a Session Border Controller (SBC), SIP Trunk, or carrier configuration, or carrier device."

    The thing is that on those same trunks I'm trying to update the config with the ECDHE suite, there's already a custom config set up with the following trunk_transport_tls_ciphers as list: "TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA"
    This is quite confusing, because you say that BYOC trunks do not have any TLS cipher configuration, but in my production setup I see that they actually have.

    Regarding this: " We will not eliminate the ciphers that are in use prior to a solution that allows for a transition for these trunks."
    Great, so can you confirm the announced deprecation date (22 Sept) will be postponed at least for Genesys-RIBBON SBC interop trunks??

    Again thank you,



    ------------------------------
    LAURA MARIA LAFUENTE VALLE
    Spain
    ------------------------------



  • 21.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-11-2025 10:37

    @LAURA MARIA LAFUENTE VALLE all of our trunk configuration has the same schema; some properties are used for all trunks, some are just used for premise trunks, and others are just used for cloud trunks.  In almost all cases, the items that are expected to be configured for a particular trunk show up as UI elements to configure; custom properties are not where settings are exposed.  In the case of the trunk cipher list, a selectable list appears on premise trunks because that configuration is available in that model; but that is not the case for cloud trunks, so that configuration is not exposed in the UI.  If a property gets updated that is not exposed in the UI, it will show up in the custom properties area; however, that does not imply it is doing anything.  In this case you set a property that is used for premise trunks on a cloud trunk and, although it is part of the schema, that property is ignored for cloud trunks.

    We are not postponing the deprecation date completely as we will begin to disable ciphers in regions where we have not seen any usage on that published date.  But yes, we will not remove the required cipher in regions where we see usage and will likely publish an additional date after we have a path forward for the Ribbon trunks.  



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 22.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-12-2025 09:22

    I'm hoping for a little clarity as we ran into the same situation in our org - we have BYOC Cloud and found that we also had TLS Ciphers being listed in the custom configuration on our trunks.  I opened a Genesys Support case to get more information about the configuration, and they advised this:

    "Question: Would removing the "custom" field cause TLS to fail?

     Answer:

    Removing the custom field would likely cause TLS to fail
    The custom field is essential for proper TLS configuration
    It's recommended to maintain the custom field with proper cipher configurations"

    Was Genesys Support wrong in this case and we should remove the custom configuration listing TLS Ciphers (as it's not actually doing anything)?

    Additionally, the announcement for this now lists a deprecation date of 11/17 (https://help.mypurecloud.com/announcements/deprecation-byoc-cloud-sip-tls-ciphers/).  Are you able to provide the list of regions where this may not be accurate if only some are being postponed?



    ------------------------------
    William Sparapani
    NA
    ------------------------------



  • 23.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 09-12-2025 11:20

    @William Sparapani leaving the custom properties will not cause any issue, but I confirmed that they are not used for BYOC Cloud trunks (but they are vital for BYOC Premise trunks).  It seems at some point we populated that value on BYOC Cloud trunks with default values as I confirmed my trunks that have been around a long time do now have that property show up in Custom properties; however, newer trunks no longer set a value and if you query the trunkBaseSettings via API the property is not present unless it was set manually.  I tested a BYOC Cloud trunk before and after removing the "trunk_transport_tls_ciphers" property and it worked the same both ways.  You do not need to remove the property as it is not causing any issue, but it is not needed.  If you prefer to remove it, ensure the trunk is a BYOC Cloud trunk, save the previous value (mine were set as "List" with three comma separated double quoted items: "TLS_RSA_WITH_AES_256_GCM_SHA384","TLS_RSA_WITH_AES_256_CBC_SHA256","TLS_RSA_WITH_AES_256_CBC_SHA"), for extra safety make the change after hours (even though the property is not used, it will still cause a configuration change to be pushed out), and test the trunk thoroughly following the change (inbound and outbound, etc).



    ------------------------------
    Phil Whitener
    Genesys - Employees
    ------------------------------



  • 24.  RE: BYOC Cloud TLS Cipher Deprecation - 2025

    Posted 10-02-2025 12:34

    Hello,

    For one of my clients, I am still receiving alerts from Genesys indicating that the org is still impacted by this deprecation.
    In the TLS trunk configuration, media tab, there is no trace of problematic ciphers, and the client has checked with their operator who apparently does not use them.
    Is there an easy way to identify the trunk(s) triggering the alert on your side?



    ------------------------------
    Amalric Villain
    ------------------------------