End of TLS 1.1 and legacy cipher support

Following industry best practices, DocuSign is scheduling the removal of certain ciphers on January 12th 2021 and the end of TLS 1.1 support on June 9th 2021.

The PCI Security Standards Council has mandated that companies that wish to remain PCI Data Security Standard (PCI DSS) compliant must have transitioned to TLS 1.2 by June of 2020.

TLS 1.1 and some legacy cipher suites are utilized by a small set of customers to support legacy integrations that utilize SOAP or REST APIs. These integrations will need to be updated to support secure, modern protocols and ciphers. This update is often as easy as recompiling the solution with updated libraries.

In addition to retiring the TLS 1.1 protocol, DocuSign will also remove a set of cipher suites which are no longer considered secure. This includes ciphers that have an insufficient key length to securely encrypt communications.

The ciphers to be retired include the following:

  • AES256-SHA
  • AES128-GCM-SHA256
  • RSA-AES-256-CBC-SHA256
  • RSA-AES-128-CBC-SHA256


All current internet browsers supported by DocuSign already default to newer versions of TLS, so this change will go unnoticed by web and mobile users. TLS 1.1 support has already been removed from docusign.com earlier this year.

Key Dates:


January 11th 2021: Legacy cipher deprecation in stage and demo environments.
February 8th 2021: Legacy cipher deprecation in production environments.

TLS 1.1:

May 11th 2021: TLS 1.1 will be deprecated in the demo environment.
June 8th 2021: TLS 1.1 will be deprecated in the production environment.
July 1st 2021: TLS 1.1 removal complete.

Read our Preparing for TLS 1.1 removal blog post for advice on how to implement these changes in your integrations.

Please contact DocuSign support with any additional questions.