End of TLS 1.1 and weak cipher support

Following industry best practices, DocuSign is scheduling the removal of certain weak ciphers on January 12th 2021 and the end of TLSv1.1 support on June 9th 2021.

The PCI Security Standards Council has mandated that companies wishing to remain PCI Data Security Standard (PCI DSS) compliant must have transitioned to TLS 1.2 by June of 2020, and they have already done so.

TLSv1.1 and some weak cipher suites are used by a small set of customers to support legacy integrations built on the SOAP or REST APIs. These integrations will need to be updated to support secure, modern protocols and ciphers; this is often as easy as recompiling the solution with updated libraries.

In addition to retiring the insecure TLSv1.1 protocol, DocuSign will also remove a set of cipher suites which are no longer considered secure. This includes ciphers that have an insufficient key length to securely encrypt communications.

The ciphers to be retired include the following:

  • AES256-SHA
  • AES128-GCM-SHA256
  • RSA-AES-256-CBC-SHA256
  • RSA-AES-128-CBC-SHA256
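
An added example (not DocuSign code) that audits a Python client's TLS settings against the changes described above. The helpers `audit` and `audit_context` are hypothetical, and the OpenSSL names given for the two CBC-SHA256 suites are an assumed mapping of the names used in the list.

```python
import ssl

# Retired suites as named in the list above, mapped to OpenSSL cipher names.
# The first two already are OpenSSL names; the last two mappings are assumptions.
RETIRED = {
    "AES256-SHA": "AES256-SHA",
    "AES128-GCM-SHA256": "AES128-GCM-SHA256",
    "RSA-AES-256-CBC-SHA256": "AES256-SHA256",
    "RSA-AES-128-CBC-SHA256": "AES128-SHA256",
}


def audit(min_version, offered):
    """Check a client's minimum TLS version and offered cipher names.

    min_version: an ssl.TLSVersion value.
    offered: OpenSSL cipher names the client is configured to offer.
    """
    retired_names = set(RETIRED.values())
    retired_offered = sorted(c for c in offered if c in retired_names)
    remaining = [c for c in offered if c not in retired_names]
    return {
        # True means the client may still fall back to TLS 1.1 or older.
        "allows_tls_1_1_or_older": min_version < ssl.TLSVersion.TLSv1_2,
        # Retired suites the client still offers (harmless if others remain).
        "retired_offered": retired_offered,
        # True means no offered suite survives the removal.
        "only_retired": bool(offered) and not remaining,
    }


def audit_context(ctx):
    """Run the same audit against a live ssl.SSLContext."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return audit(ctx.minimum_version, names)


if __name__ == "__main__":
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.1 and older
    for key, value in audit_context(ctx).items():
        print(f"{key}: {value}")
```

A client that reports `only_retired` as true, or that cannot raise its minimum version to TLS 1.2, is the kind of legacy integration that needs updated libraries before the dates below.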


All current internet browsers supported by DocuSign already default to newer versions of TLS, so this change will go unnoticed by web and mobile users. TLS 1.1 support was already removed from docusign.com earlier this year.

Key Dates:


Weak ciphers:

December 14th 2020: Weak cipher deprecation in stage and demo environments.
January 12th 2021: Weak cipher deprecation in production environments.

TLS 1.1:

May 11th 2021: TLS 1.1 will be deprecated in the demo environment.
June 8th 2021: TLS 1.1 will be deprecated in the production environment.
July 1st 2021: TLS 1.1 removal complete.

Read our Preparing for TLS 1.1 removal blog post for advice on how to implement these changes in your integrations.

Please contact DocuSign support with any additional questions.