Skip to Content
0%

Salesforce Recommends Transitioning from RSA Key Exchanges to TLS 1.3

Transitioning to TLS 1.3 enhances both security and network performance.
Transitioning to TLS 1.3 enhances both security and network performance.

Salesforce strongly recommends that customers transition from RSA key exchanges to TLS 1.3 for more secure connections. Learn how this change strengthens your organization’s security posture.

To uphold our commitment to customer trust, Salesforce strongly recommends that customers transition from RSA key exchanges to TLS 1.3, a more enhanced Transport Layer Security (TLS) measure. TLS is a widely used protocol that encrypts data and verifies the identities of users and servers communicating online, and TLS 1.3 offers superior security and performance benefits to customers.

While Salesforce strongly recommends transitioning to TLS 1.3 and modern encryption methods, TLS 1.2 will remain supported, as it meets the requirements for Perfect Forward Secrecy (PFS). While we’ll still support RSA key exchanges for all incoming TLS connections, using RSA exchanges can affect the security and efficiency of your network communications.

Here’s how customers, especially admins, can prepare accordingly.

Why does Salesforce recommend TLS 1.3 over RSA keys?

To establish secure network connections, TLS uses key exchanges during the handshake process. Historically, TLS has allowed the choice of either static RSA keys or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) keys for this exchange. However, there are a few risks to be aware of when using RSA keys. Legacy encryption systems often have vulnerabilities, leading to an increased risk of data breaches, brute force attacks, and man-in-the-middle (MITM) attacks. To learn more about encryption, check out this article on What is Data Encryption, And How Does It Work

So, why does Salesforce recommend moving to TLS 1.3? Starting in September 2024, NIST recommends that applications support TLS 1.3 for its enhanced security features and its ability to support post-quantum cryptography. As part of our ongoing efforts to eliminate outdated encryption techniques, we’re advising customers to discontinue the use of RSA keys in favor of TLS 1.3.

Key benefits for customers

Salesforce’s implementation of TLS 1.3 for incoming connections to Hyperforce and organizations using the Salesforce Edge Network is a significant advancement in security, providing improved encryption.

This new process ensures that data transmitted between customers and Salesforce is more secure, reducing the risk of interception or unauthorized access:

  • Always changing security keys: TLS 1.3 improves security by changing keys for every session, which guards against MITM and brute force attacks. By using a unique encryption key for each session, the impact of a compromised credential is limited to that session alone.
  • Improved performance: Typically, handshakes involve verification and mutual agreements to establish secure connections between clients and servers. The TLS 1.3 protocol streamlines the handshake process to reduce latency (requires only one round trip as opposed to two) and overhead, which can lead to better performance and an improved user experience.

Next steps for Salesforce customers

To ensure a smooth transition to TLS 1.3, it’s recommended that customers review and adjust their software environment, especially when it comes to Advanced Encryption Standard (AES). Making the adjustments now will help maintain strong and uninterrupted network connections.

Step 1: Ensure compatibility with AES encryption

If you’re using Sales Cloud, Service Cloud, or Experience Cloud, you’ll need to properly configure your encryption to make sure it’s compatible with your software environment. There are two options customers can choose from to ensure your systems are secure and up-to-date before moving forward:

  • Option 1: Check your Cipher Suites – Make sure your software environment supports AES encryption with either 128-bit or 256-bit keys, using the ECDHE key exchange.
    • Use Galois Counter Mode (GCM): If available, opt for the GCM block cipher mode. It’s a modern and secure way to encrypt your data.
  • Option 2: Fallback Option – If your software environment doesn’t support GCM, you can use the Cipher Block Chaining (CBC) mode for compatibility. It’s not as advanced as GCM but will keep your data secure.

Step 2: Enable TLS 1.3 or ECDHE

Transport Lay Security settings in Login History view / Salesforce product

Now that you’ve configured your encryption settings, here’s how you can turn on TLS 1.3 or ECDHE key exchanges. We strongly encourage customers to choose one of these options to ensure secure network performance. Once you’re ready to enable TLS 1.3 or ECDHE, follow these steps:

  • Step 1: Turn on either TLS 1.3 or ECDHE within your software environment to become compatible with this new change. Go to your Login History to create a custom list view to show logins where TLS Cipher Suite doesn’t contain “ECDHE” but uses “TLSv1.2” (shown in above image). Conveniently, TLS 1.3 doesn’t have cipher suites using RSA key exchanges.
  • Step 2: Review your Salesforce organization’s login history to ensure the TLS Cipher Suite only shows entries that contain “ECDHE” when the protocol is “TLSv1.2”. 
  • Step 3: Once RSA keys are disabled in your software environment, the Salesforce login history shouldn’t show cipher suites like AES256-SHA256 or AES256-SHA. All logins with “TLSv1.3” as the protocol implicitly use ECDHE key exchanges. We recommend that you test this change in a sandbox before you update production. Refer to this knowledge article for additional instructions.

Note: Turning off RSA key exchanges may disrupt TLS connections behind such logins. If you encounter disruptions, reach out to support via Salesforce Help

Note: If you’re a GovCloud customer, there’s no change required from your end. For details, see the Supported Cipher and TLS versions for Government Cloud article.

Learn more about this important security recommendation

Transitioning to TLS 1.3 enhances both security and network performance. It offers stronger protection for your data, faster connections, and improved encryption–all key factors in strengthening your overall security infrastructure. Have more questions? Check out our knowledge article or reach out to Support through Salesforce Help.

Security best practices

Trust is our #1 value. Explore our resources to learn about our security best practices.

Get the latest articles in your inbox.