IMPORTANT: Starting May 1, 2025, Salesforce will phase out RSA Key Exchanges for TLS connections.
Salesforce is enhancing Transport Layer Security (TLS) measures for customers. Starting May 1, 2025, Salesforce will no longer support RSA key exchanges for all incoming TLS connections. TLS 1.3 will become the preferred protocol for Salesforce, but TLS 1.2 will continue to be supported since it meets the requirement for Perfect Forward Secrecy (PFS). This decision is part of a broader effort to phase out legacy encryption methods in accordance with industry standards. Here’s how customers can prepare for the upcoming transition.
Why is Salesforce phasing out RSA key exchanges in favor of TLS 1.3?
To establish secure network connections, TLS performs a key exchange during the handshake. Historically, TLS has allowed a choice between a static RSA key exchange and an Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. However, there are a few risks to be aware of when using RSA key exchanges. A static RSA key exchange does not provide Perfect Forward Secrecy: if the server's private key is ever compromised, previously recorded sessions can be decrypted. Legacy encryption systems often have vulnerabilities, leading to an increased risk of data breaches, brute force attacks, and man-in-the-middle (MITM) attacks. To learn more about encryption, check out this article on What is Data Encryption, And How Does It Work.
So, why is Salesforce moving to TLS 1.3? Starting in September 2024, NIST recommends that applications support TLS 1.3 for its enhanced security features and its ability to support post-quantum cryptography. As part of our ongoing efforts to eliminate outdated encryption techniques, we’re discontinuing RSA key exchanges in favor of TLS 1.3.
Key benefits for customers
Salesforce’s implementation of TLS 1.3 for incoming connections to Hyperforce and organizations using the Salesforce Edge Network is a significant advancement in security, providing improved encryption.
This new process ensures that data transmitted between customers and Salesforce is more secure, reducing the risk of interception or unauthorized access:
- Always changing security keys: TLS 1.3 improves security by changing keys for every session, which guards against MITM and brute force attacks. By using a unique encryption key for each session, the impact of a compromised credential is limited to that session alone.
- Improved performance: Typically, handshakes involve verification and mutual agreements to establish secure connections between clients and servers. The TLS 1.3 protocol streamlines the handshake process to reduce latency (requires only one round trip as opposed to two) and overhead, which can lead to better performance and an improved user experience.
Customers can still use TLS 1.2 with compliant cipher suites. Sales Cloud, Service Cloud, and Experience Cloud support TLS 1.3 for all connections, providing enhanced security for those interactions when TLS 1.3 is used.
Next steps for Salesforce customers
To ensure a smooth transition and maintain compatibility with Salesforce services, customers need to make some adjustments to their software environment, specifically regarding Advanced Encryption Standard (AES). This will help avoid potential disruptions in network connections.
Step 1: Ensure compatibility with AES encryption
If you are using Sales Cloud, Service Cloud, or Experience Cloud, you’ll need to properly configure your encryption to make sure it’s compatible with your software environment. There are two options you can choose from to ensure your systems are secure and up to date before moving forward:
- Option 1: Check your Cipher Suites – Make sure your software environment supports AES encryption with either 128-bit or 256-bit keys, using the ECDHE key exchange.
  - Use Galois Counter Mode (GCM): If available, opt for the GCM block cipher mode. It’s a modern and secure way to encrypt your data.
- Option 2: Fallback Option – If your software environment doesn’t support GCM, you can use the Cipher Block Chaining (CBC) mode for compatibility. It’s not as advanced as GCM but will keep your data secure.
NOTE: Moving away from RSA key exchanges also means phasing out older AES cipher suites that use SHA-1 signatures. Starting on May 1, 2025, Salesforce plans to only support cipher suites with SHA-2 signatures, either 256 bits or 384 bits. For a list of supported cipher suites, please read this help article.
Step 2: Enable TLS 1.3 or ECDHE
Now that you’ve configured your encryption settings, here’s how you can turn on TLS 1.3 or ECDHE key exchanges. We’ll require customers to enable either TLS 1.3 or ECDHE key exchanges for this upcoming change by May 1, 2025. TLS 1.3 is preferred. Once you’re ready to enable TLS 1.3 or ECDHE, follow these steps:
- Step 1: Turn on either TLS 1.3 or ECDHE within your software environment to become compatible with this change. Go to your Login History and create a custom list view that shows logins where TLS Cipher Suite does not contain “ECDHE” and the protocol is “TLSv1.2” (shown in the image above). Conveniently, TLS 1.3 does not have cipher suites using RSA key exchanges. The logins displayed in this list view are unlikely to work after May 1, 2025.
- Step 2: Review your Salesforce organization’s login history to ensure the TLS Cipher Suite only shows entries that contain “ECDHE” when the protocol is “TLSv1.2”.
- Step 3: Once RSA key exchanges are disabled in your software environment, the Salesforce login history should not show cipher suites like AES256-SHA256 or AES256-SHA. All logins with “TLSv1.3” as the protocol implicitly use ECDHE key exchanges. We recommend that you test this change in a sandbox before you update production. Refer to this knowledge article for additional instructions.
Note: Turning off RSA key exchanges may disrupt TLS connections behind such logins. If you encounter disruptions, reach out to support via Salesforce Help.
Note: If you’re a GovCloud customer, there’s no change required from your end. For details, see the Supported Cipher and TLS versions for Government Cloud article.
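One way to run the login history review from the steps above offline, as an added example that is not Salesforce code: it classifies rows of a Login History export using this page's rules (TLSv1.2 without “ECDHE”, and SHA-1 suites). The CSV column headers and sample rows are constructed assumptions; adjust them to match your export.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Column headers and rows are assumptions for
# illustration, not real Salesforce data.
SAMPLE_CSV = """Username,Login Time,TLS Protocol,TLS Cipher Suite
api.integration@example.com,2025-03-01 10:00:00,TLSv1.2,AES256-SHA256
legacy.batch@example.com,2025-03-01 10:05:00,TLSv1.2,AES256-SHA
old.client@example.com,2025-03-01 10:07:00,TLSv1.2,ECDHE-RSA-AES256-SHA
web.user@example.com,2025-03-01 10:10:00,TLSv1.2,ECDHE-RSA-AES256-GCM-SHA384
web.user@example.com,2025-03-01 10:12:00,TLSv1.3,TLS_AES_256_GCM_SHA384
"""


def classify(protocol, suite):
    """Return 'ok', 'no_ecdhe', 'sha1' or 'review' for one login row."""
    protocol, suite = protocol.strip(), suite.strip().upper()
    if protocol == "TLSv1.3":
        return "ok"        # TLS 1.3 has no RSA key exchange suites
    if protocol != "TLSv1.2":
        return "review"    # protocol value this page does not cover
    if "ECDHE" not in suite:
        return "no_ecdhe"  # same filter as the custom list view in Step 1
    if suite.endswith("-SHA"):
        return "sha1"      # SHA-1 suite, phased out per the page's SHA-2 note
    return "ok"


def at_risk_logins(csv_text):
    """Map username -> sorted list of (reason, cipher suite) needing action."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = classify(row["TLS Protocol"], row["TLS Cipher Suite"])
        if reason != "ok":
            findings[row["Username"]].add((reason, row["TLS Cipher Suite"]))
    return {user: sorted(items) for user, items in findings.items()}


if __name__ == "__main__":
    for user, items in sorted(at_risk_logins(SAMPLE_CSV).items()):
        for reason, suite in items:
            print(f"{user}: {suite} -> {reason}")
```

Grouping by username points at the integration or client that needs reconfiguring, rather than at individual login events.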
Learn more about this important security change
The decision to deprecate RSA key exchanges is part of a strategic initiative to enhance overall security by retiring outdated encryption methods. If you have further questions or need help with the process, please contact Support via Salesforce Help.