From Microsoft Corporation
Technical Bulletin MC297438 · Published Nov 10, 2021 · Last updated Dec 14, 2021
Action required by Feb 1, 2022
Updated December 14, 2021: We have updated the timing below to provide additional time to take action.
We’re making some changes to Direct Routing SIP interface.
On February 1st, 2022 (previously January 3rd 2022), to provide the best-in-class encryption to our customers, we will begin retiring Transport Layer Security (TLS) versions 1.0 and 1.1 and begin obligating TLS1.2 usage for the Direct Routing SIP interface.
- The move to TLS 1.2 is to ensure that our service is secure by default and in alignment with the rest of Microsoft 365 services as previously communicated (MC126199 in Dec 2017, MC128929 in Feb 2018, MC186827 in July 2019, MC218794 in July 2020, MC240160 in February 2021, and MC292797 in October 2021).
Note: If your organization has already taken steps to migrate from TLS 1.0 and 1.1, you can safely disregard this message.
How this will affect your organization:
To provide the best-in-class encryption to our customers, we will be retiring Transport Layer Security (TLS) versions 1.0 and 1.1 beginning February 1st, 2022 (previously January 3rd, 2022) and will begin forcing TLS1.2 usage for the Direct Routing SIP interface.
- To avoid any service impact, please make sure that your SBCs are configured to support TLS 1.2 and are able to connect using one of the following cipher suites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 i.e. ECDHE-RSA-AES256-GCM-SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 i.e. ECDHE-RSA-AES128-GCM-SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 i.e. ECDHE-RSA-AES256-SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 i.e. ECDHE-RSA-AES128-SHA256
What you need to do to prepare:
Review your SBCs and ensure they are configured to support TLS 1.2.