TLS 1.0 and 1.1 disablement on the Pexip Service

In line with best practice described in IETF RFC 8996 we have removed support for TLS 1.0 and 1.1. This change, implemented in May 2022, affects provisioning of registered hardware video endpoints, and all SIP call scenarios, including calls from devices that are not registered with the Pexip Service.

Impact of the change

Any devices that are still running TLS 1.0 or 1.1 can no longer register with the service, and any unregistered devices (i.e. any using a different call control) may not be able to connect to calls or may connect unencrypted.

If your device doesn't support TLS 1.2:

  • You may need to upgrade the firmware to a version that supports TLS 1.2.
  • It may be that your hardware video endpoint is not capable of supporting TLS 1.2 in which case we recommend contacting your partner to discuss the options available.

Please note the service automatically negotiates with your hardware video endpoint to determine which TLS version to use so you do not need to change your device's TLS configuration. If you set your device to use a specific version of TLS it may stop working with the service.

Known impacts

If your hardware video endpoint is not listed below, you must check your device as shown in the diagram.

These endpoints are not capable of running TLS 1.2 and need to be replaced:

  • Cisco MXP
  • Cisco E20

These devices need to have their firmware updated:

  • Cisco devices with software older than TC7.3.11
  • Cisco devices with software older than CE9.1.3

  • Polycom HDX with software older than v3.1.7
  • Polycom Group series with software older than v5.0.0

For more information about Cisco products' compatibility with TLS 1.2, see Cisco's TLS 1.2 Compatibility Matrix for Cisco Collaboration Products.

Summary of different scenarios

Here's an outline of the call and registration scenarios resulting from this change.

Pexip customers and guests from other organizations:

  • When using a device that supports TLS 1.2 and is configured to use encryption "when possible" or "always", the connection to the service will always use TLS 1.2.
  • If using an unregistered SIP device that's running TLS 1.0 or 1.1:

    • If configured to use encryption when possible, the device will connect to the service with encryption off. The other participant connections will stay encrypted, but the conference itself is potentially compromised if the traffic to that unencrypted participant is intercepted.
    • If configured to use encryption always, the device will not be able to connect to the service.

Pexip customers only:

  • If using a device that's registered with the service but not capable of using TLS 1.2, it will stop working with the service.
  • If you want to activate and provision a device with the service, it needs to support TLS 1.2.