TLS 1.0 and 1.1 disablement on the Pexip Service

In line with best practice described in IETF RFC 8996 we are removing support for TLS 1.0 and 1.1. This change affects provisioning of registered hardware video endpoints, and all SIP call scenarios, including calls from devices that are not registered with the Pexip Service.

This change took effect from 30th April 2022 and we expect the full rollout to take approximately one month, after which time TLS 1.0 and 1.1 will be fully disabled for all endpoints.

Preparing for the change

You must check if any of your Pexip-registered or unregistered hardware video endpoints are running firmware that doesn't support TLS 1.2. If so, you must have taken action prior to 30th April 2022 to ensure that your device continues to work on the service.

Registered devices that are still running TLS 1.0 or 1.1 will stop working with the service, and unregistered devices (i.e. any using a different call control) may not be able to connect to calls or may connect unencrypted.

If your device doesn't currently support TLS 1.2:

  • You may need to upgrade the firmware to a version that supports TLS 1.2.
  • It may be that your hardware video endpoint is not capable of supporting TLS 1.2 in which case we recommend contacting your partner to discuss the options available.

Please note the service automatically negotiates with your hardware video endpoint to determine which TLS version to use so you do not need to change your device's TLS configuration. If you set your device to use a specific version of TLS it may stop working with the service.

Known impacts

If your hardware video endpoint is not listed below, you must check your device as shown in the diagram.

These endpoints are not capable of running TLS 1.2 and need to be replaced:

  • Cisco MXP
  • Cisco E20

These devices need to have their firmware updated:

  • Cisco devices with software older than TC7.3.11
  • Cisco devices with software older than CE9.1.3

  • Polycom HDX with software older than v3.1.7
  • Polycom Group series with software older than v5.0.0

For more information about Cisco products' compatibility with TLS 1.2, see Cisco's TLS 1.2 Compatibility Matrix for Cisco Collaboration Products.

Summary of different scenarios

Here's an outline of what to expect in different scenarios from 30th April 2022.

Pexip customers and guests from other organizations:

  • When using a device that supports TLS 1.2 and is configured to use encryption "when possible" or "always", the connection to the service will always use TLS 1.2.
  • If using an unregistered SIP device that's running TLS 1.0 or 1.1:
    • if configured to use encryption when possible, the device will connect to the service with encryption off,
    • if configured to use encryption always, the device will not be able to connect to the service.

Pexip customers only:

  • If using a device that's registered with the service but not capable of using TLS 1.2, it will stop working with the service.
  • If you want to activate and provision a device with the service, it needs to support TLS 1.2.

For more advice we recommend contacting your partner to discuss the options available.