Transport Layer Security (TLS) 1.0 and 1.1 to be deprecated on all Symantec VIP URLs

Article ID: 245528

Products

VIP Service

Issue/Introduction

VIP service will disable TLS 1.0 and 1.1 protocols on all VIP endpoints and APIs. After this change, only TLS 1.2 and TLS 1.3 protocols will be supported on VIP API URLs, including Enterprise Gateway and VIP Web Service API endpoints. TLS 1.2 will be supported on VIP Web portals.

Resolution

Transport Layer Security (TLS) v1.0, 1.1, and 1.2 are security protocols for establishing encrypted channels over computer networks. The VIP API URL endpoints currently support all three of these protocols. Due to evolving regulatory requirements, and as part of Broadcom's continuous effort to maximize the security of our platforms, TLS v1.0 and v1.1 will be disabled on all VIP URLs. TLS v1.2 will remain the only supported TLS version on the VIP Web Portals, and TLS v1.2 and 1.3 will be supported on the VIP API endpoints.

TLS 1.2 and 1.3 will be the supported protocols on the following VIP API endpoints:

  • services-auth.vip.symantec.com
  • services.vip.symantec.com
  • userservices-auth.vip.symantec.com
  • userservices.vip.symantec.com
  • goidservices-auth.vip.symantec.com
  • liveupdate.symantecliveupdate.com
  • liveupdate.symantec.com
  • api-auth.vip.symantec.com 
  • reporting-auth.vip.symantec.com
  • login.vip.symantec.com
  • messaging.vip.symantec.com
  • services-auth.vip.symantec.com/prov/soap

TLS 1.2 will be the supported protocol on the following VIP Web URLs:

  • manager.vip.symantec.com (VIP Manager)
  • ssp.vip.symantec.com (VIP Self-Service Portal)
  • my.vip.symantec.com (My VIP)
  • vip.symantec.com (VIP token information)

What do I need to do?

  • VIP Enterprise Gateway - Version 9.8.4 and later supports TLS 1.2. Version 9.8.3 or older does not support TLS 1.2 and must be upgraded. Symantec recommends upgrading to version 9.9.2 or later.
  • VIP Service APIs - If your application consumes a VIP URL, confirm that each component involved in connecting to the VIP API endpoints is upgraded and configured to use TLSv1.2 and strong cipher suites. TLS 1.2 must be supported by the operating system, the operating system’s SSL libraries, application server security components, network proxy, firewall, SOAP/REST agents, and platform (Java and Java libraries, .NET framework, OpenSSL, PHP, Python, etc.). Always consult your software package documentation and IT support staff or vendor before making any changes. VIP API WSDL files do not need to be upgraded for this change.
  • VIP Integrations - Upgrade any VIP integration or plugin to the latest available version in VIP Manager. This includes the VIP integration for AD FS, IIS, Oracle, and Epic.

What Cipher Suites will be supported?

In preferred order:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)

How can I be notified of the VIP changes?
Receive notifications by subscribing to the Symantec VIP status page. Click Subscribe at the top of the page, select the delivery method, then select all sub-components under VIP. De-select other components if you don't want notifications from those products. (See: Signing up for VIP Service alerts.)

Have additional questions?
If you have further questions or need technical support:

  • Contact your Broadcom Account Team.
  • Open a Symantec Technical Support Case: https://support.broadcom.com/security
  • Post questions to the VIP community discussion room.

Additional Information

TESTING TLS 1.2 CONNECTIVITY

To avoid a service interruption, perform connection tests from any VIP server within your environment prior to the change and take immediate action if TLS 1.0 or TLS 1.1 is used when connecting to VIP Services.

METHOD 1

Use Wireshark (or another packet capturing tool) to determine what protocol is used when your application connects to VIP Services:

  • Determine the VIP URL in the application and the IP address it resolves to. In this example, the VIP plugin for AD FS is calling userservices-auth.vip.symantec.com: 

  • Launch Wireshark. While capturing traffic, perform a successful VIP Authentication, then filter the results by the IP address.

    Sample of supported TLS 1.2 before and after October 2022 TLS update:

    Sample of unsupported TLS 1.1 after October 2022 TLS update. Action required:

METHOD 2

  • Using your existing VIP Service client, send test traffic to one of the following VIP end-points:

-- For https://services-auth.vip.symantec.com/, send traffic to https://ssl-test.services-auth.vip.symantec.com
-- For https://userservices-auth.vip.symantec.com/, send traffic to https://ssl-test.userservices-auth.vip.symantec.com/

  • Open a VIP support case and provide the transaction request ID (if available) and the public IP address used to send the request to the VIP Cloud.
  • VIP support will provide the following within 48 hours:
    • The endpoint the request was sent to 
    • The public IP address the request was received from at the VIP front end.
    • The protocol and cipher suite used by your client.
  • Revert all traffic back to the original URL. 
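
A client-side check to run alongside the two methods above, as an added example (not Broadcom's code): it matches the cipher suite IDs listed earlier on this page against what the local Python/OpenSSL runtime will offer with TLS 1.0/1.1 refused, and can report the version and cipher negotiated in a bare handshake. The function names are illustrative, and the result describes only this Python runtime, not a Java, .NET or gateway component elsewhere in your path.

```python
import socket
import ssl

# IDs and names copied from the cipher suite list on this page, in its preferred order.
VIP_SUITES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0084: "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0041: "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
}

def tls12_context():
    """Client context that verifies certificates and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def locally_offered(ctx=None):
    """Page-listed suites this runtime will offer, in the page's order."""
    if ctx is None:
        ctx = tls12_context()
    # OpenSSL reports 0x0300XXXX; the low 16 bits are the IANA suite ID.
    local_ids = {c["id"] & 0xFFFF for c in ctx.get_ciphers()}
    return [name for sid, name in VIP_SUITES.items() if sid in local_ids]

def probe(host, port=443, timeout=10):
    """Handshake only (no VIP request is sent); returns (version, cipher)."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with tls12_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    print("Locally offered VIP suites:", locally_offered())
    # Test endpoint named under METHOD 2 above.
    print(probe("ssl-test.userservices-auth.vip.symantec.com"))
```

An empty list from `locally_offered()` means this runtime shares no TLS 1.2 suite with the list above and needs an OpenSSL or configuration update before the change.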

Additional testing of push/OTP:

You can check whether your push or OTP requests are failing or succeeding in VIP Manager > Reports > VIP End User Transaction Report.