Transport Layer Security (TLS) 1.0 and 1.1 to be deprecated on all Symantec VIP URLs
search cancel

Transport Layer Security (TLS) 1.0 and 1.1 to be deprecated on all Symantec VIP URLs


Article ID: 245528


Updated On:


VIP Service


VIP  service will disable TLS 1.0 and 1.1 protocols on all VIP endpoints and APIs. After this change, only TLS 1.2 and TLS 1.3 protocols will be supported on VIP API URLs, including Enterprise Gateway and VIP Web Service API endpoints. TLS 1.2 will be supported on VIP Web portals.


Transport Layer Security (TLS) v1.0, 1.1, and 1.2 are security protocols for establishing encryption channels over computer networks. The VIP API URL endpoints currently support all 3 of these protocols. Due to evolving regulatory requirements, and as part of Broadcom's continuous effort to maximize the security of our platforms, TLS v1.0 and v1.1 will be disabled on all VIP URLs. TLS v1.2 will remain the only supported TLS version on the VIP Web Portals, and TLS v1.2 and 1.3 will be supported on the VIP API endpoints.  

TLS 1.2 and 1.3 will be the supported protocols on the following VIP API endpoints:


TLS 1.2 will be the supported protocol on the following VIP Web URLs:

  • (VIP Manager)
  • (VIP Self-Service Portal)
  • (My VIP)
  • (VIP token information)

What do I need to do?

  • VIP Enterprise Gateway - Version 9.8.4 and later supports TLS 1.2. Version 9.8.3 or older does not support TLS 1.2 and must be upgraded. Symantec recommends upgrading to version 9.9.2 or later.
  • VIP Service APIs - If your application consumes a VIP URL, confirm that each component involved in connecting to the VIP API endpoints is upgraded and configured to use TLSv1.2 and strong cipher suites. TLS 1.2 must be supported by the operating system, operating system’s SSL libraries, application server security components, network proxy, firewall, SOAP\REST agents, and platform (Java and Java libraries, .NET framework, OpenSSL, PHP, Python, etc). Always consult your software package documentation and IT support staff or vendor before making any changes. VIP API WSDL files do not need to be upgraded for this change.  
  • VIP Integrations - Upgrade any VIP integration or plugin to the latest available version in VIP Manager. This includes the VIP integration for AD FS, IIS, Oracle, and Epic.

What Cipher Suites will be supported?

In preferred order:
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)

How can I be notified of the VIP changes?
Receive notifications by subscribing to the Symantec VIP status page. Click Subscribe at the top of the page, select the delivery method, then select all sub-components under VIP. De-select other components if you don't want notifications from those products. (See: Signing up for VIP Service alerts

Have additional questions?
If you have further questions or need technical support:

Contact your Broadcom Account Team.
Open a Symantec Technical Support Case:
Post questions to the VIP community discussion room.

Additional Information


To avoid a service interruption, perform connection tests from any VIP server within your environment prior to the change and take immediate action if TLS 1.0 or TLS 1.1 is used when connecting to VIP Services.


Use Wireshark (or another packet capturing tool) to determine what protocol is used when your application connects to VIP Services:

  • Determine the VIP URL in the application and the IP address it resolves to. In this example, the VIP plugin for AD FS is calling 

  • Launch Wireshark. While capturing traffic, perform a successful VIP Authentication, then filter the results by the IP address.

    Sample of supported TLS 1.2 before and after October 2022 TLS update:

  • Sample of unsupported TLS 1.1 after October 2022 TLS update. Action required:


  • Using your existing VIP Service client, send test traffic to one of the following VIP end-points:

-- For, send traffic to
-- For, send traffic to

  • Open a VIP support case and provide the transaction request ID (if available) and the public IP address used to send the request to the VIP Cloud.
  • VIP support will provide the following within 48 hours:
    • The endpoint the request was sent to 
    • The public IP address the request was received from at the VIP front end.
    • The protocol and cipher suite client used by your client. 
  • Revert all traffic back to the original URL. 

Additional testing of push/OTP:

You can check your push or OTP requests status from VIP Manager > Reports > VIP End User Transaction Report if it's failing or getting success.