Vercel deprecates DHE cipher suite for TLS; legacy encryption support ending June 30

Upcoming Change

On June 30th, 2026, Vercel will discontinue support for the DHE-RSA-AES256-GCM-SHA384 cipher suite for TLS connections to its CDN and hosting infrastructure.

Impact

After this date, TLS 1.2 clients will only be able to connect using one of these supported cipher suites:

ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-CHACHA20-POLY1305
ECDHE-RSA-CHACHA20-POLY1305

Modern clients and all TLS 1.3 connections are unaffected by this change. The DHE cipher is primarily used by legacy systems, security scanners, and clients with non-standard TLS configurations.

Action Required

If you operate integrations or automated systems that connect to Vercel-hosted domains over TLS 1.2:

Verify your TLS client supports at least one of the six remaining cipher suites
Update any non-standard TLS configurations if necessary

Most modern TLS libraries (OpenSSL, Java, Go, Node.js, etc.) support these ECDHE-based ciphers by default, so no action is needed for standard deployments.

Upcoming Change

Impact

Action Required

Products

Tags

Published

Source

Related News