On September 29, 2023, Zoom plans to end support for certain cipher suites for Session Initiation Protocol (SIP) connections using Transport Layer Security (TLS) to the Zoom Conference Room Connector (CRC). This change will help enhance the security of your data transmissions and help protect the confidentiality, integrity, and authenticity of your communications. 

This article covers:

• Changes to SIP TLS ciphers
  • Deprecated SIP TLS ciphers
  • Supported SIP TLS ciphers
• What CRC connection types are impacted?
• How can I check whether my SIP/H.323 devices will be impacted?
• How can I perform a confirmation test with my SIP/H.323 device?
  • If the call fails to connect
  • If the calls connect successfully
• What to do if my SIP/H.323 device is impacted?

Changes to SIP TLS ciphers

The SIP TLS cipher change will be deployed on September 29, 2023.

Deprecated SIP TLS ciphers

The following ciphers will no longer be supported or accepted for SIP TLS connections to Zoom CRC:

• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-CHACHA20-POLY1305
• DHE-RSA-AES128-GCM-SHA256

Supported SIP TLS ciphers

After the change, the following ciphers will be supported and accepted for SIP TLS connections to Zoom CRC:

• TLS_AES_256_GCM_SHA384
• TLS_AES_128_GCM_SHA256
• TLS_CHACHA20_POLY1305_SHA256
• ECDHE-ECDSA-AES256-GCM-SHA384
• ECDHE-ECDSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-ECDSA-CHACHA20-POLY1305
• ECDHE-RSA-CHACHA20-POLY1305

What CRC connection types are impacted?

This change only applies to connections utilizing SIP TLS, while connections utilizing SIP UDP, SIP TCP, and H.323 are unaffected. However, Zoom recommends using SIP TLS for increased security of your connections to Zoom's Conference Room Connector service. 

How can I check whether my SIP/H.323 devices will be impacted? 

Zoom understands that this change may have an impact on your systems or integrations that use Zoom CRC services. Zoom performed testing with a variety of common SIP/H.323 conference room equipment to ensure the SIP TLS cipher support changes will not affect their ability to connect to Zoom meetings through Zoom CRC using SIP TLS. Zoom performed the tests with SIP/H.323 conference room equipment using the most recently released device vendor firmware. Zoom tested each device by making direct calls to Zoom CRC with SIP TLS as the configured call protocol. The following device/firmware combinations successfully connected to Zoom CRC using SIP TLS with supported SIP TLS ciphers:

• Cisco EX-series, C-series, and MX-series "generation 1" devices using firmware TC7.3.21
• Cisco DX-series, SX-series, and MX-series "generation 2" devices using firmware CE9.15.17.4
• Cisco Room-series, Desk-series, and Board-series devices using firmware RoomOS 10.19.5.6 (on-premises) or 10.20.1.6 (cloud-registered)
• Cisco Room-series, Desk-series, and Board-series devices using firmware RoomOS 11.1.4.1 and greater (on-premises) or 11.4.1.8 and greater (cloud-registered)
• Polycom HDX devices using firmware 3.1.7 and greater
• Polycom RealPresence Group-series devices using firmware 6.1.7.2 and greater
• Polycom Trio devices (including Visual Plus and Visual Pro configurations) using firmware 7.2.6-0019

Zoom encourages you to review your SIP/H.323 conference room devices to ensure they meet these requirements. Zoom recommends updating your devices, if necessary, to ensure they are supported with Zoom CRC.

If your device, application, or platform is not listed above, and uses SIP, specifically SIP over TLS, to connect to Zoom CRC, consult your vendor’s documentation or contact your vendor’s support services to determine the ciphers your device, application, or platform supports when connecting as a client, using SIP TLS.

How can I perform a confirmation test with my SIP/H.323 device?

From a SIP/H.323 device that is configured to use SIP TLS to connect to Zoom CRC, dial the SIP URI "0@dvgo.zmus.us" to connect to a Zoom CRC test service. The Zoom CRC services at dvgo.zmus.us will only accept the new supported SIP TLS ciphers.

If the call fails to connect

A failure to connect may be due to the change of supported SIP TLS ciphers. Review your SIP/H.323 device's logs to confirm why the call failed (e.g. couldn't create TLS connection, indicating a SIP TLS cipher support issue). If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible the failure is not on the SIP/H.323 device itself, but is somewhere along the call path. Review your infrastructure logs to confirm why the call failed.

If the calls connect successfully

If your SIP/H.323 device connects to the Zoom CRC video IVR and is prompted to enter a meeting ID, the device was likely able to negotiate a SIP TLS connection using the supported SIP TLS ciphers. In this case, you don't need to actually join a meeting. This is due to the fact that the device connected to the video IVR and received audio/video, which is sufficient to test SIP TLS cipher support.

However, Zoom recommends that you look at the SIP/H.323 device's logs to ensure it actually connected over SIP TLS, and did not fall back to SIP over TCP, SIP over UDP, or H.323 connection methods. If the device is not dialing directly to Zoom CRC, e.g. it is registered to on-premises or 3rd party cloud infrastructure, it is also possible a fall-back occurred somewhere along the call path. In this case, review your infrastructure logs to confirm the call is connected using SIP TLS.

What to do if my SIP/H.323 device is impacted?

While you may optionally configure your device, application, or platform to use SIP UDP, SIP TCP, or H.323 to connect to the Conference Room Connector, however, Zoom recommends using SIP TLS. If SIP TLS connectivity is not possible due to a lack of support from your device, application, or platform vendor, you can leverage hardware that supports Zoom Rooms.