Azure IoT Hub
An Azure service that enables bidirectional communication between internet of things (IoT) devices and applications.
Azure IotHub TLS 1.2 Supported cipher suites
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 13%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Georg Sieber
45
Reputation points
Tonight we encountered an issue with our IotHub where ~1500 devices could not connect anymore. Our IotHub is currently operating under a temporary exception for legacy TLS 1.0 version.
Only then we noticed that this subset of our devices support TLS1.2 but do not support a required cipher suite (the devices offer TLS_RSA_WITH_AES_256_CBC_SHA). Since their firmware cannot be updated, the devices need to be replaced in the field.
My question is: How long can we run under that temporary exception to allow legacy cipher suites? We cannot afford to lose the device connections until we replaced them in the field which takes at least a few months.
Azure IoT Hub
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 16%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
SRILAKSHMI C 17,875 Reputation points Microsoft External Staff Moderator2026-04-22T13:49:25.9+00:00 Hello Georg Sieber,
Thank you for the detailed information,
From your description, the impacted devices:
- Support TLS 1.2, but only with the cipher suite
TLS_RSA_WITH_AES_256_CBC_SHA - This cipher suite is not supported by Azure IoT Hub, which requires modern, forward-secure (ECDHE-based) cipher suites
- As a result, these devices are unable to connect under current security enforcement
Important Timeline – TLS Deprecation
The temporary exception allowing legacy TLS versions and weaker cipher suites is time-bound.
Key date to note: August 31, 2025
On this date:
- TLS 1.0 and TLS 1.1 will be fully retired
- All non-recommended (weak) cipher suites will be disabled
- Only strong TLS 1.2 cipher suites (ECDHE-based) will be supported
Impact on Your Devices
After August 31, 2025:
Devices using:
TLS_RSA_WITH_AES_256_CBC_SHAwill be rejected by IoT Hub
Connections from these devices will no longer be accepted under any exception
This means the current temporary exception is only a short-term mitigation and cannot be relied upon beyond this deadline.
Recommended Approach
Given that firmware updates are not possible, your current plan is appropriate:
1. Complete Device Replacement Before Deadline
Replace all affected devices with ones supporting:
- TLS 1.2
- ECDHE-based cipher suites (e.g.,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
2. Phased Migration Strategy
- Prioritize critical or high-volume devices first
- Track remaining legacy devices using IoT Hub connection metrics
3. Minimize Risk During Transition
- Continue using the temporary exception only as needed
- Be aware there is no guarantee of extension beyond the stated deadline
The current TLS exception is temporary and expires on August 31, 2025
Legacy cipher suites like
TLS_RSA_WITH_AES_256_CBC_SHAwill not be supported after this dateDevice replacement is required to maintain connectivity
Please refer this
Azure IoT Hub TLS support and cipher lists https://learn.microsoft.com/azure/iot-hub/iot-hub-tls-support?wt.mc_id=knowledgesearch_inproduct_azure-cxp-community-insider#cipher-suites
Announcement of TLS 1.0/1.1 retirement & strong-cipher enforcement on August 31, 2025 https://azure.microsoft.com/updates?id=update-retirement-tls1-0-tls1-1-versions-azure-services
General TLS 1.2 enforcement timeline in Azure IoT Hub https://learn.microsoft.com/azure/iot-hub/iot-hub-tls-support#tls-12-enforcement-available-in-select-regions
I hope you find these elements useful. Please feel free to let me know if you have any further questions.
Thank you!
- Support TLS 1.2, but only with the cipher suite
-
Georg Sieber 45 Reputation points
2026-04-23T07:57:16.7766667+00:00 Thanks for the AI generated info, but that does not answer my question:
My question is: How long can we run under that temporary exception to allow legacy cipher suites?
-
Georg Sieber 45 Reputation points
2026-04-24T10:27:13.5933333+00:00 Is there actually nobody from Microsoft looking into this support ticket question?
Please have a look.Thank you!
-
Manas Mohanty 16,670 Reputation points Microsoft External Staff Moderator2026-04-26T08:43:38.25+00:00 Hi Georg Sieber
Good day.
Max would be Aug 31, 2025, logically as my colleague pointed out.
Migration advisory
TLS 1.0 and 1.1 would be fully retired on Aug 31, 2025. Customer are requested to have their device firmware updated or replaced with TLS 1.2 or higher policy.
(These are MS Azure's initiatives to increase security for all customers using IOT hub)
Any exception provided are not expected post tentative date
Recommendation
Please work with supplier to have possible device update to support TLS 1.2 or later If immediate device replacement is not possible at your side.
Follow up
Need to check in IOT Hub team internally here for max extension date provided on whitelisting of TLS 1.0 usage.
Please share the support ticket used prior and resource id of IOT hub used in this context through private message.
Thank you for following up.
Sign in to comment
Sign in to answer