Article
Action Required: TLS Cipher Suite Update — September 15, 2026
July 6, 2026
On September 15, 2026, Smartsheet will remove support for a set of weaker TLS 1.2 cipher suites across api.smartsheet.com and app.smartsheet.com as part of an ongoing security hardening initiative. Most
integrations will be unaffected. Integrations relying on older TLS stacks should test ahead of this date.
What's changing
Both endpoints will be restricted to two TLS 1.2 cipher suites using AEAD encryption:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
All other currently supported TLS 1.2 cipher suites will be removed (full list below).
Who is affected
Integrations whose HTTP client or TLS library negotiates only CBC-mode or static RSA cipher suites will stop connecting after September 15. This is most likely to affect:
- Custom integrations on legacy enterprise runtimes that don't auto-negotiate modern ciphers
- Integrations routed through older network appliances or proxies that terminate TLS
- Environments on operating systems or runtimes no longer in mainstream support (consistent with Smartsheet system requirements, which already require current browser versions — the same principle applies to API clients)
Modern runtimes — current JDK, .NET, Node.js, Python, Go, and Ruby — negotiate the retained cipher suites by default. Integrations on a current Smartsheet SDK and supported OS require no action.
Recommended actions before September 15
- Test against staging. The new cipher configuration is already live on
api.test.smartsheet.com. Validate your integration there before the production cutover. - Verify your TLS client. If using a custom HTTP client or proxy, confirm support for
ECDHE_RSA_WITH_AES_*_GCM_*suites. - Upgrade unsupported environments. Where a runtime cannot negotiate the retained suites, upgrading to a currently supported version is the recommended path.
Technical appendix
Cipher suites being removed:
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256— CBC modeTLS_ECDHE_RSA_WITH_AES_128_CBC_SHA— CBC modeTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384— CBC modeTLS_ECDHE_RSA_WITH_AES_256_CBC_SHA— CBC modeTLS_RSA_WITH_AES_128_GCM_SHA256— Static RSA key exchangeTLS_RSA_WITH_AES_128_CBC_SHA256— Static RSA + CBCTLS_RSA_WITH_AES_128_CBC_SHA— Static RSA + CBCTLS_RSA_WITH_AES_256_GCM_SHA384— Static RSA key exchangeTLS_RSA_WITH_AES_256_CBC_SHA256— Static RSA + CBCTLS_RSA_WITH_AES_256_CBC_SHA— Static RSA + CBC
Cipher suites being retained:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Why this change
The retiring cipher suites use CBC (Cipher Block Chaining) mode, which is susceptible to padding oracle attacks, and are prohibited under NIST SP 800-52 Rev 2. Removing them eliminates a meaningful class of man-in-the-middle attack risk against Smartsheet traffic and keeps Smartsheet aligned with current security standards.