Article

Action Required: TLS Cipher Suite Update — September 15, 2026

Action Required: TLS Cipher Suite Update — September 15, 2026

July 6, 2026

On September 15, 2026, Smartsheet will remove support for a set of weaker TLS 1.2 cipher suites across api.smartsheet.com and app.smartsheet.com as part of an ongoing security hardening initiative. Most 
integrations will be unaffected. Integrations relying on older TLS stacks should test ahead of this date.

What's changing

Both endpoints will be restricted to two TLS 1.2 cipher suites using AEAD encryption:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

All other currently supported TLS 1.2 cipher suites will be removed (full list below).

Who is affected

Integrations whose HTTP client or TLS library negotiates only CBC-mode or static RSA cipher suites will stop connecting after September 15. This is most likely to affect:

  • Custom integrations on legacy enterprise runtimes that don't auto-negotiate modern ciphers
  • Integrations routed through older network appliances or proxies that terminate TLS
  • Environments on operating systems or runtimes no longer in mainstream support (consistent with Smartsheet system requirements, which already require current browser versions — the same principle applies to API clients)

Modern runtimes — current JDK, .NET, Node.js, Python, Go, and Ruby — negotiate the retained cipher suites by default. Integrations on a current Smartsheet SDK and supported OS require no action.

Recommended actions before September 15

  1. Test against staging. The new cipher configuration is already live on api.test.smartsheet.com. Validate your integration there before the production cutover.
  2. Verify your TLS client. If using a custom HTTP client or proxy, confirm support for ECDHE_RSA_WITH_AES_*_GCM_* suites.
  3. Upgrade unsupported environments. Where a runtime cannot negotiate the retained suites, upgrading to a currently supported version is the recommended path.

Technical appendix

Cipher suites being removed:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 — CBC mode
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA — CBC mode
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 — CBC mode
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA — CBC mode
  • TLS_RSA_WITH_AES_128_GCM_SHA256 — Static RSA key exchange
  • TLS_RSA_WITH_AES_128_CBC_SHA256 — Static RSA + CBC
  • TLS_RSA_WITH_AES_128_CBC_SHA — Static RSA + CBC
  • TLS_RSA_WITH_AES_256_GCM_SHA384 — Static RSA key exchange
  • TLS_RSA_WITH_AES_256_CBC_SHA256 — Static RSA + CBC
  • TLS_RSA_WITH_AES_256_CBC_SHA — Static RSA + CBC

Cipher suites being retained:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Why this change

The retiring cipher suites use CBC (Cipher Block Chaining) mode, which is susceptible to padding oracle attacks, and are prohibited under NIST SP 800-52 Rev 2. Removing them eliminates a meaningful class of man-in-the-middle attack risk against Smartsheet traffic and keeps Smartsheet aligned with current security standards.