Hello everyone. I am currently working on a complex migration. We are trying to connect a very old, legacy PBX gateway (Avaya) to our Genesys Cloud organization using a BYOC Cloud trunk. For HIPAA compliance, we must encrypt the signaling using TLS. However, when the legacy gateway tries to establish the TLS handshake, it fails immediately with a “Handshake Failure” alert. I suspect the old gateway does not support the modern cipher suites that Genesys Cloud requires. Can anyone confirm the exact TLS 1.2 cipher suites that are strictly required by Genesys Cloud for BYOC inbound SIP traffic?
You are correct; Genesys Cloud is very strict about encryption for compliance reasons. They only support a small subset of highly secure TLS 1.2 cipher suites, typically focusing on ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for forward secrecy. Older Avaya gateways often default to older, less secure RSA-based ciphers which Genesys will immediately reject. You will likely need to upgrade the firmware on that legacy gateway to enable the modern ECDHE ciphers.
I deal with audio encryption frequently. To be precise, Genesys Cloud BYOC trunks generally require TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 or TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. If your legacy PBX only supports CBC mode ciphers (like AES_256_CBC), the handshake will fail. You can verify the exact cipher mismatch by running a packet capture (PCAP) on your local network and looking at the “Client Hello” message sent by the Avaya system to see which ciphers it is offering.
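One way to do the Client Hello check described above without reading hex by hand. This is an added example, not code from the thread or from Genesys or Avaya: it parses the raw TLS record bytes of a ClientHello (the TCP payload of the first packet from the PBX, which can be copied out of the capture), lists the cipher suites the client offered, and reports whether any of them is one of the two ECDHE GCM suites named in the answer. The two sample hellos are constructed inline so the script runs offline; the cipher suite IDs are the IANA registry values.

```python
import struct

# IANA cipher suite IDs for the suites named in this thread
# (values from the IANA TLS Cipher Suites registry).
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003D: "TLS_RSA_WITH_AES_256_CBC_SHA256",
}

# The two suites the answer above says the BYOC trunk requires.
REQUIRED_SUITES = {0xC02F, 0xC030}


def build_client_hello(cipher_suites):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"  # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type=client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # type=handshake


def parse_client_hello(record):
    """Return the list of cipher suite IDs offered in a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if len(handshake) < 4 or handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                      # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def check_offer(record, required=REQUIRED_SUITES):
    """Compare the offered suites against the set the far end requires."""
    offered = parse_client_hello(record)
    common = [cs for cs in offered if cs in required]
    return {
        "offered": [CIPHER_NAMES.get(cs, f"0x{cs:04X}") for cs in offered],
        "compatible": bool(common),
        "matching": [CIPHER_NAMES[cs] for cs in common],
    }


# Constructed samples: a CBC/RSA-only legacy offer and an offer that includes ECDHE GCM.
LEGACY_HELLO = build_client_hello([0x0035, 0x002F, 0x003D])
MODERN_HELLO = build_client_hello([0xC030, 0xC02F, 0x0035])

if __name__ == "__main__":
    for name, hello in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        result = check_offer(hello)
        print(name, "offered:", ", ".join(result["offered"]))
        print(name, "compatible with required ECDHE GCM suites:", result["compatible"])
```

To use it on a real capture, export the bytes of the first TLS record the PBX sends (in Wireshark, select the TLS layer and copy as a hex stream), pass `bytes.fromhex(...)` to `check_offer`, and compare the printed list against the suites the far side requires. Only the ClientHello is inspected; the GCM/CBC split it flags is exactly the mismatch the answer describes.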
If upgrading the firmware on the Avaya system is impossible due to its age, your only other option is to place an SBC (Session Border Controller) in the middle. The SBC can accept the older, less secure TLS connection from the Avaya on the internal network, and then establish a new, fully compliant TLS 1.2 connection to Genesys Cloud on the external side. It acts as a secure proxy and solves the cipher mismatch without touching the legacy hardware!