[Action May Be Required] Upcoming Rollouts EU DDI Endpoints changes (Effective 5 January 2026)
After January 5, 2026, we plan to switch the EU DDI endpoints (https://device.eu1.bosch-iot-rollouts.com and https://device-cert.eu1.bosch-iot-rollouts.com) from a Java-based proxy to an AWS Application Load Balancer (ALB).
This change aims to improve scalability, availability, security, and legal compliance (including geo-blocking) for EU customers. The ALB configuration will enforce the ELBSecurityPolicy-TLS13-1-2-2021-06 SSL policy, supporting TLS 1.2 and TLS 1.3 protocols with a specific set of strong cipher suites listed in the details below. TLS/OCSP stapling will no longer be supported.
Please verify that your devices connecting to these EU DDI endpoints support the new TLS protocols and cipher suites. Devices with non-compliant TLS configurations need to be updated.
If you are unable to support the new configuration, please get in touch with Bosch IoT Rollouts support for assistance or to request a postponement of the planned maintenance.
Change Details
The ALB will support the following cipher suites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-AES256-SHA384
- ECDHE-RSA-AES256-SHA384
For full details on supported protocols and cipher suites, see the AWS Documentation.
For comparison, the DDI endpoints currently support TLS 1.2 and TLS 1.3 with the following cipher suites (Java algorithm naming):
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS/OCSP stapling will be removed with this change since the ALB doesn't support it.
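The two cipher lists above use different naming schemes (Java/IANA for the current proxy; OpenSSL-style for the ALB's TLS 1.2 suites), so a direct text comparison misses the overlap. The following added example, which is not part of the original notice or any Bosch or AWS tooling, normalises the names and flags devices that connect today but share no suite with the new policy. The device profiles and function names are constructed for illustration, and the name conversion covers only the AES suites that appear in this notice.

```python
# Added example: suite lists are copied from this notice; device profiles are constructed.
NEW_ALB = {  # names as listed for the ALB policy
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384",
}
CURRENT_PROXY = [  # Java naming, as listed for the current proxy
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

def to_openssl(name):
    """Convert a Java/IANA TLS 1.2 AES suite name to OpenSSL naming.
    Names without _WITH_ (TLS 1.3 suites, or already OpenSSL-style) pass through."""
    if "_WITH_" not in name:
        return name
    kx, cipher = name[len("TLS_"):].split("_WITH_")
    cipher = cipher.replace("AES_128", "AES128").replace("AES_256", "AES256")
    cipher = cipher.replace("_CBC", "")           # OpenSSL omits "CBC" in the name
    parts = ([] if kx == "RSA" else kx.split("_")) + cipher.split("_")
    return "-".join(parts)                        # static-RSA suites have no kx prefix

def dropped_suites():
    """Suites the current proxy accepts that the ALB list no longer contains."""
    return [s for s in CURRENT_PROXY if to_openssl(s) not in NEW_ALB]

def assess(offered):
    """Return (works_now, works_after) for a device's offered suites, in either naming."""
    offered = {to_openssl(s) for s in offered}
    now = bool(offered & {to_openssl(s) for s in CURRENT_PROXY})
    return now, bool(offered & NEW_ALB)

DEVICES = {  # constructed sample profiles, not real devices
    "legacy-gateway": ["TLS_RSA_WITH_AES_256_GCM_SHA384"],
    "tls13-sensor": ["TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"],
    "mixed-client": ["TLS_RSA_WITH_AES_256_GCM_SHA384",
                     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
}

def at_risk(devices=DEVICES):
    """Devices that can connect today but share no suite with the ALB policy."""
    return sorted(d for d, s in devices.items() if assess(s) == (True, False))

if __name__ == "__main__":
    print("dropped by the change:", dropped_suites())
    print("devices at risk:", at_risk())
```

A shared suite is necessary but not sufficient: the device must also offer the matching protocol version, since the TLS_AES_* and TLS_CHACHA20_* suites are TLS 1.3 only.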