
In the dazzling array of services among the Microsoft cloud offerings, the rollout of TLS 1.0/1.1 deprecation is not being done all at once. This has led to some confusion and questions around which endpoints are dropping the older TLS support and when.

Here I want to provide the dates for the endpoints we know about, along with some .NET code guidance on how to use the newer TLS protocol (1.2), and some more information on TLS across the Microsoft Cloud.

So to begin, here are some of the endpoints that we know of.

Service                                                        End date                                           Release
-----------------------------------------------------------------------------------------------------------------------------------
Office 365 (Exchange/SharePoint/etc.)
  Office 365 DoD/GCC                                           1/1/2020
  Office 365 consumer                                          10/15/2020
Graph
  Graph Government                                             8/5/2020
  Graph Consumer                                               10/15/2020
Azure
  Azure Guest OS images                                        1/1/2019                                           Family 6 release
  Azure Application Proxy                                      1/31/2019
  Azure intra-service traffic                                  1/1/2020
  Azure SQL DB managed instance (pre SQL 2016)                 1/1/2020
  Azure Cosmos DB                                              7/29/2020
  Azure File Sync                                              8/1/2020
  Azure AD registration service in all sovereign clouds
    (GCC High, DoD etc.)                                       8/31/2020
  Azure Automation                                             9/1/2020
  Azure AD registration service in all commercial clouds       10/30/2020
  Azure App Services (Web apps/functions/etc.)                 no announced timeline; can still be set by admin   ??


If you are not sure about a particular endpoint, you can use this PowerShell script to test it and see which versions of TLS it supports-


<#
Created by: whall
Date Created: 3/25/2020

Product Area Tags: Connectivity

Technology Tags: SSL TLS

Use Case:
Shows which version(s) of TLS is supported for a URL

Description:
When you run this, it checks each TLS type connection to see if it is supported.

Parameters:
-url this is the URL of the site you are testing against

Keywords: sockets secure https

Code Example Disclaimer:
Sample Code is provided for the purpose of illustration only and is not intended to be used in a production environment. THIS SAMPLE CODE AND ANY RELATED INFORMATION ARE PROVIDED 'AS IS'
-This is intended as a sample of how code might be written for a similar purpose and you will need to make changes to fit to your requirements.
-This code has not been tested. This code is also not to be considered best practices or prescriptive guidance.
-No debugging or error handling has been implemented.
-It is highly recommended that you FULLY understand what this code is doing and use this code at your own risk.

#>

#TLS check
param([Parameter(Mandatory=$true)][string]$url)

function TLSAvailable([string]$url){

    Write-Host =======================
    Write-Host $url
    Write-Host =======================

    # Protocol names as System.Net.SecurityProtocolType understands them, with the label to print for each
    $protocols = [ordered]@{ 'Tls' = 'TLS/SSL 1.0'; 'Tls11' = 'TLS/SSL 1.1'; 'Tls12' = 'TLS/SSL 1.2' }

    foreach ($proto in $protocols.Keys) {
        $label  = $protocols[$proto]
        # -UseBasicParsing keeps Windows PowerShell from needing the IE engine to parse the response,
        # which would otherwise show up as a failure that has nothing to do with TLS
        $params = @{ Uri = $url; Method = 'GET'; DisableKeepAlive = $true; UseBasicParsing = $true }

        if ($PSVersionTable.PSVersion.Major -ge 6) {
            # PowerShell 6+ uses HttpClient, which ignores ServicePointManager, so pin the version per request
            $params['SslProtocol'] = $proto
        } else {
            # Windows PowerShell: this setting is process-wide, and only the named protocol is offered in the handshake
            [System.Net.ServicePointManager]::SecurityProtocol = $proto
        }

        try{
            $resp = Invoke-WebRequest @params
            if($resp.StatusCode -eq 200){
                Write-Host "$label supported" -ForegroundColor green
            }
        }catch {
            # A handshake failure (or any other request error) ends up here
            Write-Host "$label not supported" -ForegroundColor Red
            #$_.Exception
        }
    }
    Write-Host =======================

}

TLSAvailable -url $url

Bear in mind that the result depends on the client as well as the server: a protocol version that the machine running the script has disabled in its own Schannel settings is reported as not supported whatever the endpoint is configured for, and on Windows PowerShell the SecurityProtocol change stays in effect for the rest of the session.
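A stricter way to run the same check is to skip HTTP altogether and attempt a bare TLS handshake per version, so that a 4xx/5xx response or a certificate problem cannot be mistaken for a protocol problem, and so the negotiated version and cipher are visible. The script below is an added example, not the article's or whall's code; the parameter and function names are my own, and it assumes the client machine still permits each version it tests (a version disabled in local Schannel policy shows as unsupported regardless of the server).

```powershell
# Added example (not from the original article): probe an endpoint with a bare TLS handshake
# per protocol version using System.Net.Security.SslStream rather than an HTTP request.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on a host whose own policy still allows the
# client side of each version being tested.
param(
    [Parameter(Mandatory = $true)][string]$HostName,
    [int]$Port = 443
)

function Test-TlsHandshake {
    param(
        [string]$HostName,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)

        # Accept any server certificate: this probe answers "which protocol versions does the
        # server negotiate", and a certificate error must not be reported as a protocol failure.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            # Offer exactly one protocol version, with no client certificate and no revocation check
            $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
            [pscustomobject]@{
                Requested  = $Protocol
                Supported  = $true
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
                Detail     = ''
            }
        } catch {
            # The server refused the handshake (AuthenticationException) or dropped the connection
            [pscustomobject]@{
                Requested  = $Protocol
                Supported  = $false
                Negotiated = $null
                Cipher     = ''
                Detail     = $_.Exception.Message
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

$versions = [System.Security.Authentication.SslProtocols]::Tls,
            [System.Security.Authentication.SslProtocols]::Tls11,
            [System.Security.Authentication.SslProtocols]::Tls12

$results = foreach ($v in $versions) { Test-TlsHandshake -HostName $HostName -Port $Port -Protocol $v }
$results | Format-Table Requested, Supported, Negotiated, Cipher, Detail -AutoSize

# Flag endpoints that still accept a version on the deprecation schedule above
if ($results | Where-Object { $_.Supported -and $_.Requested -ne 'Tls12' }) {
    Write-Host "$HostName still accepts TLS 1.0 and/or 1.1" -ForegroundColor Yellow
}
```

Run it as `.\Test-TlsHandshake.ps1 -HostName outlook.office365.com` (any name you choose for the file). Because the certificate callback accepts everything, use this only to answer the protocol question; it is not a substitute for the certificate validation your real clients perform.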

 

 

 

Azure Web Application Services

If you are running a .NET web application in Azure App Service, you can set the minimum TLS version under the application's settings, as below-

[Screenshot: Annotation 2020-08-28 133047.png]


.NET Framework Code

If you are compiling your code for .NET Framework 4.7 (4.7.1 for WCF apps) or later, it will use the default TLS version for the OS.

If you compiled against a previous .NET Framework version, it will use older versions of TLS unless you apply the right patch and use one of the following methods-

  1. Set a registry setting to force all .NET code to use strong cryptography
  2. Set a config setting for the app context overrides to use the strong cryptography
  3. Add a line of code to change the TLS version used for HTTPS calls


Method 1 (System wide registry change)-

This enables the SchUseStrongCrypto setting, which makes .NET default to the strongest protocols currently available (TLS 1.1 and 1.2 rather than only SSL 3.0/TLS 1.0). It affects all .NET applications on the machine with one registry value per CLR version (the 64-bit and Wow6432Node keys each need it).

Enable strong cryptography for .NET CLR 4 versions (64 bit)-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Enable strong cryptography for .NET CLR 2 versions (64 bit)-

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SchUseStrongCrypto"=dword:00000001
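Before and after applying the .reg fragments, it is useful to see which of the four values are actually in place on a given server. The script below is an added example (not from the article) that audits those keys read-only and reports the ones still missing the setting; the function name and the output format are my own, and it assumes a 64-bit Windows host run from 64-bit PowerShell (on 32-bit Windows the Wow6432Node keys do not exist and are reported as "key missing").

```powershell
# Added example (not from the original article): read-only audit of the four SchUseStrongCrypto
# values that Method 1 sets. Run from 64-bit PowerShell so the HKLM:\SOFTWARE\Microsoft path is
# not redirected to Wow6432Node. Changes nothing.

# The same four keys as the .reg fragments above, in PowerShell drive notation
$StrongCryptoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Get-StrongCryptoStatus {
    param([string[]]$KeyPaths)

    foreach ($path in $KeyPaths) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if ($null -eq $key) {
            # That CLR version is not installed (or this is 32-bit Windows, for the Wow6432Node keys)
            $state = 'key missing'
        } else {
            # GetValue returns $null when the value was never created; that runtime then keeps
            # its pre-strong-crypto default protocol list
            $value = $key.GetValue('SchUseStrongCrypto')
            if ($null -eq $value)  { $state = 'not set' }
            elseif ($value -eq 1)  { $state = 'enabled' }
            else                   { $state = "set to $value (not 1)" }
        }
        [pscustomobject]@{ Key = $path; SchUseStrongCrypto = $state }
    }
}

$report = Get-StrongCryptoStatus -KeyPaths $StrongCryptoKeys
$report | Format-Table -AutoSize

# Keys that exist but are not enabled are the ones the Method 1 .reg change would fix
$needsFix = @($report | Where-Object { $_.SchUseStrongCrypto -ne 'enabled' -and $_.SchUseStrongCrypto -ne 'key missing' })
if ($needsFix.Count -gt 0) {
    Write-Host "$($needsFix.Count) installed .NET runtime key(s) still need SchUseStrongCrypto=1" -ForegroundColor Yellow
    exit 1
} else {
    Write-Host 'SchUseStrongCrypto is enabled for every installed .NET runtime key' -ForegroundColor Green
}
```

The non-zero exit code makes it usable as a compliance check from a scheduled task or configuration-management run; remove the `exit 1` if you only want the table.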

 

 

Method 2 (Config file change)-

Add the following to your .NET config file, inside the <configuration> element-

<runtime>
  <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=false" />
</runtime>


Method 3 (Hardcoded in the application)-

Use this line of C# code in your application during initialization so that all web calls will use the newer TLS 1.2 protocol-

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Note that assigning to SecurityProtocol replaces the whole set of enabled protocols, so after this line TLS 1.2 is the only version the process will offer.

If you are using PowerShell you can use the same object with this-

[System.Net.ServicePointManager]::SecurityProtocol = "Tls12"

More on these here-

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls


Browser Support (Edge/Chrome/Edge legacy/IE/Firefox/Safari)

The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service.

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Internet Explorer 10 on Windows Phone 8
  • Safari 6.0.4/OS X 10.8.4 and earlier versions

Chromium-based Edge disabled TLS 1.0 and 1.1 around July 2020 (version 84).

For all supported versions of Internet Explorer 11 and Microsoft Edge Legacy (EdgeHTML-based), TLS 1.0 and TLS 1.1 will be disabled by default as of September 8, 2020.


TLS 1.3

The next version of TLS is already implemented in some browsers and is just around the corner, but it should not be causing issues yet, since TLS 1.2 is only now becoming the lowest mandatory version.


More information

For more information on the patches for various products, and more details on the .NET settings related to TLS, please see the following articles.

Azure

https://azure.microsoft.com/en-us/updates/azuretls12/

https://azure.microsoft.com/en-us/updates/?query=TLS

Windows/.NET/SQL/SharePoint (on-prem)

SQL-

https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server

SharePoint (this covers .NET/Windows/SQL/browsers as well)-

https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019

.NET 4.5-

https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#34—enable-strong-cryptography-in-net-framework-45-or-higher

.NET 3.5 update for TLS 1.1/1.2 support-

https://docs.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/enable-tls-1-1-and-tls-1-2-support-in-sharepoint-server-2019#35—install-net-framework-35-update-for-tls-11-and-tls-12-support

.NET programming guidance-

https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls


Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.