Security - TLS 1.0 & 1.1 End of Life/support for several products

I would like to share news that TLS 1.0 and 1.1 will no longer be supported after 31 Th March 2020.

Reading whole article you will see that it would not be a sort of "Big Bang" but in any case I hope that these information would be useful for someone  (*)


CISCO UMBRELLA


All endpoints with Cisco umbrella will require TLS 1.2 after that date (*)


https://support.umbrella.com/hc/en-us/articles/360033350851-End-of-Life-for-TLS-1-0-1-1-


CISCO ANYCONNECT


"Cisco Umbrella will continue to support Cisco Any Connect and Cisco Umbrella Roaming Client versions that require TLS 1./0/1.1 until September 30th 2020. All other uses of TLS 1.0 and 1.1 will be discontinued as planned on March 31st. "


https://support.umbrella.com/hc/en-us/articles/360033350851-End-of-Life-for-TLS-1-0-1-1-


TLS 1.0 & 1/1 - Deprecated


Protocols are deprecated



BROWSER MICROSOFT, APPLE, GOOGLE & MOZILLA


Microsoft, Apple, and Mozilla have all announced that their browsers will no longer support TLS 1.0 and 1.1 as of March 2020. 


TLS 1.2 #HOW TO VERIFY


You can use this website to verify your browser health:


https://www.ssllabs.com/ssltest/viewMyClient.html


Otherwise if you want to verify website using FQDN you can use same website but at below link/section:

https://www.ssllabs.com/ssltest/


.NET (Note: Any Connect requires .NET)


Native TLS 1.2 requires .NET framework 4.6.2+. Prior versions require registry edits (4.x) or Registry edits and manual hot fix patches (3.5).

More information can be found here:

https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client.

This applies to Umbrella software running on .NET framework - currently AD Connector and Roaming client.


.NET #Check your version


Follow this article

https://docs.microsoft.com/en-us/dotnet/framework/migration-guide/how-to-determine-which-versions-are-installed


DISABLE #TLS 1.0 and TLS v1.1 DISABLE at #O.S level


It can be disabled at the O.S. level (IIS)https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat


TLS 1.2 #HOW TO ENABLE on earlier versions .NET 3.5.1


The .NET framework version 3.5.1 and earlier versions did not provide support for applications to use Transport Layer Security (TLS) System Default Versions as a cryptographic protocol. This update enables the use of TLS v1.2 in the .NET Framework 3.5.1.


Check these register tips


[whole article here]


TLS 1.2 #HOW TO ENABLE on NEWER versions .NET 4.6.2+


Apply these register tips


[whole article here]


UMBRELLA #OLD clients #FORCE TLS 1.2


If you are unable to update Umbrella/Any Connect client to use TLS 1.2 you need to follow these article steps.


https://support.umbrella.com/hc/en-us/articles/115005871543-Requirements-for-forcing-TLS-1-2-on-the-Connector-and-Roaming-Client


MOZILLA FIREFOX 74chante


With 74.0 release TLS 1.0 is disabled, but you can re-enable it about:config --> Tls and change below values




https://www.trishtech.com/2020/03/how-to-enable-tls-1-0-and-tls-1-1-in-mozilla-firefox-74/



Pay attention to below advice:



GOOGLE CHROME 81


Google chrome version 81 will remove TLS 1.0 and TLS 1.1 support:


https://developers.google.com/web/updates/2020/02/chrome-81-deps-rems



APPLE/SAFARI


Will remove support for TLS 1.0 and 1.1 from Safari in March 2020 via updates to Mac OS and iOS.


INTERNET EXPLORER/EDGE


There are rumors that support will be removed in early 2020


SECURITY AWARENESS/WEAKNESS


These old protocols are not patch-able (NIST) versus actual vulnerabilities such as poodlebeeast and others.

- Checking client-side vulnerability:

   https://www.poodletest.com/


- Checking server-side vulnerability:


   http://www.poodlebleed.com


(*) I strongly believe on this assumptions but at the same time I am aware that I am too naive.



George Bernard Shaw

"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas."


[Update 2020.03.27]

Here it is Microsoft article that explain if and how to disable TLS 1.0 and 1.1 on windows 2012 R2 for exemplificative purpose:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn786418(v=ws.11)



[update 2020/04/06]

Due to Covid-19 there are more delays than expected, here it is an interesting article that give you more explanations.

https://nakedsecurity.sophos.com/2020/04/02/covid-19-forces-browser-makers-to-continue-supporting-tls-1-0/