TLS 1.2 support at Microsoft
This post is authored by Andrew Marshall, Principal Security Program Manager, Trustworthy Computing Security.
In support of our commitment to use best-in-class encryption, Microsoft’s engineering teams are continually upgrading our cryptographic infrastructure. A current area of focus for us is support for TLS 1.2, this involves not only removing the technical hurdles to deprecating older security protocols, but also minimizing the customer impact of these changes. To share our recent experiences in engaging with this work we are today announcing the publication of the “Solving the TLS 1.0 Problem” whitepaper to aid customers in removing dependencies on TLS 1.0/1.1. Microsoft is also working on new functionality to help you assess the impact to your own customers when making these changes.
What can I do today?
Microsoft recommends customers proactively address weak TLS usage by removing TLS 1.0/1.1 dependencies in their environments and disabling TLS 1.0/1.1 at the operating system level where possible. Given the length of time TLS 1.0/1.1 has been supported by the software industry, it is highly recommended that any TLS 1.0/1.1 deprecation plan include the following:
- Application code analysis to find/fix hardcoded instances of TLS 1.0/1.1.
- Network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0/1.1 or older protocols.
- Full regression testing through your entire application stack with TLS 1.0/1.1 and all older security protocols disabled.
- Migration of legacy operating systems and development libraries/frameworks to versions capable of negotiating TLS 1.2.
- Compatibility testing across operating systems used by your business to identify any TLS 1.2 support issues.
- Coordination with your own business partners and customers to notify them of your move to deprecate TLS 1.0/1.1.
- Understanding which clients may be broken by disabling TLS 1.0/1.1.
Coming soon
To help customers deploy the latest security protocols, we are announcing today that Microsoft will provide support for TLS 1.2 in Windows Server 2008 later this summer.
In conclusion
Learn more about removing dependencies on TLS 1.0/1.1 with this helpful resource:
“Solving the TLS 1.0 Problem” whitepaper.
Stay tuned for upcoming feature announcements in support of this work.