TLS Version Upgrade Steps
Methods to verify your TLS version
- From the terminal (command line), use OpenSSL to verify your TLS version:
openssl s_client -connect {{your-api-endpoint}}:443
In the output, locate the “Protocol” line.
It should say something like: Protocol: TLSv1.2
- Use an online tool (for example, SSL Labs (https://www.ssllabs.com/ssltest/)) to verify TLS versions supported by browser-based API calls
- Programming language-specific methods can be used to verify TLS versions used in API calls.
Update to TLS 1.2 or above
TLS versions 1.0 and 1.1 will be deprecated on April 15th, 2025. Users need to update their implementations to support TLS 1.2 or higher.
Update to TLS 1.2 or higher:
- Update your client libraries and frameworks to versions that support TLS 1.2.
- Modify your code to explicitly use TLS 1.2 or higher.
- (Windows servers only) Windows servers will require a registry update to support TLS 1.2.
Set this registry key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault) value to 0
- Update your operating system and web browsers to the latest versions that support TLS 1.2 by default.
Please note: Below is the allowed list of ciphers that must be used. Any cipher other than these will be blocked when moving to a new certificate.
- TLS-AES-128-GCM-SHA256
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-RSA-CHACHA20-POLY1305
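One way to explicitly require TLS 1.2 or higher in client code and check the negotiated cipher against the allow-list above. This is an added example, not code from the original page; the function names are hypothetical, and it assumes Python's ssl module on OpenSSL, which reports TLS 1.3 suite names with underscores where the list above uses hyphens. Pass the hostname of your API endpoint to probe().

```python
import socket
import ssl

# Allow-list copied from the page above.
ALLOWED_CIPHERS = frozenset({
    "TLS-AES-128-GCM-SHA256",
    "TLS-AES-256-GCM-SHA384",
    "TLS-CHACHA20-POLY1305-SHA256",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
})
ACCEPTED_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})


def build_client_context():
    """Client context that refuses TLS 1.0/1.1 and offers only allow-listed TLS 1.2 suites."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() governs TLS 1.2 and below; OpenSSL enables TLS 1.3 suites separately.
    tls12_suites = sorted(c for c in ALLOWED_CIPHERS if c.startswith("ECDHE-"))
    ctx.set_ciphers(":".join(tls12_suites))
    return ctx


def check_negotiated(protocol, cipher):
    """Return the problems with a negotiated protocol/cipher pair (empty list = compliant)."""
    problems = []
    if protocol not in ACCEPTED_PROTOCOLS:
        problems.append(f"protocol {protocol} is below TLS 1.2")
    # Assumption: normalise OpenSSL's TLS_AES_... spelling to the hyphenated form used above.
    if cipher.replace("_", "-") not in ALLOWED_CIPHERS:
        problems.append(f"cipher {cipher} is not on the allow-list")
    return problems


def probe(host, port=443, timeout=10.0):
    """Handshake with host:port and check what was actually negotiated."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with build_client_context().wrap_socket(raw, server_hostname=host) as tls:
            name, _, _ = tls.cipher()
            return check_negotiated(tls.version(), name)


if __name__ == "__main__":
    # Constructed (protocol, cipher) pairs, not captured from a real endpoint.
    for pair in [("TLSv1.3", "TLS_AES_256_GCM_SHA384"), ("TLSv1.1", "ECDHE-RSA-AES256-SHA")]:
        print(pair, check_negotiated(*pair) or "compliant")
```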
Rollback steps (Optional)
If you encounter issues, you can use the steps below to roll back the TLS 1.2 update:
- (Windows servers only) Revert the registry key update
Set this registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client\DisabledByDefault value back to 1.
- Restore old client libraries:
You can revert your client libraries to older versions that support the older TLS protocols (1.0 or 1.1).
Note: It is not recommended to use outdated client libraries long-term.
- Revert browser and operating system updates:
If the browser or operating system updates caused issues, you can roll back to previous versions that support the older TLS protocols (1.0 or 1.1).
Note: Using older browsers, operating systems, and TLS protocols may introduce security vulnerabilities.
- Verify the rollback changes:
Use the verification methods to confirm that your system supports the older TLS versions.
- Monitor for issues:
Ensure that the rollback did not cause new issues. You could use tools like cURL or Postman to test your environment.
Troubleshooting
If you encounter issues after upgrading:
- Use verification methods to confirm your clients’ TLS configurations.
- Review your application logs for any SSL/TLS errors.
- Ensure all intermediate systems (proxies, firewalls, and other network layers) support TLS 1.2 or above.
- Test with an API testing tool (for example, cURL or Postman) with TLS 1.2 (or above) explicitly set.