Microsoft is planning to end support for TLS 1.0/1.1 in its products (Windows, Office 365 etc.) and switch to TLS 1.2/1.3. But it seems that this is causing some trouble at the moment. Here’s a short summary of what I noticed over the last few days.
Some background about TLS
Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network. Historically, different TLS versions from 1.0, 1.1 to 1.2 and recently TLS 1.3 have been defined and are in use. Since encryption in TLS 1.0 and 1.1 is no longer considered secure, the IT industry is gradually trying to switch to TLS 1.2 and/or TLS 1.3 for secure Internet connections. In June 2018 this article from The Register reported that the IETF had started to suggest that TLS 1.0/1.1 (also as a fallback solution) should be deprecated. Browser manufacturers announced that they would end support for TLS 1.0/1.1 in 2020. Microsoft is also committed to replacing TLS 1.0/1.1, but has noticeable difficulties.
Note: TLS handling is, however, quite broken in some places. Recently this ZDNet article pointed out that numerous Content Management Systems (CMS) or their plugins deactivate the validation of TLS certificates. But that is a separate issue.
End of support for TLS 1.0/1.1 in Office 365 revised
I mentioned it briefly in June 2018 in the blog post PSA: EOL for TLS 1.0/1.1 support in Intune and Office 365: Within this Technet blog post, Microsoft announced that Intune would only support TLS 1.2 after October 31, 2018. Microsoft Office 365 will then also only be able to communicate with TLS 1.2 via https encryption (see also). For administrators in corporate environments, this means that a number of devices and software products can no longer be used as of the deadline 31.10.2018 due to a lack of TLS 1.2 support (I mentioned the devices in the blog post).
Microsoft has now clarified what ‘end of support’ means. At the end of October 2018 I found the article Microsoft Revises October Deadline on Using TLS 1.0 and 1.1 in Office 365 in Redmond Magazine. It mentions a change in Microsoft’s article Preparing to use TLS 1.2 in Office 365.
As of October 31, 2018, Office 365 will no longer support TLS 1.0 and 1.1. This means that Microsoft will not fix new issues that are found in clients, devices, or services that connect to Office 365 by using TLS 1.0 and 1.1.
Note This doesn’t mean Office 365 will block TLS 1.0 and 1.1 connections. There is no official date for disabling or removing TLS 1.0 and 1.1 in the TLS service for customer connections. The eventual deprecation date will be determined by customer telemetry and is not yet known. After a decision is made, there will be an announcement six months in advance unless we become aware of a known compromise, in which case we may have to act in less than six months to protect customers who use the services.
Update KB4462923 forced TLS 1.0?
On October 9, 2018, Microsoft released the Monthly Rollup Update KB4462923 for Windows 7 SP1 and Windows Server 2008 R2 Service Pack 1. I mentioned the update in my blog post Patchday: Updates for Windows 7/8.1/Server (10/09/2018). However, there were some installation issues (see Windows 7 SP1: Update KB4462923 re-released? and Windows: Update issues and –re-releases October 2018). The update was withdrawn and later re-released. I lost track of what Microsoft did with this update. A German blog reader posted a comment indicating that an update install error 0x80242006 may have something to do with TLS dependencies in the .NET Framework. But I have no details.
Report: The October Win7 Monthly rollup, KB 4462923, forces TLS 1.0 as the default protocol type, even when TLS 1.0 is disabled. Can you confirm? https://t.co/Zg5ZVWNaFv
— Woody Leonhard (@woodyleonhard) 9. November 2018
Now Woody Leonhard has reported at askwoody that update KB4462923 for Windows 7 SP1 forces TLS 1.0 again. A reader of Woody’s site posted the following comment:
I’m not sure what others are experiencing but, at my place of employment, KB4462923 appears to have changed the system default crypto security protocol type to TLS 1.0 even when TLS 1.0 is disabled both client-side and server-side in the system registry. Since we have TLS 1.0 disabled on all of our production servers (Windows Server 2008 R2 SP1), KB4462923 was responsible for a plethora of application failures from basic database mail delivery failures to application connectivity failures with Microsoft Azure cloud solutions; most definitely a showstopping bug for our business.
Within the thread at askwoody.com some users are pointing out issues with Outlook 2010, but it’s not clear whether they have anything to do with TLS.
In addition, from my experience, @PowerShell_Team demands TLS v1.0 for several Modules including PowershellGet & PowershellManagement.
I have had TLS v1.0 & v1.1 turned off with Powershell being the only App that breaks.
— Crysta T. Lacey (@PhantomofMobile) 10. November 2018
User @PhantomofMobile has pointed out in the tweet above that the PowerShell team requires TLS 1.0 for various PS modules, including PowershellGet and PowershellManagement. Somehow it all smells like problems to me. Question: Have you noticed anything similar or are there other problems?
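A read-only check for the two reports above (TLS 1.0 disabled in the registry, and PowerShell breaking once it is off), as an added example that is not from the original post, the askwoody thread or Microsoft. It assumes the settings in question are the standard SCHANNEL protocol keys and the .NET Framework 4 `SchUseStrongCrypto` / `SystemDefaultTlsVersions` values; the function names are made up for this example.

```powershell
# Added example, read-only: nothing here changes the registry.
# Function names are illustrative; the registry locations are the documented
# SCHANNEL and .NET Framework 4 settings, assumed to be the ones at issue.
$SchannelBase = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Read-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or 'not set' when the key or value is absent
    # (absent means the OS or framework default applies).
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($props) {
        $prop = $props.PSObject.Properties[$Name]
        if ($prop) { return $prop.Value }
    }
    return 'not set'
}

function Get-SchannelProtocolState {
    # One row per protocol and role (client = outbound, server = inbound).
    foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Client', 'Server') {
            $key = "$SchannelBase\$proto\$role"
            New-Object PSObject -Property @{
                Protocol          = $proto
                Role              = $role
                Enabled           = (Read-RegValue $key 'Enabled')
                DisabledByDefault = (Read-RegValue $key 'DisabledByDefault')
            }
        }
    }
}

function Get-DotNetTlsDefault {
    # Checks both the 64-bit and the 32-bit (Wow6432Node) framework keys.
    foreach ($key in $DotNetKeys) {
        New-Object PSObject -Property @{
            Key                      = $key
            SchUseStrongCrypto       = (Read-RegValue $key 'SchUseStrongCrypto')
            SystemDefaultTlsVersions = (Read-RegValue $key 'SystemDefaultTlsVersions')
        }
    }
}

Get-SchannelProtocolState | Format-Table Protocol, Role, Enabled, DisabledByDefault -AutoSize
Get-DotNetTlsDefault | Format-List Key, SchUseStrongCrypto, SystemDefaultTlsVersions
# Protocols this PowerShell session offers for outbound .NET (ServicePointManager) connections.
"Session SecurityProtocol: $([Net.ServicePointManager]::SecurityProtocol)"
```

Running it before and after installing an update and comparing the output shows whether any of these settings changed. In the last line, `Tls` means TLS 1.0; a session that offers only protocols SCHANNEL has disabled cannot complete an outbound handshake.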
Windows 10 V1803: Update KB4458166 fixes TLS 1.2 issue
TLS 1.2: Windows Error Reporting Service drops an error
Windows 10 V1803 rollout stopped due to TLS 1.2 issues
PSA: EOL for TLS 1.0/1.1 support in Intune and Office 365
Windows 7 SP1: Update KB4462923 re-released?
Windows: Update issues and –re-releases October 2018
Patchday: Updates for Windows 7/8.1/Server (10/09/2018)