As of October 31, 2018, Microsoft Office 365 will no longer support TLS 1.0 and 1.1

(Pierre Grand) #1

MS ends support for TLS prior to 1.2 in October.

Is TLS 1.2 supported on Discourse?

(Rafael dos Santos Silva) #2


(Jeff Atwood) #3

@sam @mpalmer should we even be supporting TLS v1? That seems positively ancient … as of 2014 all major browsers supported TLS v1.2?

(Matt Palmer) #4

I’m happy to nuke older browser support if you want. It’d reduce the cipher list, too, because most of the entries in there are to support older browsers. The main reason I didn’t go “full strict” last time I reviewed those settings is because while you can gracefully degrade UI on older browsers, to (at the very least) tell people “your browser is from the 90s, man!”, you can’t gracefully degrade TLS connections – if a protocol negotiation doesn’t happen successfully, it’s ugly (browser-provided) error page time, no exceptions, no chance for the site to give any useful information.
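
The failure mode described in the post above, as an added example (not Discourse's own code or configuration): a ClientHello builder, the server-side parse of the versions a client offers, and the negotiation step that either picks a version or emits the fatal protocol_version alert. The record and handshake layouts follow RFC 5246 and RFC 8446; the client random, the single cipher suite and the "strict"/"lenient" policy sets are constructed placeholders for illustration.

```python
"""TLS version negotiation walk-through (added example, not Discourse code).

Builds ClientHello records for clients offering various protocol versions,
parses them as a server would, and applies a configured version policy. When
no version is acceptable, the only thing the server can send back is a fatal
protocol_version alert: 7 bytes, with no room for an HTML explanation.
"""
import struct

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}

HANDSHAKE, ALERT = 0x16, 0x15            # record-layer content types
CLIENT_HELLO = 0x01                      # handshake message type
EXT_SUPPORTED_VERSIONS = 0x002B          # RFC 8446 extension id
ALERT_FATAL, ALERT_PROTOCOL_VERSION = 2, 70


def build_client_hello(offered, with_extension=None):
    """Constructed ClientHello for a client offering the given versions.

    legacy_version carries the highest pre-1.3 version (RFC 8446 pins it at
    0x0303 for TLS 1.3 clients). The supported_versions extension carries the
    full list; older clients never sent it, so by default it is only included
    when TLS 1.3 is offered.
    """
    if with_extension is None:
        with_extension = TLS13 in offered
    legacy = min(max(offered), TLS12)
    body = struct.pack("!H", legacy)
    body += b"\x11" * 32                          # client random (constructed placeholder)
    body += b"\x00"                               # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"    # one suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                           # compression methods: null only
    exts = b""
    if with_extension:
        vers = b"".join(struct.pack("!H", v) for v in sorted(offered, reverse=True))
        data = bytes([len(vers)]) + vers
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    # Record-layer version is conventionally 0x0301 for interoperability.
    return bytes([HANDSHAKE]) + struct.pack("!HH", TLS10, len(hs)) + hs


def parse_client_hello(record):
    """Return the set of protocol versions the client offered, as a server sees them."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or rec_len != len(record) - 5:
        raise ValueError("not a single handshake record")
    hs = record[5:]
    if hs[0] != CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    legacy = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                  # skip client random
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    offered = None
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                n = edata[0]
                offered = {struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)}
    if offered is None:
        # Without the extension the client is taken to support everything up to
        # legacy_version; it has no way to announce a minimum.
        offered = {v for v in NAMES if v <= legacy}
    return offered


def negotiate(record, server_versions):
    """Server side: pick the highest mutually supported version, or build the
    fatal protocol_version alert that is the client's only feedback."""
    common = parse_client_hello(record) & set(server_versions)
    if common:
        return "accepted", max(common)
    alert = bytes([ALERT]) + struct.pack("!HH", TLS12, 2) \
        + bytes([ALERT_FATAL, ALERT_PROTOCOL_VERSION])
    return "rejected", alert


if __name__ == "__main__":
    strict = {TLS12, TLS13}                       # assumed post-change policy
    lenient = {TLS10, TLS11, TLS12, TLS13}        # assumed pre-change policy
    clients = {
        "modern browser": build_client_hello({TLS12, TLS13}),
        "2014-era browser": build_client_hello({TLS10, TLS11, TLS12}),
        "TLS 1.1-max client": build_client_hello({TLS10, TLS11}),
        "TLS 1.0-only client": build_client_hello({TLS10}),
    }
    for name, hello in clients.items():
        for label, policy in (("strict", strict), ("lenient", lenient)):
            outcome, detail = negotiate(hello, policy)
            shown = NAMES[detail] if outcome == "accepted" else "alert " + detail.hex()
            print(f"{name:>20} vs {label:<7}: {outcome} {shown}")
```

The rejected case returns the raw alert record (content type 0x15, level fatal, description 70), which is what a browser turns into its own error page; the server never gets to speak HTTP.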

(Jeff Atwood) #5

It looks like we are safe to disable TLS v1 at least, because we don’t support IE10, and IE11 supports TLS v1.1.

(Sam Saffron) #6

Oh but Matt’s point of you don’t even get an error page or anything except for “broken cert” kind of stands.

I think that given:

TLS 1, when properly configured has no known security vulnerabilities. Newer protocols are better designed and better address the potential for new vulnerabilities.

I think we should just leave it for now. I strongly agree we should remove any ciphers that are compromised.

(Jeff Atwood) #7

It is pointless though; any browser so old that it only supports TLS v1 will not load Discourse’s advanced JS anyway.

(Sam Saffron) #8

Sure, but I wonder, does this mean we want to remove?

(Jeff Atwood) #9

Maybe, looking at the old dates there and market share of ancient stuff…

(Felix Freiberger) #10

Just as a reference of what others are doing, GitHub (which admittedly has an audience that is rather likely to keep browsers up to date) is disabling TLS 1.0 and 1.1 now:

(Jeff Atwood) #11

We should remove tls v1 @mpalmer — that seems quite safe to me.

(Matt Palmer) #12

OK. I’ll add it to my list.

(Matt Palmer) #13

Righto, I think I’ve excised all the old protocol support everywhere. Next container rebuild everyone’s going to lose TLS 1.0/1.1, and all our hosted infrastructure should already be updated.

(Jeff Atwood) #14

Cool, Stripe just did the same.

(Matt Palmer) #15

Stripe has to do it, as TLS 1.0 is no longer PCI compliant as of 30 June 2018.