Microsoft has lifted a “pause” on plans to enforce migration to TLS 1.2 and above for Office 365. Businesses now have until October 15, 2020 to ready their (or customers’) IT estates for the shift — or face unexpected failure to receive emails and more.
Redmond’s plans to enforce deprecation of TLS 1.0 and TLS 1.1 were first announced in late 2017 and were due to be enforced from June 2020. The move was then delayed for commercial customers due to the outbreak of the pandemic.
Customers may need to conduct code analysis to find/fix hardcoded instances of TLS 1.0 (or instances of older TLS/SSL versions) and/or network endpoint scanning and traffic analysis to identify operating systems using TLS 1.0 or older protocols.
“As supply chains have adjusted and certain countries open back up, we are resetting the TLS enforcement to start Oct 15, 2020”, Microsoft said in an email to customers, noting that the move “may require updates to certain combinations of client servers and browser servers” to prevent connection issues to its services.
TLS is a security protocol designed to facilitate privacy and data security for communications over the Internet. Microsoft is keen to avoid the potential for “future protocol downgrade attacks and other TLS vulnerabilities” and is discontinuing support for 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC as a result.
A quick way to determine what TLS version will be requested by various clients when connecting to online services is by referring to the Handshake Simulation at Qualys SSL Labs, which covers client OS/browser combinations across manufacturers.
“If not already complete, it is highly recommended to conduct an inventory of operating systems used by your enterprise, customers and partners (the latter two via outreach/communication or at least HTTP User-Agent string collection)”, notes Redmond in a whitepaper on working around the deprecation.
“This inventory can be further supplemented by traffic analysis at your enterprise network edge. In such a situation, traffic analysis will yield the TLS versions successfully negotiated by customers/partners connecting to your services, but the traffic itself will remain encrypted.”
Clients known to be unable to support TLS 1.2 include
Android 4.3 and earlier versions
Firefox version 5.0 and earlier versions
Internet Explorer 8-10 on Windows 7 and earlier versions
Internet Explorer 10 on Windows Phone 8
Safari 6.0.4/OS X10.8.4 and earlier versions
Businesses are urged to ensure upgrades to any of the above to ensure they are ready for the shift, or they will encounter connection issues. Full regression testing through your entire application stack with TLS 1.0 disabled would also be wise.
The end of the reprieve on migration is the latest sign that vendors see things returning to normal. Businesses that have welcomed new flexibility on licensing and more from their providers may also want to start reviewing next steps.