I have received a notification from the Auth0 system stating that I need to stop using the old TLS 1.0 and 1.1 protocols. They stated that the reason I am receiving this is that internal traffic analysis showed there are tenants still using them.
How can we check this, and how can I disable it to force TLS 1.2 only?
Sorry for all the inconvenience that this upgrade might have caused. We prepared an FAQ document regarding this that may be useful for all of you. Here it is:
I’m in the same boat as the original poster. I appreciate the extra info in the FAQ, but there is one big question I’m having trouble finding an answer for: how can we test to confirm that any changes we make actually work?
Is there a way to disable older TLS versions ahead of time?
Is there some way to see in the logs what version was used?
Hey Konrad,
Unfortunately, the FAQ document seems to be very poor in information. I don’t feel safe with Auth0’s approach to the upcoming changes on March 22.
The Auth0 network edge and all Auth0 endpoints will only accept traffic secured with TLS 1.2 or later starting March 22, 2021. As of that date, any traffic secured with TLS 1.0 or 1.1 will be rejected.
Why are we making this change?
TLS 1.0 and 1.1 are legacy, insecure protocols. Continuing to support these protocols leaves our service vulnerable to TLS downgrade attacks, in which an attacker forces the connection to occur over a weaker TLS version that can be broken. Along with the rest of the industry, Auth0 is retiring support for these legacy protocols to better protect our customers and their traffic.
How are you affected?
An internal traffic analysis indicates that your tenants are still using either TLS 1.0 or 1.1. The deprecation of these legacy protocols will therefore impact your tenants, since any clients still attempting to connect with TLS 1.0 or 1.1 after March 22, 2021 will fail during the TLS handshake. These errors will be visible to the client and will manifest as client-side connection failures.
What action do you need to take?
Upgrade your Auth0 clients to use TLS 1.2 or later, using modern, secure ciphers. For maximum security, we also recommend explicitly disabling TLS 1.0 and 1.1 where possible. The exact details and steps required will vary, depending on your application and client. Tools such as https://www.ssllabs.com/ssltest/ may help identify vulnerable domains and protocols.
The required action is “Upgrade your Auth0 clients to use TLS 1.2 or later”.
In order to do this, we really need some tools from Auth0 to allow us to determine which clients to update. If it is referring to the clients of our users, we will need to contact our users, and expecting them to update their clients may not be something they can complete by March 22.
Yeah. That’s right. We would need to know which client is affected so that we can check with the application owner to update the TLS version. Please let us know if there is a way we can get these details ASAP.
The Auth0 network edge and all Auth0 endpoints will only accept traffic secured with TLS 1.2 or later starting March 22, 2021. As of that date, any traffic secured with TLS 1.0 or 1.1 will be rejected.
Why are we making this change?
TLS 1.0 and 1.1 are legacy, insecure protocols. Continuing to support these protocols leaves our service vulnerable to TLS downgrade attacks, in which an attacker forces the connection to occur over a weaker TLS version that can be broken. Along with the rest of the industry, Auth0 is retiring support for these legacy protocols to better protect our customers and their traffic.
How are you affected?
An internal traffic analysis indicates that your tenants are still using either TLS 1.0 or 1.1. The deprecation of these legacy protocols will therefore impact your tenants, since any clients still attempting to connect with TLS 1.0 or 1.1 after March 22, 2021 will fail during the TLS handshake. These errors will be visible to the client and will manifest as client-side connection failures.
What action do you need to take?
Upgrade your Auth0 clients to use TLS 1.2 or later, using modern, secure ciphers. For maximum security, we also recommend explicitly disabling TLS 1.0 and 1.1 where possible. The exact details and steps required will vary, depending on your application and client. Tools such as https://www.ssllabs.com/ssltest/ may help identify vulnerable domains and protocols.
My question:
How can we identify which application, client or audience is using the lower TLS version from the Auth0 tenant?
There should be some way for us to know, so we can work on those clients for the fix.
For example, in the logs a deprecation notice could be displayed along with the client or audience and the IP address of the request coming in from the web server, API or any application.
Or some tool to identify the TLS version.
We have multiple clients and shared applications which use Auth0 and directly call the Auth0 endpoints. So it’s very difficult to identify which application uses which TLS version, and this is confusing us.
Blocking requests with TLS 1.1 or lower for all tenants is not going to work for us. Is there any chance that we first start with the DEV tenant blocking requests with lower TLS versions, and then the UAT tenants? That way we can identify the issues and fix them. Finally we can proceed to the PROD tenant.
Also, we are not sure which client/application is using which TLS version. Is there any way to find that out?
It’s very difficult to have all our client applications upgrade the TLS version. We don’t know how it’s going to go. We would need at least 6 months.
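The three practical questions in this thread (how to pin a client to TLS 1.2 or later, how to test ahead of the date that a legacy client really fails, and how a server can record which version each peer negotiated) can all be tried locally without touching Auth0. The Go program below is an added example written for this thread; it is not Auth0's code and not part of the original posts. It simulates the post-cutover edge with a TLS server whose MinVersion is TLS 1.2, using a throwaway self-signed certificate for the hypothetical host name edge.example, and runs in-process handshakes over net.Pipe from a hardened client and from a client that can only offer TLS 1.0/1.1. The log line the edge prints on success is the shape of record the posters are asking Auth0 for; the error the legacy client gets back is the "client-side connection failure" the notice describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

var versionNames = map[uint16]string{
	tls.VersionTLS10: "TLS1.0", tls.VersionTLS11: "TLS1.1",
	tls.VersionTLS12: "TLS1.2", tls.VersionTLS13: "TLS1.3",
}

// VersionName renders a crypto/tls version constant the way a log line should carry it.
func VersionName(v uint16) string {
	if n, ok := versionNames[v]; ok {
		return n
	}
	return fmt.Sprintf("0x%04x", v)
}

// selfSignedCert makes a throwaway certificate for the simulated edge.
// "edge.example" is a hypothetical name; nothing here contacts Auth0.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "edge.example"},
		DNSNames: []string{"edge.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// Handshake runs one TLS handshake over an in-memory pipe. The server side is
// configured like the post-cutover edge (TLS 1.2 or later only); the client
// side offers the version range [clientMin, clientMax]. It returns the
// negotiated version, or the error the client sees when the edge rejects it.
func Handshake(clientMin, clientMax uint16) (uint16, error) {
	cert, leaf, err := selfSignedCert()
	if err != nil {
		return 0, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	edgeCfg := &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12, // reject TLS 1.0 and 1.1 outright
		SessionTicketsDisabled: true,             // keep the pipe traffic to the handshake itself
	}
	// A hardened client sets MinVersion to TLS 1.2; the explicit bounds let the
	// same code also play the legacy client that offers only 1.0/1.1.
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "edge.example",
		MinVersion: clientMin, MaxVersion: clientMax}

	edgeRaw, clientRaw := net.Pipe()
	deadline := time.Now().Add(10 * time.Second) // never hang if something goes wrong
	edgeRaw.SetDeadline(deadline)
	clientRaw.SetDeadline(deadline)

	edgeDone := make(chan error, 1)
	go func() {
		s := tls.Server(edgeRaw, edgeCfg)
		err := s.Handshake()
		if err == nil {
			// What a server-side access log needs to carry to answer
			// "which peer negotiated which version".
			fmt.Printf("edge: peer=%s negotiated=%s\n",
				edgeRaw.RemoteAddr(), VersionName(s.ConnectionState().Version))
		}
		edgeRaw.Close()
		edgeDone <- err
	}()

	c := tls.Client(clientRaw, clientCfg)
	err = c.Handshake()
	ver := c.ConnectionState().Version
	clientRaw.Close() // close the raw pipe: a tls Close would block on close_notify
	<-edgeDone
	if err != nil {
		return 0, err
	}
	return ver, nil
}

func main() {
	v, err := Handshake(tls.VersionTLS12, tls.VersionTLS13)
	fmt.Println("hardened client:", VersionName(v), err)
	_, err = Handshake(tls.VersionTLS10, tls.VersionTLS11)
	fmt.Println("legacy client:", err) // the failure affected apps will see after the cutover
}
```

Against the real endpoint the equivalent ahead-of-time check is `openssl s_client -connect <your-tenant-domain>:443 -tls1_1 </dev/null`, which should fail the handshake once the edge is restricted while `-tls1_2` still succeeds. Note where the information lives: the negotiated version is known to both ends of the handshake, so an application can log it from its own TLS connection state (the ConnectionState call above), but only the server side sees it for every client at once, which is why the thread's request for per-client data has to be answered by Auth0 rather than by anything the client can run itself.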