Action Required: Upgrade to TLS 1.2 or later

hi everyone,

I have received a notification from the Auth0 system stating that I need to stop using the old TLS 1.0 and 1.1 protocols. They stated that the reason I am receiving this is that internal traffic analysis showed there are tenants still using them.

How can we check this, and how can I disable it to force TLS 1.2 only?

I don’t have a custom domain within the tenants.

Many thanks.

1 Like

Hey there!

Discussing it right now with the team responsible for the deprecation. Will get back to you as soon as I have any news to share!

Hey sir, any luck? :question:

Hey everyone!

Sorry for all the inconvenience that this upgrade might have caused. We have prepared an FAQ document regarding this that may be useful for all of you. Here it is:

https://community.auth0.com/t/upgrade-to-tls-1-2-what-actions-to-take/56547/2

2 Likes

I’m in the same boat as the original poster. Appreciate the extra info in the FAQ, but one big question that I’m having trouble finding an answer for: how can we test to confirm any changes we make actually work?

Is there a way to disable older TLS versions ahead of time?

Is there some way to see in the logs what version was used?

Thanks

1 Like

I second the question above: how do we validate that the change was successful?

Hey Konrad,
Unfortunately, the FAQ document seems to be very poor in information. I don’t feel safe with Auth0’s approach to the upcoming changes on March 22.

Sure! Let me circle back with the team and get you an update!

1 Like

I would like to quote the full email:

What is changing?

The Auth0 network edge and all Auth0 endpoints will only accept traffic secured with TLS 1.2 or later starting March 22, 2021. As of that date, any traffic secured with TLS 1.0 or 1.1 will be rejected.

Why are we making this change?

TLS 1.0 and 1.1 are legacy, insecure protocols. Continuing to support these protocols leaves our service vulnerable to TLS downgrade attacks, in which an attacker forces the connection to occur over a weaker TLS version that can be broken. Along with the rest of the industry, Auth0 is retiring support for these legacy protocols to better protect our customers and their traffic.

How are you affected?

An internal traffic analysis indicates that your tenants are still using either TLS 1.0 or 1.1. The deprecation of these legacy protocols will therefore impact your tenants, since any clients still attempting to connect with TLS 1.0 or 1.1 after March 22, 2021 will fail during the TLS handshake. These errors will be visible to the client and will manifest as client-side connection failures.

What action do you need to take?

Upgrade your Auth0 clients to use TLS 1.2 or later, using modern, secure ciphers. For maximum security, we also recommend explicitly disabling TLS 1.0 and 1.1 where possible. The exact details and steps required will vary, depending on your application and client. Tools such as https://www.ssllabs.com/ssltest/ may help identify vulnerable domains and protocols.

The required action is “Upgrade your Auth0 clients to use TLS 1.2 or later”.

In order to do this, we really need some tools from Auth0 to allow us to determine which clients to update. If it is referring to the clients of our users, we will need to contact our users, and expecting them to update their clients may not be something they can complete by March 22.

2 Likes
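A client-side way to act on the email’s instruction (“Upgrade your Auth0 clients to use TLS 1.2 or later”) and to answer the validation question raised above, added here as an example that is not from the original thread or from Auth0: the first context enforces TLS 1.2+ for your own Auth0 clients, and the probe pins one protocol version at a time so you can confirm that the endpoint rejects 1.0/1.1 and accepts 1.2. `YOUR_TENANT.auth0.com` is a placeholder for your tenant domain.

```python
import socket
import ssl

# Placeholder: replace with your own tenant domain (or custom domain).
AUTH0_HOST = "YOUR_TENANT.auth0.com"


def tls12_only_context() -> ssl.SSLContext:
    """Client context for calling Auth0: TLS 1.2 minimum, certificate and
    hostname verification on. Hand it to your HTTP library (urllib, aiohttp...)."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def pinned_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Probe context that can negotiate exactly one protocol version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level;
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # lower it for the probe only
        except ssl.SSLError:
            pass  # library without that option: the probe will report a client error
    return ctx


def probe(host: str, version: ssl.TLSVersion, port: int = 443) -> tuple:
    """Attempt a handshake pinned to `version`; return (accepted, detail)."""
    ctx = pinned_context(version)
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"negotiated {tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        return False, f"handshake rejected: {exc.reason or exc}"
    except OSError as exc:
        return False, f"connection error: {exc}"


def summarize(results: dict) -> str:
    """Verdict over {version_name: accepted}; legacy acceptance is the finding."""
    legacy = [v for v in ("TLSv1", "TLSv1_1") if results.get(v)]
    if legacy:
        return "legacy protocols still accepted: " + ", ".join(legacy)
    if results.get("TLSv1_2"):
        return "ok: only TLS 1.2+ accepted"
    return "TLS 1.2 handshake failed; check the client, not the endpoint"


if __name__ == "__main__":
    outcome = {}
    for v in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2):
        ok, detail = probe(AUTH0_HOST, v)
        outcome[v.name] = ok
        print(f"{v.name:8} {'accepted' if ok else 'rejected'} ({detail})")
    print(summarize(outcome))
```

Run the probe against each tenant (DEV, UAT, PROD) before and after the cutover date; a TLS 1.0/1.1 probe that is rejected while the TLS 1.2 probe succeeds is the confirmation the thread is asking for.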

I’m still waiting for the answer from the team. Will let you know as soon as I have any update!

Yeah. That’s right. We would need to know which client is affected so that we can check with the application owner to update the TLS version. Please let us know if there is a way we can get these details ASAP.

1 Like

Hey there!

Sorry for the delay! I’m still waiting for the final news from the appropriate team!

What is changing?

The Auth0 network edge and all Auth0 endpoints will only accept traffic secured with TLS 1.2 or later starting March 22, 2021. As of that date, any traffic secured with TLS 1.0 or 1.1 will be rejected.

Why are we making this change?

TLS 1.0 and 1.1 are legacy, insecure protocols. Continuing to support these protocols leaves our service vulnerable to TLS downgrade attacks, in which an attacker forces the connection to occur over a weaker TLS version that can be broken. Along with the rest of the industry, Auth0 is retiring support for these legacy protocols to better protect our customers and their traffic.

How are you affected?

An internal traffic analysis indicates that your tenants are still using either TLS 1.0 or 1.1. The deprecation of these legacy protocols will therefore impact your tenants, since any clients still attempting to connect with TLS 1.0 or 1.1 after March 22, 2021 will fail during the TLS handshake. These errors will be visible to the client and will manifest as client-side connection failures.

What action do you need to take?

Upgrade your Auth0 clients to use TLS 1.2 or later, using modern, secure ciphers. For maximum security, we also recommend explicitly disabling TLS 1.0 and 1.1 where possible. The exact details and steps required will vary, depending on your application and client. Tools such as https://www.ssllabs.com/ssltest/ may help identify vulnerable domains and protocols.

My question:
How can we identify which application, client or audience is using the lower TLS version from the Auth0 tenant?

There should be some way for us to know, so we can work with those clients on the fix.

For example, in the logs a deprecation notice could be displayed along with the client or audience and the IP address of the request coming in from the web server, API or any application.
Or some tool to identify the TLS version.

We have multiple clients and shared applications which use Auth0 and directly call the Auth0 endpoints. So it’s very difficult to identify which application uses which TLS version, and this is confusing us.

So please share how we can proceed on this fix.

1 Like

Hey there @sveeramani!

Merging your topic with this one as here we gather all the information regarding this change.

1 Like

Blocking requests with TLS 1.1 or lower for all tenants is not going to work for us. Is there any chance that we first start with the DEV tenant blocking requests with a lower TLS version, and then the UAT tenants? That way we can identify the issues and fix them. Finally we can proceed to the PROD tenant.
Also, we are not sure which client/application is using which TLS version. Is there any way to find that out?
It’s very difficult to have all our client applications upgrade the TLS version. We don’t know how it is going to go. We would need at least 6 months.

1 Like

I’ll let you know as soon as I have any updates on this.

1 Like

Hey there everyone!

Small update here! You should receive a new email with all the necessary information in the next few days. Sorry once more for the inconvenience!

3 Likes

Hi Konrad,
Any idea when we will get the updates? A specific date, please.

There is no specific date yet, as engineering is finishing some details. But my guess is it will be within the next 10 business days.

1 Like

Looks like you Auth0 guys are not going to give us enough time to get prepared.