What is changing?
The Auth0 network edge and all Auth0 endpoints to only accept traffic secured with TLS 1.2 or later starting March 22, 2021 . As of that date, any traffic secured with TLS 1.0 or 1.1 will be rejected.
Why are we making this change?
TLS 1.0 and 1.1 are legacy, insecure protocols. Continuing to support these protocols leaves our service vulnerable to TLS downgrade attacks, in which an attacker forces the connection to occur over a weaker TLS version that can be broken. Along with the rest of the industry, Auth0 is retiring support for these legacy protocols to better protect our customers and their traffic.
How are you affected?
An internal traffic analysis indicates that your tenants are still using either TLS 1.0 or 1.1. The deprecation of these legacy protocols will therefore impact your tenants since any clients still attempting to connect with TLS 1.0 or 1.1 after March 22, 2021 will fail during TLS handshake. These errors will be visible to the client, and will manifest as client-side connection-failures.
What action do you need to take?
Upgrade your Auth0 clients to use TLS 1.2 or later, using modern, secure ciphers. For maximum security, we also recommend explicitly disabling TLS 1.0 and 1.1 where possible. The exact details and steps required will vary, depending on your application and client. Tools such as https://www.ssllabs.com/ssltest/ may help identify vulnerable domains and protocols
How can we identify which application or client or audience is using the lower TLS version from Auth0 tenant.
There should some ways for us to know so we can work on those client for the fix.
Like in the logs, depreciation notice can be displayed along with client or audience and IP address of the request coming in from the web server or API or any application.
Or some tools to identify the TLS version.
We are having multiple clients and shared applications which uses Auth0 and directly calls the Auth0 endpoints. So it’s very difficult to identify which application uses what TLS and confusing us.
So please share how can we proceed on this fix.