
Moving to TLS 1.2

Bruce Morton

In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of the SSL/TLS protocol.

Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that only 26 percent of the top 200,000 websites support TLS 1.2.

Given the attacks on cipher block chaining (CBC) mode and on RC4, websites are encouraged to enable TLS 1.2 as well. The benefit is that TLS 1.2 adds support for authenticated encryption cipher suites, such as AES-GCM, that are not susceptible to these attacks.

How do you know if your browser supports TLS 1.2?

Go to How’s My SSL and it will tell you how well your browser is doing and which version of TLS it supports. If your browser does not support TLS 1.2, this is probably a configuration setting you can turn on.

What about your website? Go to the CASC SSL Configuration Checker. This site will give you a grade for your website and will tell you which versions of SSL/TLS you support. If you do not support TLS 1.2, your site will not get an A grading. If you do support SSL 2.0, then your site will get an F grading. With users performing these checks, website owners will be encouraged to support the right levels of SSL/TLS protocol.
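The two checks above can be scripted. The following is an added example, not Entrust's code nor the CASC checker's or How's My SSL's implementation: it classifies cipher suites (IANA or OpenSSL names) as AEAD, CBC or RC4 so the suites the post warns about stand out; it applies the grading rules the post states to a scan result (SSL 2.0 offered is an F, no TLS 1.2 is not an A; the "B" returned for the middle case is an assumption, since the post gives no exact grade); and it builds a client-side `ssl.SSLContext` that refuses anything below TLS 1.2 and offers only AES-GCM and ChaCha20-Poly1305 suites, then verifies that no CBC or RC4 suite slipped in. The scan result and suite list in the demo are constructed, not taken from any real site.

```python
"""Protocol-version grading and cipher-suite classification for a TLS
configuration review. Added example; not Entrust's or the CASC checker's code.
Grading rules follow the post (SSL 2.0 -> F, no TLS 1.2 -> not an A); the
'B' used for the middle case is an assumption."""
import re
import ssl

# Bulk ciphers that imply CBC mode when the suite name follows the OpenSSL
# convention, which omits the word "CBC" (e.g. ECDHE-RSA-AES128-SHA).
_CBC_BLOCK_CIPHERS = re.compile(r"AES|CAMELLIA|SEED|DES|IDEA|ARIA")


def classify_suite(name: str) -> str:
    """Classify a cipher suite (IANA or OpenSSL name) by its record protection.

    Returns 'AEAD' (AES-GCM, AES-CCM, ChaCha20-Poly1305), 'RC4', 'CBC' or 'OTHER'.
    AEAD is checked first because AEAD names also contain the block-cipher name.
    """
    upper = name.upper()
    if any(tag in upper for tag in ("GCM", "CCM", "CHACHA20", "POLY1305")):
        return "AEAD"
    if "RC4" in upper:
        return "RC4"
    if "CBC" in upper or _CBC_BLOCK_CIPHERS.search(upper):
        return "CBC"
    return "OTHER"


def weak_suites(suites) -> list:
    """Return the suites a server offers that use the attacked modes (RC4, CBC)."""
    return [s for s in suites if classify_suite(s) in ("RC4", "CBC")]


def grade_site(supported: dict) -> tuple:
    """Apply the post's grading rules to a map of protocol name -> offered?

    Returns (grade, reasons). 'F' and 'A' come from the post; 'B' is an assumption
    standing in for "not an A".
    """
    if supported.get("SSL 2.0"):
        return "F", ["SSL 2.0 is enabled"]
    if not supported.get("TLS 1.2"):
        return "B", ["TLS 1.2 is not offered"]
    return "A", []


def client_supports_tls12() -> bool:
    """Whether the local OpenSSL build behind Python's ssl module can speak TLS 1.2."""
    return ssl.HAS_TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and offers only
    forward-secret AEAD suites (ECDHE with AES-GCM or ChaCha20-Poly1305)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20 only;
    # RC4, anonymous and MD5 suites are excluded explicitly as well.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!RC4:!MD5")
    return ctx


def client_cipher_report(ctx: ssl.SSLContext) -> dict:
    """Count the suites a context will offer, by class. A hardened client
    should report zero CBC and zero RC4 suites."""
    report = {"AEAD": 0, "CBC": 0, "RC4": 0, "OTHER": 0}
    for cipher in ctx.get_ciphers():
        report[classify_suite(cipher["name"])] += 1
    return report


if __name__ == "__main__":
    # Constructed scan result for a hypothetical site, not real data.
    scan = {"SSL 2.0": False, "SSL 3.0": False, "TLS 1.0": True,
            "TLS 1.1": True, "TLS 1.2": True}
    offered = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
               "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-GCM-SHA384"]
    grade, reasons = grade_site(scan)
    print("site grade:", grade, reasons)
    print("weak suites offered:", weak_suites(offered))
    print("client can speak TLS 1.2:", client_supports_tls12())
    print("hardened client suites by class:",
          client_cipher_report(hardened_client_context()))
```

The classifier handles both naming conventions because scan reports and server configuration files mix them: IANA names spell out `_CBC_`, while OpenSSL names such as `ECDHE-RSA-AES128-SHA` leave the mode implicit, which is how a CBC suite survives a casual review.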

Microsoft is moving to TLS 1.2. They were the first to support TLS 1.2 with Internet Explorer 8. In version 11, they have set TLS 1.2 on by default. It will be encouraging if the other browsers take the same position.

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

15 Comments

  1. Bruce, November 23, 2015

    Under the old system, which most sites seem to be using at present, the use of an EV Certificate, for example, was apparent simply by looking at the address bar. Will this still be possible with those sites that are protected by TLS 1.2 and 1.3?

    • Bruce Morton (Author), December 1, 2015

      Using TLS 1.2 does not impact how the browser presents the certificate in the address bar. I assume this will be the same for TLS 1.3 when it is in use.

  2. Henry Dilsky, December 1, 2015

    What certificate type should be used for TLS v1.2? I mean SHA1 or SHA2, or either one?

    • Bruce Morton (Author), December 1, 2015

      Either SHA-1 or SHA-2 will support TLS 1.2. Please note that SHA-1 certificates can only be issued until 31 December 2015. We recommend using SHA-2 signed certificates.

  3. Henry Dilsky, December 1, 2015

    Can Entrust issue internal certificates with the SHA2 signature algorithm?

    • Bruce Morton (Author), December 1, 2015

      Yes, Entrust issues all SSL/TLS certificates with SHA-2 as the default hash.

  4. rk, January 7, 2016

    We are planning to migrate to TLS 1.2 and, as part of it, we would be removing the TLS 1.0 & TLS 1.1 ciphers from our load balancer. We would like to know what the impact would be on application/service interaction with different types of connections and end clients.

  5. madhu, April 6, 2016

    Is there any additional load placed on devices when moving from SSL to TLS 1.2?
    If there is, how can it be made negligible?

    • Bruce Morton (Author), April 6, 2016

      I expect that increased load on the device should be minimal. It would be best to check device load with the device vendor.

  6. madhu, April 14, 2016

    Hi Bruce,
    Is there any additional load placed on devices when moving from SSL to TLS 1.2?
    If there is, how can it be made negligible?
    With reference to this question, can you give a brief explanation of how the load will be minimal?

  7. Narasimha, September 15, 2016

    Bruce,

    We are supposed to use a WebService from one of our vendors, and they are saying to do the
    below step.

    “Confirm your systems are compatible with SSL Security Certificates using SHA2 level encryption and TLS 1.2.”

    I don't really understand what they mean or how to do it.

    • Bruce Morton (Author), September 15, 2016

      It might be easiest to perform an SSL Server Test, https://entrust.ssllabs.com/. Enter your domain name, click submit and a report will be generated for your site. Reviewing the report will provide the signature algorithm which will advise if you are using SHA2; SHA256withRSA meets the SHA2 requirement. If you look further down the report, you will find the protocol section, where TLS 1.2 should say Yes. Please note that SSL 2 and SSL 3 should say No.

  8. Narasimha, September 26, 2016

    Thanks for the response, Bruce. Actually, we are supposed to use their WebServices.
    Our domain doesn't have an SSL certificate. We are just the consumers/users of the WebServices exposed by our client ChangeHealthCare.com.
    Since we are the consumers, is there a need for us to have SSL on our domain?
    If not, then how do I make my system compatible to use their webservice? They are saying that to use their webServices our system should

    “Confirm your systems are compatible with SSL Security Certificates using SHA2 level encryption and TLS 1.2.”

    How do I make sure my system is compatible?
