
Moving to TLS 1.2

Bruce Morton

In 2014, there will be a trend for website owners to implement TLS 1.2 on their servers. TLS 1.2 was defined in RFC 5246 in August 2008 and is the most secure version of the SSL/TLS protocol.

Although TLS 1.2 has been available for a few years, it is not well deployed. SSL Pulse indicates that only 26 percent of the top 200,000 websites support TLS 1.2.

Given the attacks on cipher block chaining (CBC) mode and on RC4, websites are encouraged to enable TLS 1.2 as well. The benefit is that TLS 1.2 adds support for authenticated encryption with AES-GCM cipher suites, which are not prone to these attacks.

How do you know if your browser supports TLS 1.2?

Go to How’s My SSL and it will tell you how well your browser is doing and which version of TLS it supports. If your browser does not support TLS 1.2, then this is probably a configuration setting you can turn on.

What about your website? Go to the CASC SSL Configuration Checker. This site will give you a grade for your website and will tell you which versions of SSL/TLS you support. If you do not support TLS 1.2, your site will not get an A grading. If you do support SSL 2.0, then your site will get an F grading. With users performing these checks, website owners will be encouraged to support the right levels of SSL/TLS protocol.

Microsoft is moving to TLS 1.2. They were the first to support TLS 1.2 with Internet Explorer 8. In version 11, they have set TLS 1.2 on by default. It will be encouraging if the other browsers take the same position.
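The server-side counterpart of the checks above, as an added example that is not code from the post or from Entrust: a Python audit of an OpenSSL-backed `ssl.SSLContext` that enforces the advice in this post (TLS 1.2 as the floor, AEAD cipher suites only) and reports whether any CBC or RC4 suites remain enabled. The cipher-list string and the bucket names are assumptions chosen for this example.

```python
import ssl

# OpenSSL cipher-list syntax: only forward-secret AEAD suites, so no CBC-mode
# suites (the class attacked by BEAST/Lucky 13) and no RC4 (constructed choice).
AEAD_ONLY = "ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:DHE+CHACHA20"


def classify(cipher_name: str) -> str:
    """Bucket an OpenSSL suite name by its bulk-encryption mode."""
    name = cipher_name.upper()
    if "RC4" in name:
        return "RC4"
    if "GCM" in name or "CHACHA20" in name or "CCM" in name:
        return "AEAD"
    return "CBC"  # remaining AES/3DES/Camellia suites are CBC mode


def hardened_server_context() -> ssl.SSLContext:
    """Server context that negotiates TLS 1.2 or later with AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuses SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(AEAD_ONLY)  # TLS 1.3 suites are AEAD by definition and stay enabled
    return ctx


def version_allowed(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if the context's min/max window permits negotiating `version`."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo != ssl.TLSVersion.MINIMUM_SUPPORTED and version < lo:
        return False
    if hi != ssl.TLSVersion.MAXIMUM_SUPPORTED and version > hi:
        return False
    return True


def audit(ctx: ssl.SSLContext) -> dict:
    """Group every suite the context would offer by mode: {'AEAD': [...], 'CBC': [...], 'RC4': [...]}."""
    buckets = {"AEAD": [], "CBC": [], "RC4": []}
    for cipher in ctx.get_ciphers():  # what this OpenSSL build would actually offer
        buckets[classify(cipher["name"])].append(cipher["name"])
    return buckets


if __name__ == "__main__":
    ctx = hardened_server_context()
    for mode, names in audit(ctx).items():
        print(f"{mode}: {len(names)} suite(s)")
    print("TLS 1.1 allowed:", version_allowed(ctx, ssl.TLSVersion.TLSv1_1))
```

Run it on the host whose server configuration you are hardening; an empty CBC and RC4 bucket plus a refused TLS 1.1 is the state the configuration checker in the post rewards with an A.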

Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.

9 Comments

  1. Bruce, November 23, 2015

    Under the old system, which most sites seem to be using at present, the use of an EV Certificate, for example, was apparent simply by looking at the address bar. Will this still be possible with those sites that are protected by TLS 1.2 and 1.3?

    • Bruce Morton (Author), December 1, 2015

      Using TLS 1.2 does not impact how the browser presents the certificate in the address bar. I assume this will be the same for TLS 1.3 when it is in use.

  2. Henry Dilsky, December 1, 2015

    What certificate type should be used for TLS v1.2? I mean SHA1 or SHA2, or either one?

    • Bruce Morton (Author), December 1, 2015

      Either SHA-1 or SHA-2 will support TLS 1.2. Please note that SHA-1 certificates can only be issued until 31 December 2015. We recommend using SHA-2 signed certificates.

  3. Henry Dilsky, December 1, 2015

    Can Entrust issue an internal certificate with the signature algorithm SHA2?

    • Bruce Morton (Author), December 1, 2015

      Yes, Entrust issues all SSL/TLS certificates with SHA-2 as the default hash.

  4. rk, January 7, 2016

    We are planning to migrate to TLS 1.2 and, as part of it, we would be removing the TLS 1.0 and TLS 1.1 ciphers from our load balancer. We would like to know what the impact of this would be on application/service interaction with different types of connections and end clients.
