Announcement: Azure Bot Service Enforcing Transport Layer Security (TLS) 1.2

On December 4th, 2018, the Azure Bot Service will require all connections to be secured using Transport Layer Security (TLS) 1.2.

This enforcement is critical to providing the best possible security for your data. Microsoft, the Payment Card Industry (PCI), and the entire Internet community are moving away from TLS 1.0 and TLS 1.1, which have been shown to be vulnerable to determined attackers.

This change will be enforced for all connections to Azure Bot Service servers, either from a chat client or from a bot. It will not yet be enforced for connections from the Azure Bot Service to bots.

More information

The vast majority of connections to the Azure Bot Service already use TLS 1.2. The few that do not are from old clients or old operating systems. In most cases, an upgrade to a newer browser or a patch to the operating system is all that’s required to enable TLS 1.2.

We will still allow bots to accept the older protocols, but this will be deprecated in the future, so we recommend that bot developers configure their servers to accept TLS 1.2 or higher. If your bot is hosted on Azure Web Apps or Functions, the change is easy. If your bot is hosted on an older version of Windows, such as Windows Server 2008 or Windows 7 (Windows Server 2008 R2), you will need to install a patch and enable the updated protocols. TLS 1.2 is not supported on Windows Vista and earlier.
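One way to confirm that a bot's HTTPS endpoint accepts TLS 1.2 or higher is a client that refuses anything older. This is an added example, not code from the announcement or from Microsoft; the function names and the command-line host argument are assumptions.

```python
import socket
import ssl
import sys


def tls12_client_context():
    """Client context that refuses any protocol older than TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(host, port=443, timeout=5.0):
    """Return (ok, detail); ok is True when the peer completes a TLS 1.2+ handshake."""
    ctx = tls12_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.version()  # negotiated version, e.g. "TLSv1.2"
    except ssl.SSLCertVerificationError as exc:
        return False, f"certificate rejected: {exc.verify_message}"
    except ssl.SSLError as exc:
        # A peer limited to TLS 1.0/1.1 ends up here: the handshake is
        # refused rather than downgraded.
        return False, f"handshake failed: {exc.reason}"
    except OSError as exc:
        return False, f"unreachable: {exc}"


if __name__ == "__main__":
    # Usage (host is whatever endpoint your bot is served from):
    #   python check_tls12.py bot.example.com
    if len(sys.argv) != 2:
        sys.exit("usage: check_tls12.py HOST")
    ok, detail = check_endpoint(sys.argv[1])
    print(("OK " if ok else "FAIL ") + str(detail))
    sys.exit(0 if ok else 1)
```

A failure can also mean that the machine running the check cannot negotiate TLS 1.2 itself, so run it from a host with a current TLS stack.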

The following clients are known to be unable to use TLS 1.2. Update your clients and encourage your customers to do the same to ensure uninterrupted access to the service.

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Internet Explorer 10 on Windows Phone 8.0
  • Safari 6.0.4/OS X 10.8.4 and earlier versions

Thank you for taking this important step with us.

References

  • Solving the TLS 1.0 Problem
  • TLS 1.2 Support at Microsoft
  • App Service and Functions hosted apps can now update TLS versions!
  • TLS 1.2 Support added to Windows Server 2008
  • Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows
  • Update to add support for TLS 1.1 and TLS 1.2 in Windows Server 2008 SP2, Windows Embedded POSReady 2009, and Windows Embedded Standard 2009