Overview
Mozilla Firefox, Google Chrome, Microsoft Edge and Internet Explorer 11, and Apple Safari browsers are ending support for TLS 1.0 and 1.1 in March 2020.
PLEASE NOTE: On Mar. 23, CalNet ended support for TLS 1.0 and 1.1 protocols.
Email calnet-admin@berkeley.edu if you have questions.
What this means for developers
Developers may need to update their applications or libraries to support TLS 1.2. CalNet Services work best when accessed from these recommended browsers.
While CalNet does not support applications, we have provided some guidelines here:
ColdFusion Developers
Please see the section for Java developers as this is relevant to ColdFusion running on a JVM.
Java Developers
If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection, and your application runs in a JVM on a version of Java prior to 1.8, you need to change your application to support TLS 1.2 for communicating to these services.
If your application runs on Java 1.7 or Java 1.6 (update 111 or later), you can set the https.protocols system property when starting the JVM to enable additional protocols for connections made using the HttpsURLConnection class – for example, by setting -Dhttps.protocols=TLSv1.2
If your application runs on Java 1.6 prior to update 111, or on an earlier version of Java, TLS 1.1 and 1.2 are not supported. Therefore, you need to update the version of Java your application runs on.
If you use another library for connections such as Apache HttpClient, you should consult the documentation to enable TLS 1.2.
mod_auth_cas Integrations
If your application connects to CalNet Single Sign-on (auth.berkeley.edu) via a server-to-server connection, and your application uses Apache with mod_auth_cas, you need to ensure you are using the most recent version of mod_auth_cas and are using OpenSSL 1.0.1g or higher.
The latest mod_auth_cas is found here: https://github.com/apereo/mod_auth_cas
To check your OpenSSL version run the following command:
openssl version
If the version listed is less than 1.0.1g then upgrade using your operating system’s package manager. If the version listed indicates LibreSSL then no action is necessary.
.Net Developers
If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection then, depending on your version of .Net and Windows, you may need to change your application to support TLS 1.2 for communicating to these services.
- For comprehensive instructions please see https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
.Net Framework 4.6 and later
These versions support TLS 1.2 by default in most cases; however please review this guide to ensure you are not using an older (or unpatched) Windows operating system that may change this behavior and to ensure you are following Microsoft’s guidelines:
- https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
For example, if you use TCP sockets and set SslProtocols.Default, then you will still be using unsupported TLS versions.
.Net Framework 3.5 - 4.5.2
It is recommended that you upgrade and re-target your application to .Net framework 4.7. If you cannot, please follow the instructions provided by Microsoft:
Python Developers
If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection, and your application is written in a version of Python prior to 2.7 or 3.6, or is using OpenSSL libraries older than 1.0.1g, you need to change your application to support TLS 1.2 for communicating to these services.
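To check the TLS version your Python interpreter negotiates, install requests and run the command below. The verify=False argument turns off certificate validation for this one diagnostic request; do not carry it into application code.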
Python 2:
python2 -m pip install --upgrade requests
python2 -c "import requests; print(requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version'])"
Python 3:
python3 -m pip install --upgrade requests
python3 -c "import requests; print(requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version'])"
To check your OpenSSL version run the following command:
openssl version
If the version listed is less than 1.0.1g then upgrade using your operating system’s package manager. If the version listed indicates LibreSSL then no action is necessary.
For comprehensive information please see: http://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html
Ruby Developers
If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection, and your application is written in an outdated version of Ruby (prior to 2.4) or is using OpenSSL libraries older than 1.0.1g, you may need to change your application to support TLS 1.2 for communicating to these services.
To check your OpenSSL version run the following command:
openssl version
If the version listed is less than 1.0.1g then upgrade using your operating system’s package manager. If the version listed indicates LibreSSL then no action is necessary.
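The 1.0.1g threshold above (the same one given in the mod_auth_cas and Python sections) is easy to misread because of the letter suffix, and the openssl command reports the command-line binary, which is not always the library your interpreter is linked against. The following is an added example, not CalNet's code: it applies the page's rule to a version banner and to the library that Ruby itself loaded. The function names and the sample banners in the comments are constructed for illustration.

```ruby
require 'openssl'

# Threshold from this page: OpenSSL 1.0.1g or higher; LibreSSL needs no action.
MIN_OPENSSL = [1, 0, 1, 'g'].freeze

# Parse a banner such as "OpenSSL 1.0.1f 6 Jan 2014" (constructed sample) into
# [vendor, [major, minor, patch, letter_suffix]]; returns nil if unrecognised.
def parse_openssl_banner(banner)
  m = banner.match(/\A(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)/)
  return nil unless m
  [m[1], [m[2].to_i, m[3].to_i, m[4].to_i, m[5]]]
end

# Apply the page's rule to one banner: :ok, :upgrade or :unknown.
def tls12_library_status(banner)
  vendor, version = parse_openssl_banner(banner)
  return :unknown if vendor.nil?
  return :ok if vendor == 'LibreSSL'
  # Element-wise comparison: numbers first, then the letter suffix
  # ("" sorts before "g", so plain 1.0.1 is older than 1.0.1g).
  (version <=> MIN_OPENSSL) >= 0 ? :ok : :upgrade
end

# Status of the library this Ruby process actually loaded, which may
# differ from what the openssl command on the PATH reports.
def linked_library_status
  tls12_library_status(OpenSSL::OPENSSL_LIBRARY_VERSION)
end

if __FILE__ == $PROGRAM_NAME
  puts "#{OpenSSL::OPENSSL_LIBRARY_VERSION}: #{linked_library_status}"
end
```

To check the command-line binary as well, pass the output of the openssl version command to tls12_library_status.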
You may also need to make sure your code is not explicitly requesting an older version of TLS. For example, this code will use the unsupported version of TLS regardless of the OpenSSL version:
context = OpenSSL::SSL::SSLContext.new
context.ssl_version = :TLSv1_1
For more information see: https://docs.ruby-lang.org/en/2.7.0/OpenSSL.html#module-OpenSSL-label-SSL+and+TLS+Connections
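One way to act on the advice above, as an added example that is not CalNet's code: scan source for ssl_version assignments that pin a protocol older than TLS 1.2, and build the context with a TLS 1.2 floor instead of a pin. The function names and the sample source are constructed; min_version= assumes the openssl gem 2.1 or later (bundled with Ruby 2.5 and up).

```ruby
require 'openssl'

# Assignments that pin a protocol older than TLS 1.2,
# e.g. ssl_version = :TLSv1_1 or ssl_version = "TLSv1"
LEGACY_PIN = /\bssl_version\s*=\s*[:"']?(TLSv1_1|TLSv1|SSLv3|SSLv2)\b/

# Return [line_number, pinned_protocol] for every legacy pin in a source string.
def find_legacy_tls_pins(source)
  source.each_line.with_index(1).map do |line, lineno|
    next if line.lstrip.start_with?('#') # ignore commented-out code
    m = LEGACY_PIN.match(line)
    [lineno, m[1]] if m
  end.compact
end

# Replacement for a pinned context: set a floor rather than a single version,
# so TLS 1.2 is the minimum and newer versions can still be negotiated.
def tls12_floor_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  ctx
end

# Constructed sample source, not taken from any real application.
SAMPLE_SOURCE = <<~'RUBY'
  context = OpenSSL::SSL::SSLContext.new
  context.ssl_version = :TLSv1_1
  # http.ssl_version = :TLSv1
  http.ssl_version = "TLSv1"
  client.ssl_version = :TLSv1_2
RUBY

if __FILE__ == $PROGRAM_NAME
  find_legacy_tls_pins(SAMPLE_SOURCE).each do |lineno, proto|
    puts "line #{lineno}: pinned to #{proto}"
  end
end
```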