Azure Bot Service enforcing transport layer security (TLS) 1.2
Published date: 14 November, 2018
On 4th December 2018, the Azure Bot Service will require all connections to be secured using transport layer security (TLS) 1.2.
This enforcement is critical to providing the best possible security for your data. Microsoft, the Payment Card Industry (PCI) and the entire Internet community, are moving away from TLS 1.0 and TLS 1.1, which have been shown to be vulnerable to determined attackers.
This change will be enforced for all connections to Azure Bot Service servers, either from a chat client or from a bot. It will not yet be enforced for connections from the Azure Bot Service to bots.
The vast majority of connections to the Azure Bot Service already use TLS 1.2. The few that do not are from old clients or old operating systems. In most cases, an upgrade to a newer browser or a patch to the operating system is all that is required to enable TLS 1.2.
We will still allow bots to accept the older protocols, but we will be deprecating that in the future, so it is recommended that bot developers configure their servers to accept TLS 1.2 or higher. If your bot is hosted on Azure Web Apps or Functions, the change is easy. If your bot is hosted on an older version of Windows, such as Windows Server 2008 or Windows 7 (Windows Server 2008 R2), you will need to install a patch and enable the updated protocols. TLS 1.2 is not supported on Windows Vista and earlier.
The following clients are known to be unable to use TLS 1.2. Update your clients and encourage your customers to do the same to ensure uninterrupted access to the service.
- Android 4.3 and earlier versions
- Firefox version 5.0 and earlier versions
- Internet Explorer 8-10 on Windows 7 and earlier versions
- Internet Explorer 10 on Win Phone 8.0
- Safari 6.0.4/OS X10.8.4 and earlier versions