Disabling outdated cryptographic Transport Layer Security Protocols (TLS)

TLS 1.0 and TLS 1.1 disabled as of 1st September 2020

2020/08/24

The encryption protocols TLS 1.0 and TLS 1.1 offer only limited protection during data transmission. On recommendation of the German Federal Office for Information Security (BSI) the HRZ will therefore convert all external services to at least the more current version TLS 1.2 on September 1st, 2020. TLS 1.0 and TLS 1.1 will be deactivated for all these services.

All current server and client operating systems and those supported by updates will support TLS 1.2 in addition to the old protocol versions. The changeover will therefore go unnoticed by most users.

In some cases, however, as far as the HRZ is aware, difficulties could arise in the following cases:

1. clients with very old operating systems

Whoever is affected by this should – regardless of this measure – urgently upgrade their operating system, even if this means purchasing a new device. This is because the affected operating systems have not received updates for a long time and therefore represent a considerable IT security risk.

Affected operating systems (among others):

  • Windows 7 before SP1
  • macOS before version 10.12 (Sierra)
  • Android before version 5.0
  • iOS before version 9.3

The above mentioned operating system versions already support TLS 1.2, but only iOS 9.3 is still updated by the manufacturer. All other versions should not be used for security reasons.

2. server with fixed configured protocols

Configuration guides for server applications sometimes recommend setting the protocols permanently. Especially for installations that have been running for a long time, it is conceivable that the default of using TLS 1.0 or TLS 1.1 exclusively, which was in effect a few years ago, may now become a problem. We recommend that you check the settings.

3. multifunction printers and similar devices

Multifunction printers (printer-scanner combinations) often have a scan-to-mail function. For the direct e-mail transmission of the scanned images, the scanner must establish a connection to the e-mail server. Unfortunately, many (specially older or cheap devices) do not support the more modern encryptions. For those devices that are affected by this, there is the possibility to either abstain from this function or to replace the devices.

Temporary interim solution for problems with conversion to TLS 1.2

In case a changeover of the outdated TLS versions to TLS 1.2 cannot be done in time due to technical reasons, a temporary interim solution is offered. However, this option is only available for 3 months, i.e. up to and including November 30, 2020. If this option is used, performance problems must be expected. To take advantage of a temporary interim solution, please send an e-mail to

nb