TLS Protocol Compatibility
Mar 6, 2024
TLS Protocol Compatibility
Introduction
This article focuses specifically on TLS v1.0, v1.1, v1.2, & v1.3 and their compatibility with various software platforms and operating systems, both client and server side, if you would like to know more about what these protocols are & what purpose they serve, please feel free to read on our blog post here.
Note: Please note that certificates are not dependent on the protocols you have enabled or disabled, the protocols are determined by your server configuration and not by the certificates and will likely be managed by your server administrator or the appropriate IT staff within your organization. If you would like some further guidance on how you can go about disabling deprecated SSL/TLS protocols, please check our related article.
Timeline
| June 21, 2018 | Deprecation of TLS 1.0 and 1.1 by GlobalSign |
|---|---|
| June 30, 2018 | PCI DSS deadline for deprecating TLS 1.0 |
Compatibility Tables
INDEX:
Browsers
|
|
TLS 1.1 | TLS 1.2 | TLS 1.3 | |
|---|---|---|---|---|
| Desktop IE 11 latest version | ✗ | ✓ | ✓ | ✓ |
| Desktop and mobile IE version 11 | ✓ | ✓ | ✓ | ✗ |
| Desktop IE versions: 8, 9, and 10 | ✓ | Partial [See Note 1] |
Partial [See Note 1] |
✗ |
| Desktop IE versions 7 and below | ✓ | ✗ | ✗ | ✗ |
| Mobile IE version 10 and below | ✓ | ✗ | ✗ | ✗ |
| Microsoft Edge latest version | ✗ | ✓ | ✓ | ✓ |
| Microsoft Edge | ✓ | ✓ | ✓ | ✗ |
| Mozilla Firefox 63 or higher | ✗ | ✓ | ✓ | ✓ |
| Mozilla Firefox 27 and higher | ✓ | ✓ | ✓ | ✗ |
| Mozilla Firefox 23 to 26 | ✓ | Partial [See Note 2] |
Partial [See Note 2] |
✗ |
| Mozilla Firefox 22 and below | ✓ | ✗ | ✗ | ✗ |
| Google Chrome 80 or higher | ✗ | ✓ | ✓ | ✓ |
| Google Chrome 30 to 79 | ✓ | ✓ | ✓ | ✗ |
| Google Chrome 22 to 32 | ✓ | Partial [See Note 3] |
Partial [See Note 3] |
✗ |
| Google Chrome 21 and below | ✓ | ✗ | ✗ | ✗ |
| Android 10.0 or higher | ✗ | ✓ | ✓ | ✓ |
| Android 5.0 (Lollipop) and higher | ✓ | ✓ | ✓ | ✗ |
| Android 4.4 (Kitkat) to 4.4.4 | ✓ | Partial (See Note 4) |
Partial (See Note 4) |
✗ |
| Android 4.3 (Jelly Bean) and below | ✓ | ✗ | ✗ | ✗ |
| Desktop Safari version 13 or higher | ✗ | ✓ | ✓ | ✓ |
| Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher | ✓ | ✓ | ✓ | ✗ |
| Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below | ✓ | ✗ | ✗ | ✗ |
| Mobile Safari version 13 or higher | ✗ | ✓ | ✓ | ✓ |
| Mobile Safari versions 5 and higher for iOS 5 and higher | ✓ | ✓ | ✓ | ✗ |
| Mobile Safari for iOS 4 and below | ✓ | ✗ | ✗ | ✗ |
| Opera 67 and higher | ✗ | ✓ | ✓ | ✓ |
|
Desktop Clients |
||||
|
|
TLS 1.1 | TLS 1.2 | TLS 1.3 | |
| Windows 11 or higher | ✗ | ✓ | ✓ | ✓ |
| Windows 10 | ✓ | ✓ | ✓ | ✗ |
| Windows 8.1 | ✓ | ✓ | ✓ | ✗ |
| Windows 8 | ✓ | Partial [See Note 5] |
Partial [See Note 5] |
✗ |
| Windows 7 SP1 | ✓ | ✓ | ✓ | ✗ |
| Windows 7 SP1 | ✓ | ✓ | ✓ | ✗ |
| Windows Vista | ✓ | ✗ | ✗ | ✗ |
| Windows XP SP3 | ✓ | ✓ | ✗ | ✗ |
| Windows XP | ✓ | ✗ | ✗ | ✗ |
| MAC OS 10.15 or higher | ✗ | ✓ | ✓ | ✓ |
| MAC OS X 10.13 | ✓ | ✓ | ✓ | ✗ |
| MAC OS X 10.12 | ✓ | ✓ | ✓ | ✗ |
| MAC OS X 10.11 | ✓ | ✓ | ✓ | ✗ |
| MAC OS X 10.10 | ✓ | ✓ | ✓ | ✗ |
| MAC OS X 10.9 | ✓ | ✓ | ✓ | ✗ |
| MAC OS X 10.8 | ✓ | ✗ | ✗ | ✗ |
| MAC OS X 10.6 and 10.7 | ✓ | ✗ | ✗ | ✗ |
| MAC OS X 10.4 and 10.5 | ✓ | ✗ | ✗ | ✗ |
| MAC OS X 10.2 and 10.3 | ✓ | ✗ | ✗ | ✗ |
| Linux | ✓ | ✗ | ✗ | ✗ |
Mobile Clients |
||||
|
|
TLS 1.1 | TLS 1.2 | TLS 1.3 | |
| Airwatch | ✓ | ✓ | Partial [See more] |
✗ |
| Android versions: 10.0 or higher | ✗ | ✓ | ✓ | ✓ |
| Android versions: 5.0 to 8.1 and Android P | ✓ | ✓ | ✓ | ✗ |
| Android versions: 1.0 to 4.4.4 | ✓ | ✗ | ✗ | ✗ |
| iPhone OS versions: 13 or higher | ✗ | ✓ | ✓ | ✓ |
| iPhone OS versions: 5, 6, 7, 8, 9, 10, and 11 | ✓ | ✓ | ✓ | ✗ |
| iPhone OS versions: 1, 2, 3, and 4 | ✓ | ✗ | ✗ | ✗ |
| MobileIron Core versions 9.5 and higher | ✓ | ✓ | ✓ | ✗ |
| MobileIron Core versions 9.4 and below | ✓ | ✗ | ✗ | ✗ |
| MobileIron Cloud | ✓ | ✓ | ✓ | ✗ |
| Windows 10 Mobile versions: v1511, v1607, v1703, and v1709 | ✓ | ✓ | ✓ | ✗ |
| Windows Phone version 8.1 | ✓ | ✓ | ✓ | ✗ |
| Windows Phone versions: 7, 7.5, 7.8 and 8 | ✓ | ✗ | ✗ | ✗ |
Note 1: For desktop IE versions: 8, 9, and 10 are only compatible with TLS 1.1 and TLS 1.2 when running Windows 7 or newer, but it is disabled by default. To enable it, please check the guidelines found here for more information.
Note 2: For Firefox 23 to 26: use about:config to enable TLS 1.1 and TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2.
Note 3: For Google Chrome 22 to 37: TLS 1.1 and TLS 1.2 are compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile).
Note 4: For Android 4.4: it may be compatible with TLS 1.1 and TLS 1.2 but some devices with Android 4.4.x may not support TLS 1.1 or higher.
Note 5: For Windows 8: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here for more information.
Servers
|
|
TLS 1.1 | TLS 1.2 | TLS 1.3 | |
|---|---|---|---|---|
| Windows Server 2022 | ✗ | ✓ | ✓ | ✓ |
| Windows Server 2019 | ✗ | ✓ | ✓ | ✗ |
| Windows Server 2016 | ✓ | ✓ | ✓ | ✗ |
| Windows Server 2012 R2 | ✓ | ✓ | ✓ | ✗ |
| Windows Server 2012 | ✓ | Partial [See Note 7] |
Partial [See Note 7] |
✗ |
| Windows Server 2008 R2 | ✓ | ✓ | ✓ | ✗ |
| Windows Server 2008 SP 2 with windows update installed | ✓ | ✓ | ✓ | ✗ |
| Windows Server 2008 | ✓ | ✗ [See Note 6] |
✗ [See Note 6] |
✗ |
| Windows Server 2003 | ✓ | ✗ [See Note 6] |
✗ [See Note 6] |
✗ |
Libraries
|
|
TLS 1.1 | TLS 1.2 | TLS 1.3 | |
|---|---|---|---|---|
| .NET 4.6 and higher | ✓ | ✓ | ✓ | ✗ |
| .NET 4.5 to 4.5.2 | ✓ | Partial [See Note 8] |
Partial [See Note 8] |
✗ |
| .NET 4.0 | ✓ | ✓ | Partial [See Note 9] |
✗ |
| .NET 3.5 and below | ✓ | ✗ | ✗ | ✗ |
| OpenSSL versions: 1.1.1 or higher | ✗ | ✓ | ✓ | ✓ |
| OpenSSL versions: 1.0.1 and higher | ✓ | ✓ | ✓ | ✗ |
| OpenSSL versions: 1.0.0 and below | ✓ | ✗ | ✗ | ✗ |
| Mozilla - NSS versions: 3.15.1 and higher | ✓ | ✓ | ✓ | ✗ |
| Mozilla - NSS versions: 3.14 to 3.15 | ✓ | ✓ | ✗ | ✗ |
| Mozilla - NSS versions: 3.13.6 and below | ✓ | ✗ | ✗ | ✗ |
Note 6: A Server that does not support TLS 1.1 and TLS 1.2 that connects to another site as a Client can support TLS 1.1 and TLS 1.2 by enabling it through the Internet Options in IE. Browse to Tools > Internet Options > Advanced. Under the Security section, you would see the list of SSL Protocols supported by IE. Tick the necessary boxes. You can check the guidelines found here for more information.
Note 7: For Windows Server 2012: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here for more information.
Note 8: For .NET 4.5 to 4.5.2: TLS 1.1 and TLS 1.2 can be enabled by following either one of the two options indicated below: Option 1:.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:
System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;
Option 2:
To enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers.
Note 9: To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers.
Note 10: The update needed to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows is indicated in the guidelines found here.
We hope you found the information in this article useful, if you are unsure what protocols your server currently supports, you can use our free configuration checker here https://globalsign.ssllabs.com/ to quickly test your server and see which protocols are enabled.
References
1. PCI Data Security Standard
2. PCI Security Standards Council Revises Date For Migrating Off Vulnerable SSL and Early TLS Encryption
3. Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
4. Migrating from SSL and Early TLS
Related Articles
SSL Configuration Test
Check your certificate installation for SSL issues and vulnerabilities.