Dec 6, 2022

TLS Protocol Compatibility

Introduction

This article focuses specifically on TLS v1.0, v1.1, v1.2, & v1.3 and their compatibility with various software platforms and operating systems, both client and server side, if you would like to know more about what these protocols are & what purpose they serve, please feel free to read on our blog post here. 
Note: Please note that certificates are not dependent on the protocols you have enabled or disabled, the protocols are determined by your server configuration and not by the certificates and will likely be managed by your server administrator or the appropriate IT staff within your organization. If you would like some further guidance on how you can go about disabling deprecated SSL/TLS protocols, please check our related article. 

Timeline

June 21, 2018	Deprecation of TLS 1.0 and 1.1 by GlobalSign
June 30, 2018	PCI DSS deadline for deprecating TLS 1.0

Compatibility Tables

INDEX: 

1. Browsers
2. Desktop Clients
3. Mobile Clients
4. Servers
5. Libraries

Browsers

	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3
Mobile IE version 10 and below	✓	✗	✗	✗
Desktop IE versions 7 and below	✓	✗	✗	✗
Desktop IE versions: 8, 9, and 10	✓	Partial [See Note 1]	Partial [See Note 1]	✗
Desktop and mobile IE version 11	✓	✓	✓	✗
Microsoft Edge	✓	✓	✓	✗
Mozilla Firefox 22 and below	✓	✗	✗	✗
Mozilla Firefox 23 to 26	✓	Partial [See Note 2]	Partial [See Note 2]	✗
Mozilla Firefox 27 and higher	✓	✓	✓	✗
Google Chrome 21 and below	✓	✗	✗	✗
Google Chrome 22 to 37	✓	Partial [See Note 3]	Partial [See Note 3]	✗
Google Chrome 38 and higher	✓	✓	✓	✗
Android 4.3 (Jelly Bean) and below	✓	✗	✗	✗
Android 4.4 (Kitkat) to 4.4.4	✓	Partial (See Note 4)	Partial (See Note 4)	✗
Android 5.0 (Lollipop) and higher	✓	✓	✓	✗
Mobile Safari for iOS 4 and below	✓	✗	✗	✗
Mobile Safari versions 5 and higher for iOS 5 and higher	✓	✓	✓	✗
Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below	✓	✗	✗	✗
Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher	✓	✓	✓	✗
Desktop Clients
	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3
Windows XP	✓	✗	✗	✗
Windows XP SP3	✓	✓	✗	✗
Windows Vista	✓	✗	✗	✗
Windows 7 SP1	✓	✓	✓	✗
Windows 8	✓	Partial [See Note 5]	Partial [See Note 5]	✗
Windows 8.1	✓	✓	✓	✗
Windows 10	✓	✓	✓	✗
MAC OS X 10.2 and 10.3	✓	✗	✗	✗
MAC OS X 10.4 and 10.5	✓	✗	✗	✗
MAC OS X 10.6 and 10.7	✓	✗	✗	✗
MAC OS X 10.8	✓	✗	✗	✗
MAC OS X 10.9	✓	✓	✓	✗
MAC OS X 10.10	✓	✓	✓	✗
MAC OS X 10.11	✓	✓	✓	✗
MAC OS X 10.12	✓	✓	✓	✗
MAC OS X 10.13	✓	✓	✓	✗
Linux	✓	✗	✗	✗
Mobile Clients
	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3
Airwatch	✓	✓	Partial [See more]	✗
Android versions: 1.0 to 4.4.4	✓	✗	✗	✗
Android versions: 5.0 to 8.1 and Android P	✓	✓	✓	✗
iPhone OS versions: 1, 2, 3, and 4	✓	✗	✗	✗
iPhone OS versions: 5, 6, 7, 8, 9, 10, and 11	✓	✓	✓	✗
MobileIron Core versions 9.4 and below	✓	✗	✗	✗
MobileIron Core versions 9.5 and higher	✓	✓	✓	✗
MobileIron Cloud	✓	✓	✓	✗
Windows Phone versions: 7, 7.5, 7.8 and 8	✓	✗	✗	✗
Windows Phone version 8.1	✓	✓	✓	✗
Windows 10 Mobile versions: v1511, v1607, v1703, and v1709	✓	✓	✓	✗

Note 1: For desktop IE versions: 8, 9, and 10 are only compatible with TLS 1.1 and TLS 1.2 when running Windows 7 or newer, but it is disabled by default. To enable it, please check the guidelines found here for more information. 

Note 2: For Firefox 23 to 26: use about:config to enable TLS 1.1 and TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2. 

Note 3: For Google Chrome 22 to 37: TLS 1.1 and TLS 1.2 are compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile). 

Note 4: For Android 4.4: it may be compatible with TLS 1.1 and TLS 1.2 but some devices with Android 4.4.x may not support TLS 1.1 or higher.

Note 5: For Windows 8: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here for more information.

Servers

	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3
Windows Server 2003	✓	✗ [See Note 6]	✗ [See Note 6]	✗
Windows Server 2008	✓	✗ [See Note 6]	✗ [See Note 6]	✗
Windows Server 2008 SP 2 with windows update installed	✓	✓	✓	✗
Windows Server 2008 R2	✓	✓	✓	✗
Windows Server 2012	✓	Partial [See Note 7]	Partial [See Note 7]	✗
Windows Server 2012 R2	✓	✓	✓	✗
Windows Server 2016	✓	✓	✓	✗

 

Libraries

	TLS 1.0	TLS 1.1	TLS 1.2	TLS 1.3
.NET 4.6 and higher	✓	✓	✓	✗
.NET 4.5 to 4.5.2	✓	Partial [See Note 8]	Partial [See Note 8]	✗
.NET 4.0	✓	✓	Partial [See Note 9]	✗
.NET 3.5 and below	✓	✗	✗	✗
OpenSSL versions: 1.0.0 and below	✓	✗	✗	✗
OpenSSL versions: 1.0.1 and higher	✓	✓	✓	✗
Mozilla - NSS versions: 3.13.6 and below	✓	✗	✗	✗
Mozilla - NSS versions: 3.14 to 3.15	✓	✓	✗	✗
Mozilla - NSS versions: 3.15.1 and higher	✓	✓	✓	✗

 Note 6: A Server that does not support TLS 1.1 and TLS 1.2 that connects to another site as a Client can support TLS 1.1 and TLS 1.2 by enabling it through the Internet Options in IE. Browse to Tools > Internet Options > Advanced. Under the Security section, you would see the list of SSL Protocols supported by IE. Tick the necessary boxes. You can check the guidelines found here for more information. 

Note 7: For Windows Server 2012: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here for more information.
 

Note 8: For .NET 4.5 to 4.5.2: TLS 1.1 and TLS 1.2 can be enabled by following either one of the two options indicated below: Option 1:.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

Option 2:
To enable TLS 1.2 by default without modifying the source code by setting the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers. 

Note 9: To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. 

Note 10: The update needed to enable TLS 1.1 and TLS 1.2 as a default secure protocols in WinHTTP in Windows is indicated in the guidelines found here. 

We hope you found the information in this article useful, if you are unsure what protocols your server currently supports, you can use our free configuration checker here https://globalsign.ssllabs.com/ to quickly test your server and see which protocols are enabled. 

References

1. PCI Data Security Standard
2. PCI Security Standards Council Revises Date For Migrating Off Vulnerable SSL and Early TLS Encryption
3. Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
4. Migrating from SSL and Early TLS