TLS Protocol Compatibility

Introduction

This article covers TLS v1.0, v1.1, v1.2, and v1.3 and their compatibility with various software platforms and operating systems, on both the client and the server side. If you would like to know more about what these protocols are and what purpose they serve, please read our blog post here.
Note: Certificates do not depend on the protocols you have enabled or disabled. The protocols are determined by your server configuration, not by the certificates, and will likely be managed by your server administrator or the appropriate IT staff within your organization. For further guidance on disabling deprecated SSL/TLS protocols, please check our related article.

Timeline

June 21, 2018 Deprecation of TLS 1.0 and 1.1 by GlobalSign
June 30, 2018 PCI DSS deadline for deprecating TLS 1.0

Compatibility Tables

INDEX: 

  1. Browsers
  2. Desktop Clients
  3. Mobile Clients
  4. Servers
  5. Libraries

Browsers

 
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
Mobile IE version 10 and below
Desktop IE versions 7 and below
Desktop IE versions: 8, 9, and 10 Partial
[See Note 1]
Partial
[See Note 1]
Desktop and mobile IE version 11
Microsoft Edge
Mozilla Firefox 22 and below
Mozilla Firefox 23 to 26 Partial
[See Note 2]
Partial
[See Note 2]
Mozilla Firefox 27 and higher
Google Chrome 21 and below
Google Chrome 22 to 37 Partial
[See Note 3]
Partial
[See Note 3]
Google Chrome 38 and higher
Android 4.3 (Jelly Bean) and below
Android 4.4 (Kitkat) to 4.4.4 Partial
(See Note 4)
Partial
(See Note 4)
Android 5.0 (Lollipop) and higher
Mobile Safari for iOS 4 and below
Mobile Safari versions 5 and higher for iOS 5 and higher
Desktop Safari versions 6 and below for OS X 10.8 (Mountain Lion) and below
Desktop Safari versions 7 and higher for OS X 10.9 (Mavericks) and higher

 

Desktop Clients

     
 
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
Windows XP
Windows XP SP3
Windows Vista
Windows 7 SP1
Windows 8 Partial
[See Note 5]
Partial
[See Note 5]
Windows 8.1
Windows 10
MAC OS X 10.2 and 10.3
MAC OS X 10.4 and 10.5
MAC OS X 10.6 and 10.7
MAC OS X 10.8
MAC OS X 10.9
MAC OS X 10.10
MAC OS X 10.11
MAC OS X 10.12
MAC OS X 10.13
Linux

 

Mobile Clients

       
 
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
Airwatch Partial
[See more]
Android versions: 1.0 to 4.4.4
Android versions: 5.0 to 8.1 and Android P
iPhone OS versions: 1, 2, 3, and 4
iPhone OS versions: 5, 6, 7, 8, 9, 10, and 11
MobileIron Core versions 9.4 and below
MobileIron Core versions 9.5 and higher
MobileIron Cloud
Windows Phone versions: 7, 7.5, 7.8 and 8
Windows Phone version 8.1
Windows 10 Mobile versions: v1511, v1607, v1703, and v1709



Note 1: Desktop IE versions 8, 9, and 10 are compatible with TLS 1.1 and TLS 1.2 only when running on Windows 7 or newer, and these protocols are disabled by default. To enable them, please check the guidelines found here for more information.

Note 2: For Firefox 23 to 26: use about:config to enable TLS 1.1 and TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2. 

Note 3: For Google Chrome 22 to 37: TLS 1.1 and TLS 1.2 are compatible when running on Windows XP SP3, Vista, or newer (desktop), OS X 10.6 (Snow Leopard) or newer (desktop), or Android 2.3 (Gingerbread) or newer (mobile). 

Note 4: For Android 4.4: it may be compatible with TLS 1.1 and TLS 1.2 but some devices with Android 4.4.x may not support TLS 1.1 or higher.

Note 5: For Windows 8: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here.

Servers

 
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
Windows Server 2003
[See Note 6]

[See Note 6]
Windows Server 2008
[See Note 6]

[See Note 6]
Windows Server 2008 SP 2 with windows update installed
Windows Server 2008 R2
Windows Server 2012 Partial
[See Note 7]
Partial
[See Note 7]
Windows Server 2012 R2
Windows Server 2016


 

Libraries

 
TLS 1.0 TLS 1.1 TLS 1.2 TLS 1.3
.NET 4.6 and higher
.NET 4.5 to 4.5.2 Partial
[See Note 8]
Partial
[See Note 8]
.NET 4.0 Partial
[See Note 9]
.NET 3.5 and below
OpenSSL versions: 1.0.0 and below
OpenSSL versions: 1.0.1 and higher
Mozilla - NSS versions: 3.13.6 and below
Mozilla - NSS versions: 3.14 to 3.15
Mozilla - NSS versions: 3.15.1 and higher

Note 6: A server that does not support TLS 1.1 and TLS 1.2 but connects to another site as a client can support TLS 1.1 and TLS 1.2 by enabling them through the Internet Options in IE. Browse to Tools > Internet Options > Advanced. Under the Security section, you will see the list of SSL protocols supported by IE. Tick the necessary boxes. You can check the guidelines found here for more information.

Note 7: For Windows Server 2012: TLS 1.1 and TLS 1.2 can be enabled by following the guidelines found here.

Note 8: For .NET 4.5 to 4.5.2: TLS 1.1 and TLS 1.2 can be enabled by following either one of the two options indicated below.

Option 1:
.NET applications may directly enable TLS 1.1 and TLS 1.2 in their software code by setting System.Net.ServicePointManager.SecurityProtocol to enable SecurityProtocolType.Tls12 and SecurityProtocolType.Tls11. The following C# code is an example:

// Allow TLS 1.2 and TLS 1.1 (and still TLS 1.0) for outgoing connections made by this application.
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12 | System.Net.SecurityProtocolType.Tls11 | System.Net.SecurityProtocolType.Tls;

Option 2:
To enable TLS 1.2 by default without modifying the source code, set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Although the version number in those registry keys is 4.0.30319, the .NET 4.5, 4.5.1, and 4.5.2 frameworks also use these values. Those registry keys, however, will enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. It is thus advisable to test this change before deploying it to your production servers.

Note 9: To enable TLS 1.2 by default, it is possible to install .NET Framework 4.5, or a newer version, and set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". Those registry keys, however, may enable TLS 1.2 by default in all installed .NET 4.0, 4.5, 4.5.1, and 4.5.2 applications on that system. We recommend testing this change before deploying it to your production servers. 
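
The registry change described in Note 8 (Option 2) and Note 9, as an added PowerShell example that is not part of the original article: it reports the current SchUseStrongCrypto value in both keys and, only when run from an elevated prompt with the -Apply switch, creates missing keys and sets the value to 1. The -Apply switch is an assumption of this example script, not a Windows or .NET setting.

```powershell
# Added example: audit and optionally set SchUseStrongCrypto in the two
# registry keys named in Notes 8 and 9. Supports -WhatIf to preview changes.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Switch defined by this example only: without it the script just reports.
    [switch]$Apply
)

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$name = 'SchUseStrongCrypto'

foreach ($key in $keys) {
    # Read the current value; stays $null if the key or the value is missing.
    $current = $null
    if (Test-Path -Path $key) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    }
    $state = if ($null -eq $current) { 'not set' } else { $current }
    Write-Output ("{0}: {1} = {2}" -f $key, $name, $state)

    if ($Apply -and $current -ne 1) {
        # Create the key first if it does not exist, as the notes instruct.
        if (-not (Test-Path -Path $key)) {
            if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
                New-Item -Path $key -Force | Out-Null
            }
        }
        # Write the DWORD value 1; -Force overwrites an existing value.
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD value to 1')) {
            New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}
```

Running it without -Apply on each server first gives an inventory of which systems already have the value set, which helps scope the testing the notes recommend before production rollout.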

Note 10: The update needed to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows is indicated in the guidelines found here.

We hope you found the information in this article useful. If you are unsure which protocols your server currently supports, you can use our free configuration checker at https://globalsign.ssllabs.com/ to quickly test your server and see which protocols are enabled.
