TLS 1.0 and 1.1 retirement


Update - TLS 1.0/1.1 retirement in Edge Public Cloud SSO authentication

July 3, 2018

If you are currently engaged with our support team, please ignore this update.

Apigee is announcing the deprecation of support for TLS versions 1.0 and 1.1 for both the cloud authentication process and for Security Assertion Markup Language (SAML) metadata updates. Starting on July 18th, 2018, TLS 1.2 will be required for authentication and connections to Edge Public Cloud Single Sign-on (SSO) and SAML metadata refresh.

What should you do for uninterrupted logins?

  • Verify your customers use TLS 1.2-compatible versions of their browsers.
  • Verify your SAML Identity Provider (IdP) configuration (including metadata updates) supports using TLS 1.2.
  • Verify the software (such as automation tooling) connecting to the Apigee Edge Public Cloud SSO service supports TLS 1.2.

If you have any questions, please contact Support. We apologize for any inconvenience this may cause and appreciate your support.

Update - deadline extension

June 15, 2018

If you are currently engaged with our support team, please ignore this update.

We have extended the deadline for retirement of TLS 1.0 and 1.1 in the Edge Public Cloud:

  • PCI Customers: June 29, 2018
  • Non-PCI Customers: July 31, 2018

If you have any questions or cannot meet this deadline, please contact Support via your existing TLS support case or open a new case. We apologize for any inconvenience this may cause and appreciate your support.


May 22, 2018

Apigee is announcing the deprecation of support for TLS 1.0 and TLS 1.1 for all HTTPS connections to Apigee Edge public cloud including those made to customer API proxies. Starting on June 18th, 2018, both TLS 1.0 and TLS 1.1 will be disabled, and TLS 1.2 will be required.

Why are we making these changes?

The security community no longer considers connections that use TLS 1.0 or TLS 1.1 to be secure.

What actions do I need to take?

Review your API client (i.e. API consumer application) configurations to determine what TLS versions are being used and take the necessary actions to migrate the client configurations to support TLS 1.2. Apigee will send an email to users in the orgadmin role listing virtual hosts that are still receiving API calls from clients that are using these deprecated protocols. However, customers are responsible for identifying and ensuring all their client configurations migrate to only use TLS 1.2 before June 18th, 2018.
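One way to check a Python-based API client or automation tool offline, covering both the client review described here and the tooling check in the SSO update (an added example, not Apigee's code): capture the ClientHello its `ssl` context would send and read which protocol versions it offers. The host name `sso.example.invalid` and the function names are placeholders chosen for this example.

```python
import ssl

TLS12 = 0x0303  # wire encoding of TLS 1.2 (TLS 1.1 = 0x0302, TLS 1.0 = 0x0301)

def client_hello(ctx):
    """Return the ClientHello record that `ctx` would send, without any network I/O."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # Placeholder host name (assumption); nothing is resolved or contacted.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="sso.example.invalid")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server attached, the hello is waiting in `outgoing`
    return outgoing.read()

def offered_versions(hello):
    """Versions offered by a ClientHello: the supported_versions list if present,
    otherwise only legacy_version, which is the client's maximum."""
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    u16 = lambda i: int.from_bytes(hello[i:i + 2], "big")
    legacy = u16(9)                 # after 5-byte record and 4-byte handshake headers
    pos = 11 + 32                   # skip the 32-byte random
    pos += 1 + hello[pos]           # session_id
    pos += 2 + u16(pos)             # cipher_suites
    pos += 1 + hello[pos]           # compression_methods
    end = pos + 2 + u16(pos)        # end of the extensions block
    pos += 2
    while pos + 4 <= min(end, len(hello)):
        ext_type, ext_len = u16(pos), u16(pos + 2)
        if ext_type == 43:          # supported_versions: 1-byte length, 2-byte entries
            body = hello[pos + 4:pos + 4 + ext_len]
            return {int.from_bytes(body[i:i + 2], "big") for i in range(1, 1 + body[0], 2)}
        pos += 4 + ext_len
    return {legacy}

def offers_tls12(ctx):
    """True if a client built from `ctx` can negotiate TLS 1.2."""
    return TLS12 in offered_versions(client_hello(ctx))

if __name__ == "__main__":
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse TLS 1.0/1.1 on the client too
    versions = sorted(hex(v) for v in offered_versions(client_hello(ctx)))
    print(ssl.OPENSSL_VERSION, "offers", versions, "TLS 1.2 ok:", offers_tls12(ctx))
```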

What will happen if I don't take the necessary actions?

Any calls made to API proxies hosted on the Apigee Edge public cloud and calls made to Apigee Edge public cloud management APIs using TLS 1.0 and TLS 1.1 will fail.

After June 18, 2018, will Apigee support only TLS 1.2?

Yes. Starting on June 18th, 2018, both TLS 1.0 and TLS 1.1 will be disabled, and TLS 1.2 will be required.

If customers are using a TLS version less than 1.2, will their API calls fail after June 18, 2018?

Yes. Any calls made to API proxies hosted on the Apigee Edge public cloud and calls made to Apigee Edge public cloud management APIs using TLS 1.0 and TLS 1.1 will fail.

When is the exact date that Apigee is going to effect this change?

On June 18th, 2018, we will enforce this change.

If we are not ready by mid-June, is there any possibility of postponing this change?

No. Unfortunately, this is a security requirement that applies across our multi-tenant platform, and we are unable to make exceptions.

Is there a way that we can identify our calls that use TLS version 1.0 or 1.1?

Apigee will send an email to users in the orgadmin role listing virtual hosts that are still receiving API calls from clients that use these deprecated protocols. However, customers are responsible for identifying and ensuring that all their client configurations use only TLS 1.2 before June 18th, 2018.

What about plain HTTP connections?

API proxies that require HTTP connections will continue to work as is. If you are using HTTPS, you will be required to use TLS 1.2.

Who do I contact if I need more info or help?

If you have any questions or need assistance, please open a Support case. We apologize for any inconvenience this may cause, but appreciate your support.