TLS 1.0 and 1.1 End of Life for Developers

Overview

Mozilla Firefox, Google Chrome, Microsoft Edge and Internet Explorer 11, and Apple Safari browsers are ending support for TLS 1.0 and 1.1 in March 2020.

PLEASE NOTE: On Mar. 23, CalNet ended support for TLS 1.0 and 1.1 protocols.

Email calnet-admin@berkeley.edu if you have questions.

What this means for developers

Developers may need to update their applications or libraries to support TLS 1.2. CalNet Services work best when accessed from these recommended browsers.

While CalNet does not support applications, we have provided some guidelines here:

ColdFusion Developers

Please see the section for Java developers as this is relevant to ColdFusion running on a JVM.

Java Developers

If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection, and your application runs in a JVM on a version of Java prior to 1.8, you need to change your application to support TLS 1.2 for communicating to these services.

If your application runs on Java 1.7 or Java 1.6 (update 111 or later), you can set the https.protocols system property when starting the JVM to enable additional protocols for connections made using the HttpsURLConnection class – for example, by setting -Dhttps.protocols=TLSv1.2.

If your application runs on Java 1.6 prior to update 111, or on an earlier version of Java, TLS 1.1 and 1.2 are not supported. Therefore, you need to update the version of Java your application runs on.

If you use another library for connections such as Apache HttpClient, you should consult the documentation to enable TLS 1.2.

mod_auth_cas Integrations 

If your application connects to CalNet Single Sign-on (auth.berkeley.edu) via a server-to-server connection, and your application uses Apache with mod_auth_cas, you need to ensure you are using the most recent version of mod_auth_cas and are using OpenSSL 1.0.1g or higher.

The latest mod_auth_cas is found here: https://github.com/apereo/mod_auth_cas

To check your OpenSSL version run the following command:

openssl version


If the version listed is less than 1.0.1g then upgrade using your operating system’s package manager.  If the version listed indicates LibreSSL then no action is necessary.

 

.Net Developers

If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection then, depending on your version of .Net and Windows, you may need to change your application to support TLS 1.2 for communicating to these services.

.Net Framework 4.6 and later

These versions support TLS 1.2 by default in most cases; however, please review this guide to ensure you are not using an older (or unpatched) Windows operating system that may change this behavior and to ensure you are following Microsoft’s guidelines: 

.Net Framework 3.5 - 4.5.2

It is recommended that you upgrade and re-target your application to .Net Framework 4.7. If you cannot, please follow the instructions provided by Microsoft:

Python Developers

If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection, and your application is written in a version of Python prior to 2.7 or 3.6, or is using OpenSSL libraries older than 1.0.1g, you need to change your application to support TLS 1.2 for communicating to these services.

To check your Python interpreter’s TLS version, install requests and run the command for your Python version:

Python 2:

python2 -m pip install --upgrade requests
python2 -c "import requests; print(requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version'])"


Python 3:

python3 -m pip install --upgrade requests
python3 -c "import requests; print(requests.get('https://www.howsmyssl.com/a/check', verify=False).json()['tls_version'])"

 

To check your OpenSSL version run the following command:

openssl version


If the version listed is less than 1.0.1g then upgrade using your operating system’s package manager.  If the version listed indicates LibreSSL then no action is necessary.

For comprehensive information please see: http://pyfound.blogspot.com/2017/01/time-to-upgrade-your-python-tls-v12.html

Ruby Developers

If your application connects to CalNet Single Sign-on (auth.berkeley.edu), Shibboleth (shib.berkeley.edu), CalGroups (calgroups.berkeley.edu), or LDAP (ldap.berkeley.edu) via a server-to-server connection, and your application is written in an outdated version of Ruby (prior to 2.4) or is using OpenSSL libraries older than 1.0.1g, you may need to change your application to support TLS 1.2 for communicating to these services.

To check your OpenSSL version run the following command:

openssl version


If the version listed is less than 1.0.1g then upgrade using your operating system’s package manager.  If the version listed indicates LibreSSL then no action is necessary.
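The same version rule (upgrade below 1.0.1g, no action for LibreSSL) appears in the mod_auth_cas, Python and Ruby sections. The shell function below is an added example, not part of the original CalNet page, that applies the rule to one line of openssl version output. The function name tls12_capable and its exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: applies the page's rule to one line of `openssl version` output.
# Exit status: 0 = no action needed, 1 = upgrade needed, 2 = unrecognized line.
tls12_capable() {
    line=$1
    name=${line%% *}            # first word: OpenSSL or LibreSSL
    rest=${line#* }
    ver=${rest%% *}             # second word, e.g. 1.0.2k-fips
    case $name in
        LibreSSL) return 0 ;;   # per the page, LibreSSL needs no action
        OpenSSL)  ;;
        *)        return 2 ;;
    esac
    ver=${ver%%-*}              # drop a build suffix such as -fips
    num=${ver%%[a-z]*}          # numeric part, e.g. 1.0.1
    letters=${ver#"$num"}       # patch letters, e.g. g (may be empty)
    old_ifs=$IFS; IFS=.
    set -- $num                 # split the numeric part on dots
    IFS=$old_ifs
    major=${1:-} minor=${2:-0} patch=${3:-0}
    for part in "$major" "$minor" "$patch"; do
        case $part in ''|*[!0-9]*) return 2 ;; esac
    done
    n=$((major * 10000 + minor * 100 + patch))
    [ "$n" -gt 10001 ] && return 0      # newer than the 1.0.1 series
    [ "$n" -lt 10001 ] && return 1      # older than the 1.0.1 series
    case $letters in
        [ghijklmnopqrstuvwxyz]*) return 0 ;;   # 1.0.1g or a later letter
        *) return 1 ;;                          # 1.0.1 through 1.0.1f
    esac
}

# Check the openssl binary on PATH, if one is installed.
if v=$(openssl version 2>/dev/null); then
    if tls12_capable "$v"; then
        echo "No action needed: $v"
    else
        echo "Upgrade needed or version not recognized: $v"
    fi
fi
```

The openssl binary on your PATH is not necessarily the library your runtime is linked against. Python's ssl.OPENSSL_VERSION and Ruby's OpenSSL::OPENSSL_LIBRARY_VERSION return a string in the same format, which can be passed to the function instead.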

You may also need to make sure your code is not explicitly requesting an older version of TLS.  For example, this code will use the unsupported version of TLS regardless of the OpenSSL version:

context = OpenSSL::SSL::SSLContext.new
context.ssl_version = :TLSv1_1

 

For more information see: https://docs.ruby-lang.org/en/2.7.0/OpenSSL.html#module-OpenSSL-label-SSL+and+TLS+Connections