Date: 04/07/2022
✅ Accepted
The current Cloud Platform Ingress Controllers support TLS 1.0, 1.1, and 1.2. This is because end users of services hosted on the platform have had to rely on unsupported browser versions. We have had to retain older TLS versions to support this ongoing dependency.
Since the original decision to support older TLS versions, a number of things have happened:
- TLS version 1.3 needs to be supported
- The user estate has undergone a number of end user device refreshes which have introduced modern browsers
- There is a recurring issue of legacy TLS versions being identified in Service Team ITHCs
- NCSC Guidance on legacy TLS versions
We are now offering users new Ingress Controllers that offer support for 1.2 and 1.3, and we need to plan how we will manage the older versions of TLS.
Remove support for TLS versions 1.0 and 1.1 on the new Ingress Controller.
Add support for TLS version 1.3.
There is a small risk that a user on the estate may be using an unsupported browser that uses a deprecated version of TLS. Following a number of end user device refresh projects, we believe that users have been moved to browsers that support modern TLS versions.
To mitigate this risk we will advise our users to move non-production workloads first, test that moving to the new ingress controller doesn't cause any issues, and then move production workloads.
Removing unsupported TLS versions will improve security on the platform.
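One way a service team could confirm, after moving a workload, that its hostname negotiates only TLS 1.2 and 1.3 is sketched below. This is an added example, not Cloud Platform code; the function names `probe`, `evaluate` and `check_ingress` are hypothetical, and the hostname is supplied by the caller.

```python
import socket
import ssl

# Policy from the decision above: 1.0 and 1.1 removed, 1.2 and 1.3 offered.
POLICY = {"TLSv1": False, "TLSv1_1": False, "TLSv1_2": True, "TLSv1_3": True}

def probe(host, port, version, timeout=5.0):
    """Handshake pinned to one TLS version. Returns accepted, rejected,
    untestable (local OpenSSL cannot offer it) or unreachable (no TCP)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: the certificate
    ctx.verify_mode = ssl.CERT_NONE  # is not what is being judged here
    try:
        # Security level 0 lets the client offer TLS 1.0/1.1. Without it a
        # local refusal would be mistaken for the server rejecting them.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        ctx.minimum_version = ssl.TLSVersion[version]
        ctx.maximum_version = ssl.TLSVersion[version]
    except (ValueError, ssl.SSLError):
        return "untestable"
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "accepted" if tls.version() else "rejected"
    except OSError:                  # TLS alert, reset or handshake timeout
        return "rejected"
    finally:
        sock.close()

def evaluate(results, policy=POLICY):
    """Compare probe results with the policy and return a list of findings."""
    findings = []
    for version, allowed in policy.items():
        status = results.get(version, "untestable")
        if status in ("untestable", "unreachable"):
            # Never report a pass for a version that could not be tested.
            findings.append(f"{version}: inconclusive ({status})")
        elif (status == "accepted") != allowed:
            want = "accepted" if allowed else "rejected"
            findings.append(f"{version}: {status}, policy expects {want}")
    return findings

def check_ingress(host, port=443):
    """Probe every version in POLICY; an empty list means the host complies."""
    return evaluate({v: probe(host, port, v) for v in POLICY})
```

An "inconclusive" finding means the machine running the check cannot offer that version itself, so the result should be repeated from a client that can.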