Preparing for TLS 1.2 Migration in Office 365

Recently, Microsoft announced a significant update: “We’re retiring 3DES (Triple Data Encryption Standard) in Office 365”.

3DES cipher is mostly used for TLS/SSL to encrypt HTTPS and SSH traffic. Since 2016, it has been marked as vulnerable due to SWEET32 attack (Attackers recovered small portions of plaintext when encrypted with 3DES) and planned complete usage deprecation before 2023. To provide security to data, Microsoft made changes in TLS service.

Before moving into how to plan for 3DES removal, let’s see about TLS and how 3DES removal impacts TLS.

What is TLS?

Transport Layer Security (TLS) is a cryptographic protocol that provides secure communication over a network. For ex, Websites uses TLS to secure all communications between their servers and browsers/clients. There are currently four versions of TLS protocol in use today: TLS 1.0,1.1,1.2 and 1.3

Why Office 365 moving to TLS 1.2?

Microsoft is planning to move all of its online services to TLS 1.2 or a later version to provide best-in-class encryption to its customers.  As of February 28, 2019, Microsoft will begin retiring 3DES. As a result, if your connections are currently using a 3DES cipher suite, they will fail when 3DES cipher suites are disabled. TLS versions 1.0 and 1.1 include cipher suites based on the 3DES algorithm. So,  all client-server and browser-server combinations must use TLS 1.2 or 1.2+ to maintain a connection to Office 365 services.

How does this affect me?

Office 365 stopped support for TLS 1.0 and 1.1. Hence Microsoft will not fix new issues that are found when connecting Office 365 by using TLS 1.0/1.1. To ensure uninterrupted access to the Office 365  services, you need to update TLS to 1.2 or later version.

How many users I have to migrate?

To ease your work, Microsoft has provided a new report to track users, devices or applications that use TLS 1.0/1.1 or 3DES. You need to be a tenant administrator to generate a TLS deprecation report. The report gives the following information

  • Usernames/IP addresses of the users/devices connecting to Exchange using TLS 1.0/1.1 or 3DES
  • Protocol/cipher used for the connection – this will either be TLS 1.0/1.1 or 3DES
  • The user agent string that is being used for this connection – this gives information about the type of device used for the connection

To download TLS deprecation report directly, you can use this Microsoft’s quick link: https://servicetrust.microsoft.com/AdminPage/TlsDeprecationReport/Download.

Alternatively, to download the TLS deprecation report through Microsoft secure score portal, follow the below steps.

Step1: Login to Microsoft’s secure score: https://securescore.office.com and click on “Score Analyzer”.

TLS_Microsoft_Secure_Score_Analyzer

Step2: Scroll down to ‘All Actions’ . Search for “Remove TLS 1.0/1.1 and 3DES Dependencies” in Completed actions/Incomplete Actions. If you scored 5/5, You have already moved to TLS 1.2. Else, you need to plan for a migration.

Remove_TLS1.0_1.1_3DES_Dependencies

Step3: Click on the ‘Learn more’ button to get details on who is connecting using TLS 1.0/1.1 or 3DES. It will launch a flyout where you can click on ‘Launch now’.

 

Remove_TLS1.0 1.1_3DES_Dependencies

Step4: ‘Launch Now’ will take you to the Secure Trust Portal (http://servicetrust.microsoft.com). Login and then click ‘Download’ to get TLS-Deprecation-Report.csv. Or you can use quick link to download TLS deprecation report

Microsoft Service Trust Portal Login

TLS deprecation report

Step5:  If you have users or devices listed under TLS1.0/1.1, start planning for an upgrade.

TLS 1.0 1.1 and 3DES Usage Report

The report is refreshed daily. If you have made any changes and updated any clients/devices, you would need to wait for 24hrs to see this change in the reports.

If you are reading this blog because you are planning to migrate TLS 1.2, chances are you already read and executed the Microsoft guidance to make your connection guarded. If so, please share your experience/difficulties during TLS 1.2 migration in the comment section to assist other admins.

Note:

  • Office 365 will not retire TLS 1.0/1.1 on February 28,2019, even though the report contains data about TLS 1.0/1.1 and 3DES connection. Issue will occur when you try to connect O365 services using 3DES from this date onwards. TLS 1.0/1.1 connection without the 3DES will not be affected but Office 365 stopped support for TLS 1.0/1.1.
  • If you use TLS 1.2 in Office 365, this doesn’t mean that you must disable TLS 1.0 and 1.1 in your environment. If parts of your environment require TLS 1.0/1.1, you can leave the older protocol versions enabled.
  • To know detail about which versions of TLS supported on Windows, refer: https://blogs.msdn.microsoft.com/kaushal/2011/10/02/support-for-ssltls-protocols-on-windows/
  • To know detail about which versions of TLS supported on browsers, refer: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers