Merge pull request #248533 from shpathak-msft/tls-retirement

American-Dipper · web-flow · commit 7762135960c0 · 2023-09-12T19:46:11.000-07:00
Tls retirement
diff --git a/articles/azure-cache-for-redis/cache-remove-tls-10-11.md b/articles/azure-cache-for-redis/cache-remove-tls-10-11.md
@@ -4,52 +4,49 @@ description: Learn how to remove TLS 1.0 and 1.1 from your application when comm
 author: flang-msft
 ms.service: cache
 ms.topic: conceptual
-ms.date: 07/13/2023
+ms.date: 09/12/2023
 ms.author: franlanglois
 ms.devlang: csharp, golang, java, javascript, php, python
 
 ---
 
 # Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
 
-There's an industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses. They also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This [TLS security blog](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/) explains some of these vulnerabilities in more detail.
+To meet the industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later, Azure Cache for Redis is moving toward requiring the use of the TLS 1.2 in October, 2024. TLS versions 1.0 and 1.1 are known to be susceptible to attacks such as BEAST and POODLE, and to have other Common Vulnerabilities and Exposures (CVE) weaknesses.
 
-As a part of this effort, we'll be making the following changes to Azure Cache for Redis:
+TLS versions 1.0 and 1.1 also don't support the modern encryption methods and cipher suites recommended by Payment Card Industry (PCI) compliance standards. This [TLS security blog](https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/) explains some of these vulnerabilities in more detail.
 
-* **Phase 1:** We'll configure the default minimum TLS version to be 1.2 for newly created cache instances (previously, it was TLS 1.0). Existing cache instances won't be updated at this point. You can still use the Azure portal or other management APIs to [change the minimum TLS version](cache-configure.md#access-ports) to 1.0 or 1.1 for backward compatibility.
-* **Phase 2:** We'll stop supporting TLS 1.1 and TLS 1.0. After this change, your application must use TLS 1.2 or later to communicate with your cache. The Azure Cache for Redis service is expected to be available while we migrate it to support only TLS 1.2 or later.
+> [!IMPORTANT]
+> On October 1, 2024, the TLS 1.2 requirement will be enforced.
+>
+>
+
+As a part of this effort, you can expect the following changes to Azure Cache for Redis:
+
+- _Phase 1_: Azure Cache for Redis changes the default minimum TLS version to TLS 1.2 for newly created cache instances. Previously, it was TLS 1.0. Existing cache instances won't be updated at this point. You can still use the Azure portal or other management APIs to [change the minimum TLS version](cache-configure.md#access-ports) to 1.0 or 1.1 for backward compatibility.
+- _Phase 2_: Azure Cache for Redis stops supporting TLS 1.1 and TLS 1.0 starting August 1,2024. After this change, your application must use TLS 1.2 or later to communicate with your cache. The Azure Cache for Redis service is expected to be available while it is migrated to support only TLS 1.2 or later. Read further sections to know how to determine if your applications are affected.
 
-  > [!WARNING]
-  > Phase 2 is postponed because of COVID-19. We strongly recommend that you begin planning for this change now and proactively update clients to support TLS 1.2 or later.
-  > 
+| Date    | Description |
+|-------- |-------------|
+| September 2023 | TLS 1.0/1.1 retirement announcement |
+| March 1, 2024 | Beginning March 1, 2024, you will not be able to set the Minimum TLS version for any cache to 1.0 or 1.1. 
+| September 30, 2024 | Ensure that all your applications are connecting to Azure Cache for Redis using TLS 1.2 and Minimum TLS version on your cache settings is set to 1.2
+| October 1, 2024 | Minimum TLS version for all cache instances is updated to 1.2. This means Azure Cache for Redis instances will reject connections using TLS 1.0 or 1.1.
   
   > [!IMPORTANT]
-  > The content in this article does not apply to Azure Cache for Redis Enterprise/Enterprise Flash as the Enterprise tiers support TLS 1.2 only.
+  > The content in this article does not apply to Azure Cache for Redis Enterprise/Enterprise Flash because the Enterprise tiers only support TLS 1.2.
   >
 
-As part of this change, we'll also remove support for older cypher suites that aren't secure. Our supported cypher suites are restricted to the following suites when the cache is configured with a minimum of TLS 1.2:
+As part of this change, Azure Cache for Redis removes support for older cipher suites that aren't secure. Supported cipher suites are restricted to the following suites when the cache is configured with a minimum of TLS 1.2:
 
-* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
-* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
 
-This article provides general guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.
-
-The dates when these changes take effect are:
-
-| Cloud                | Phase 1 Start Date | Phase 2 Start Date         |
-|----------------------|--------------------|----------------------------|
-| Azure (global)       |  January 13, 2020  | Postponed because of COVID-19  |
-| Azure Government     |  March 13, 2020    | Postponed because of COVID-19  |
-| Azure Germany        |  March 13, 2020    | Postponed because of COVID-19  |
-| Microsoft Azure operated by 21Vianet |  March 13, 2020    | Postponed because of COVID-19  |
-
-> [!NOTE]
-> Phase 2 is postponed because of COVID-19. This article will be updated when specific dates are set.
->
+The following sections provide guidance about how to detect dependencies on these earlier TLS versions and remove them from your application.
 
 ## Check whether your application is already compliant
 
-You can find out whether your application works with TLS 1.2 by setting the **Minimum TLS version** value to TLS 1.2 on a test or staging cache, then running tests. The **Minimum TLS version** setting is in the [Advanced settings](cache-configure.md#advanced-settings) of your cache instance in the Azure portal.  If the application continues to function as expected after this change, it's probably compliant. You might need to configure the Redis client library used by your application to enable TLS 1.2 to connect to Azure Cache for Redis.
+You can find out whether your application works with TLS 1.2 by setting the **Minimum TLS version** value to TLS 1.2 on a test or staging cache, then running tests. The **Minimum TLS version** setting is in the [Advanced settings](cache-configure.md#advanced-settings) of your cache instance in the Azure portal.  If the application continues to function as expected after this change, it's probably compliant. You also need to configure the Redis client library used by your application to enable TLS 1.2 to connect to Azure Cache for Redis.
 
 ## Configure your application to use TLS 1.2
 
@@ -59,25 +56,24 @@ Most applications use Redis client libraries to handle communication with their
 
 Redis .NET clients use the earliest TLS version by default on .NET Framework 4.5.2 or earlier, and use the latest TLS version on .NET Framework 4.6 or later. If you're using an older version of .NET Framework, enable TLS 1.2 manually:
 
-* **StackExchange.Redis:** Set `ssl=true` and `sslProtocols=tls12` in the connection string.
-* **ServiceStack.Redis:** Follow the [ServiceStack.Redis](https://github.com/ServiceStack/ServiceStack.Redis#servicestackredis-ssl-support) instructions and requires ServiceStack.Redis v5.6 at a minimum.
+- _StackExchange.Redis_: Set `ssl=true` and `sslProtocols=tls12` in the connection string.
+- _ServiceStack.Redis_: Follow the [ServiceStack.Redis](https://github.com/ServiceStack/ServiceStack.Redis#servicestackredis-ssl-support) instructions and requires ServiceStack.Redis v5.6 at a minimum.
 
 ### .NET Core
 
-Redis .NET Core clients default to the OS default TLS version, which depends on the OS itself. 
+Redis .NET Core clients default to the OS default TLS version, which depends on the OS itself.
 
 Depending on the OS version and any patches that have been applied, the effective default TLS version can vary. For more information, see [here](/dotnet/framework/network-programming/#support-for-tls-12).
 
 However, if you're using an old OS or just want to be sure, we recommend configuring the preferred TLS version manually through the client.
 
-
 ### Java
 
 Redis Java clients use TLS 1.0 on Java version 6 or earlier. Jedis, Lettuce, and Redisson can't connect to Azure Cache for Redis if TLS 1.0 is disabled on the cache. Upgrade your Java framework to use new TLS versions.
 
 For Java 7, Redis clients don't use TLS 1.2 by default but can be configured for it. Jedis allows you to specify the underlying TLS settings with the following code snippet:
 
-``` Java
+```java
 SSLSocketFactory sslSocketFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
 SSLParameters sslParameters = new SSLParameters();
 sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
@@ -91,7 +87,7 @@ shardInfo.setPassword("cachePassword");
 Jedis jedis = new Jedis(shardInfo);
 ```
 
-The Lettuce and Redisson clients don't yet support specifying the TLS version. They'll break if the cache accepts only TLS 1.2 connections. Fixes for these clients are being reviewed, so check with those packages for an updated version with this support.
+The Lettuce and Redisson clients don't yet support specifying the TLS version. They break if the cache accepts only TLS 1.2 connections. Fixes for these clients are being reviewed, so check with those packages for an updated version with this support.
 
 In Java 8, TLS 1.2 is used by default and shouldn't require updates to your client configuration in most cases. To be safe, test your application.
 
@@ -102,10 +98,10 @@ Node Redis and IORedis use TLS 1.2 by default.
 ### PHP
 
 #### Predis
- 
-* Versions earlier than PHP 7: Predis supports only TLS 1.0. These versions don't work with TLS 1.2; you must upgrade to use TLS 1.2.
- 
-* PHP 7.0 to PHP 7.2.1: Predis uses only TLS 1.0 or 1.1 by default. You can use the following workaround to use TLS 1.2. Specify TLS 1.2 when you create the client instance:
+
+- Versions earlier than PHP 7: Predis supports only TLS 1.0. These versions don't work with TLS 1.2; you must upgrade to use TLS 1.2.
+
+- PHP 7.0 to PHP 7.2.1: Predis uses only TLS 1.0 or 1.1 by default. You can use the following workaround to use TLS 1.2. Specify TLS 1.2 when you create the client instance:
 
   ``` PHP
   $redis=newPredis\Client([
@@ -119,7 +115,7 @@ Node Redis and IORedis use TLS 1.2 by default.
   ]);
   ```
 
-* PHP 7.3 and later versions: Predis uses the latest TLS version.
+- PHP 7.3 and later versions: Predis uses the latest TLS version.
 
 #### PhpRedis
 
diff --git a/articles/azure-cache-for-redis/cache-whats-new.md b/articles/azure-cache-for-redis/cache-whats-new.md
@@ -7,16 +7,28 @@ ms.custom: references_regions
 ms.author: franlanglois
 ms.service: cache
 ms.topic: conceptual
-ms.date: 05/31/2023
-
+ms.date: 09/12/2023
 
 ---
 
 # What's New in Azure Cache for Redis
 
+## September 2023
+
+### Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis
+
+To meet the industry-wide push toward the exclusive use of Transport Layer Security (TLS) version 1.2 or later, Azure Cache for Redis is moving toward requiring the use of the TLS 1.2 in October, 2024.
+
+As a part of this effort, you can expect the following changes to Azure Cache for Redis:
+
+- _Phase 1_: Azure Cache for Redis changes the default minimum TLS version to be 1.2 for newly created cache instances. Previously, it was TLS 1.0. Existing cache instances won't be updated at this point. You can still use the Azure portal or other management APIs to [change the minimum TLS version](cache-configure.md#access-ports) to 1.0 or 1.1 for backward compatibility.
+- _Phase 2_: Azure Cache for Redis stops supporting TLS 1.1 and TLS 1.0 starting October 1, 2024. After this change, your application must use TLS 1.2 or later to communicate with your cache. The Azure Cache for Redis service is expected to be available while we migrate it to support only TLS 1.2 or later.
+
+For more information, see [Remove TLS 1.0 and 1.1 from use with Azure Cache for Redis](cache-remove-tls-10-11.md).
+
 ## June 2023
 
-Azure Active Directory for authentication and role-based access control are available across regions that support Azure Cache for Redis.
+Azure Active Directory for authentication and role-based access control is available across regions that support Azure Cache for Redis.
 
 ## May 2023
 
@@ -36,7 +48,7 @@ For more information, see [Configure clustering for Azure Cache for Redis instan
 
 ### 99th percentile latency metric (preview)
 
-A new metric is available to track the worst-case latency of server-side commands in Azure Cache for Redis instances. Latency is measured by using `PING` commands and tracking response times. This metric can be used to track the health of your cache instance and to see if long-running commands are compromising latency performance. 
+A new metric is available to track the worst-case latency of server-side commands in Azure Cache for Redis instances. Latency is measured by using `PING` commands and tracking response times. This metric can be used to track the health of your cache instance and to see if long-running commands are compromising latency performance.
 
 For more information, see [Monitor Azure Cache for Redis](cache-how-to-monitor.md#list-of-metrics).
 
