Duo will no longer support TLS v1.0 or 1.1

According to Duo's official announcement, effective June 30, 2023, Duo will no longer support Transport Layer Security (TLS) versions 1.0 or 1.1 for any Duo product or service. Duo will also no longer support TLS connection requests negotiated with insecure cipher suites.

After 30 June 2023, Duo will support only secure protocols and strong cipher suites. Details are in the table below:

After 30 June 2023

Cryptographic Protocol

Duo will no longer support:
  • TLS 1.0
  • TLS 1.1

Duo will still support:
  • TLS 1.2 or above

Cryptographic Cipher Suite

Duo will no longer support:
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

Duo will still support:
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
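
To check a client against the protocol and cipher suite lists above, the following added example (not code from Duo or from this page) reports which of the still-supported suites a client can use, and can inspect the OpenSSL build behind the local Python. The helper names `to_openssl`, `usable_suites` and `local_openssl_suites` are hypothetical, and the supported set is taken to be the twelve ECDHE AES suites listed above.

```python
import ssl
from itertools import product

# Cipher suites this page lists as still supported after 30 June 2023:
# ECDHE key exchange, ECDSA or RSA authentication, AES in GCM or CBC mode.
DUO_SUITES = {
    f"TLS_ECDHE_{auth}_WITH_{enc}"
    for auth, enc in product(
        ("ECDSA", "RSA"),
        ("AES_128_GCM_SHA256", "AES_256_GCM_SHA384", "AES_128_CBC_SHA256",
         "AES_256_CBC_SHA384", "AES_128_CBC_SHA", "AES_256_CBC_SHA"),
    )
}
MIN_VERSION = (1, 2)  # "TLS 1.2 or above"


def to_openssl(iana_name):
    """Convert an IANA suite name from DUO_SUITES to OpenSSL's spelling."""
    auth, enc = iana_name[len("TLS_ECDHE_"):].split("_WITH_")
    _, bits, mode, digest = enc.split("_")      # e.g. AES, 128, GCM, SHA256
    # OpenSSL names omit "CBC" and keep "GCM".
    parts = ["ECDHE", auth, "AES" + bits] + (["GCM"] if mode == "GCM" else [])
    return "-".join(parts + [digest])


def usable_suites(max_version, offered):
    """Suites (IANA names) a client could still negotiate with Duo.

    max_version is the highest TLS version the client speaks, e.g. (1, 1).
    An empty list means the connection request would fail. TLS 1.3 suite
    names are not on the page's list and are not evaluated here.
    """
    if max_version < MIN_VERSION:
        return []
    return sorted(s for s in offered if s in DUO_SUITES)


def local_openssl_suites():
    """Duo-supported suites enabled in this Python's default TLS context."""
    enabled = {c["name"] for c in ssl.create_default_context().get_ciphers()}
    return sorted(s for s in DUO_SUITES if to_openssl(s) in enabled)


if __name__ == "__main__":
    print("OpenSSL:", ssl.OPENSSL_VERSION, "| TLS 1.2:", ssl.HAS_TLSv1_2)
    print("Usable with Duo:", local_openssl_suites() or "NONE")
```

An empty result from `local_openssl_suites()` means the local OpenSSL configuration has every suite on the supported list disabled, which is the manually changed configuration the notes below warn about.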

Please check whether your endpoints are supported by referring to the following table:

# | Duo Application | TLS Support | Supported and Required Versions | Ways to check the supported version
1 Windows
  • Supported Windows operating system (OS) versions will support TLS 1.2 by default. If you are running a supported Windows OS, no action is required.
  • Note that if your operating system was manually changed to disable TLS 1.2 for some reason, connection requests will fail. Please verify your system is properly configured for TLS 1.2 with the suggested steps.
Suggested steps
2 Duo Mobile
  • Supported Duo Mobile applications running on supported OS versions will support TLS 1.2+ by default. If you are running a supported Duo Mobile application on a supported OS, no action is required.
  • Supported Android OS versions: Android 10.0 and greater
  • Supported iOS versions: iOS 14.0 and greater

* A mobile device running an unsupported version can still receive Duo Push or generate one-time passcodes as before, but will be unable to log in to Duo-enabled IT services such as Microsoft Office 365, CUHK VPN, or CUPIS.

Suggested steps
3 Web browsers
  • The latest versions of common web browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera support TLS 1.2.
  • If your browser was manually changed to disable TLS 1.2 for some reason, connection requests will fail. Please verify your browser is properly configured for TLS 1.2 with the suggested steps. For other browsers, please also make sure they support TLS 1.2.
Suggested steps

Please check whether your endpoints are supported by referring to the following table:

# | Duo Application | TLS Support | Supported and Required Versions | Ways to check the supported version
1 Duo Windows Applications
  • Supported Duo Windows integrations running on supported operating system (OS) versions will support TLS 1.2 by default. If you are running a supported Windows integration on a supported OS, no action is required.
  • Note that if your operating system was manually changed to disable TLS 1.2 for some reason, connection requests will fail. Please verify your system is properly configured for TLS 1.2.
Suggested steps
2 Duo Authentication for Windows Logon
  • Windows Logon version 3.0.0.85 and newer supports TLS 1.2 on all Windows operating systems that support TLS 1.2.
  • Should also meet Supported and Required versions.
Suggested steps
3 Duo Mobile
  • Supported Duo Mobile applications running on supported OS versions will support TLS 1.2+ by default. If you are running a supported Duo Mobile application on a supported OS, no action is required.
  • Supported Android versions: Android 10.0 and greater
  • Supported iOS versions: iOS 14.0 and greater
Suggested steps
4 Linux
  • Linux authentication requires Duo Unix (pam_duo or login_duo) 1.10.4 or later and OpenSSL 1.0.1 or later to support TLS 1.2.
Suggested steps
5 Web browsers
  • The latest versions of common web browsers such as Google Chrome, Microsoft Edge, Mozilla Firefox, and Opera support TLS 1.2.
  • If your browser was manually changed to disable TLS 1.2 for some reason, connection requests will fail. Please verify your browser is properly configured for TLS 1.2 with the suggested steps. For other browsers, please also make sure they support TLS 1.2.
Suggested steps