TLS 1.0 Deprecation for Qualys Cloud Platform
Last updated on: September 6, 2020
Qualys will require all connections to our Cloud Platform to use TLS 1.1 or higher beginning April 2nd 2018, in order to align with industry best practices for security and data integrity.
Please ensure that you are using TLSv1.1+, or your connectivity to the Cloud Platform will be impacted. This change will affect all connections to the Cloud Platform, this includes UIs, APIs, Scanner Appliances, and Cloud Agents.
Dates for each Shared Cloud Platform are listed in the table below. If you are hosted on a Private Cloud Platform (PCP), this change will be coordinated directly with our Security Operations team.
Platform Name | User Interface | API | Scanner Appliance | Cloud Agents |
US Shared 1 | April 17, 2018 | April 17, 2018 | April 17, 2018 | May 17, 2018 |
US Shared 2 | April 12, 2018 | April 12, 2018 | April 12, 2018 | May 12, 2018 |
US Shared 3 | April 2, 2018 | April 2, 2018 | April 2, 2018 | May 2, 2018 |
EU Shared 1 | April 10, 2018 | April 10, 2018 | April 10, 2018 | May 10, 2018 |
EU Shared 2 | April 4, 2018 | April 4, 2018 | April 4, 2018 | May 4, 2018 |
IN Shared 1 | April 9, 2018 | April 9, 2018 | April 9, 2018 | May 9, 2018 |
Any legacy software that does not support TLSv1.1+ will require updating prior to this change. If TLSv1.1+ is not supported and the application is not updated, the application may cease to function on the date mentioned in the table above. Please work with the appropriate vendor to confirm if TLSv1.1+ is natively supported or if a system update is required prior to the change-over date.
For Cloud Agent deployments
Cloud Agent Windows utilizes cryptographic protocol support provided by the Windows operating system. Older Windows operating system (including Windows XP, Embedded Standard, Server 2003/SP2, Server 2008/SP1/SP2, and potentially others if explicitly configured) do not have TLS 1.1+ support on the operating system for Cloud Agent to utilize.
(Cloud Agent on Windows 7, 8/8.1, 10, Server 2008 R2, 2012, 2016 and Linux, Mac, and AIX operating systems support TLS 1.1+ and are not impacted, though network proxies may be stepping-down TLS 1.1+ to 1.0 inadvertently.)
Customers can utilize forward proxy servers to “step-up” the version of TLS from 1.0 to 1.1+ to continue running Cloud Agent Windows on older Microsoft operating systems that only have support for TLS 1.0.
For those cases where a proxy server cannot be utilized, customers can use the Qualys network scanner to assess the affected system until the conversions have been implemented.
This same notification is also published under TLS 1.0 Deprecation information in the Support KnowledgeBase.
Could you please expand more on what this means for the Scanner Appliances? Since customers are not responsible for patching physical or virtual appliances how will they be updated to support TLSv1.1+ connections? It’d like to have more information on the appliances please.
– Colton