Supported Transport Layer Security (TLS) versions

What is Transport Layer Security (TLS)?

TLS is a set of security protocols that provide communication security over networks. The Internet Engineering Task Force (IETF) is the regulatory organization that defines, updates, and releases TLS standards. TLS 1.3 is the latest version.

What TLS versions are supported?

The Celigo platform supports TLS 1.2 and 1.3.

Important

After September 30, 2025, the Celigo platform will no longer support TLS 1.0 and TLS 1.1. Verify by September 30, 2025, that all your custom integrations connect to endpoints that support TLS 1.2 or higher.

Why isn't TLS 1.0 or 1.1 considered secure?

TLS 1.0 and 1.1 are susceptible to security vulnerabilities because both use weak hash algorithms (e.g., SHA-1, MD5) and have inadequate support for modern ciphers. Legacy ciphers use weak encryption, are incompatible with compliance standards (PCI DSS, NIST), and are vulnerable to known attacks like BEAST, POODLE, and SWEET32.

The Celigo platform does NOT support the following deprecated legacy ciphers:

  • RC4

  • 3DES

  • DES

  • EXPORT and NULL ciphers

  • MD5- and SHA-1-based suites

  • Anonymous cipher suites (e.g., ADH)

Which ciphers are supported?

The Celigo platform supports the following modern, secure ciphers with TLS 1.2 and TLS 1.3:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • TLS 1.3 default ciphers (non-configurable):

    • TLS_AES_128_GCM_SHA256

    • TLS_AES_256_GCM_SHA384

    • TLS_CHACHA20_POLY1305_SHA256

How do I audit the TLS and cipher configuration of an endpoint?

If the endpoint you are connecting to has no documentation that identifies its TLS version, you can scan it with sslyze, a Python-based tool that reports a server's SSL/TLS configuration.
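For a quick first check before running a full scanner, the following added example (not Celigo's code and not part of sslyze) uses Python's standard `ssl` module to handshake with an endpoint at TLS 1.2 and TLS 1.3 separately and compares the negotiated cipher with the supported list on this page. The function names and the result labels (`ok`, `unlisted-cipher`, `unsupported-version`) are assumptions made for this example.

```python
import socket
import ssl
import sys

# Cipher names copied from this page's supported list (OpenSSL naming).
SUPPORTED = {
    "TLSv1.2": {"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-CHACHA20-POLY1305"},
    "TLSv1.3": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256"},
}

def classify(version, cipher):
    """Compare one negotiated (version, cipher) pair with the page's lists."""
    if version not in SUPPORTED:
        return "unsupported-version"
    return "ok" if cipher in SUPPORTED[version] else "unlisted-cipher"

def probe(host, port, version, timeout=5.0):
    """Handshake pinned to a single TLS version.

    Returns (True, (version, cipher)) or (False, reason)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, (tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        # Keep the reason so a certificate problem is not mistaken for a protocol one.
        return False, f"{type(exc).__name__}: {exc}"

def audit(host, port=443, probe_fn=probe):
    """Probe TLS 1.2 and 1.3 separately; map each to a classification."""
    report = {}
    for version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ok, detail = probe_fn(host, port, version)
        report[version.name] = classify(*detail) if ok else "failed: " + detail
    return report

def compatible(report):
    """True when at least one probed version negotiated a listed cipher."""
    return "ok" in report.values()

if __name__ == "__main__" and len(sys.argv) > 1:
    result = audit(sys.argv[1])
    print(result, "compatible" if compatible(result) else "NOT compatible")
```

Each probe reports only the one cipher the server selected from this client's offer, so a scanner such as sslyze is still needed to enumerate everything the endpoint accepts.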

Common errors for domains using outdated TLS versions and ciphers

  • EPROTO (final_renegotiate:unsafe legacy renegotiation disabled)

  • ERR_CRYPTO_UNSUPPORTED_OPERATION

  • SSL_ERROR_UNSUPPORTED_VERSION

  • ERR_SSL_VERSION_OR_CIPHER_MISMATCH

  • handshake_failure messages in logs

  • Clients unable to connect to endpoints due to unsupported cipher negotiation

  • API gateway failures when interfacing with third-party systems still using deprecated protocols