Migrating from TLS 1.1 to TLS 1.2/1.3: A Complete Guide

Chisom Jude

Transport Layer Security (TLS) is a crucial protocol for securing communication over the internet. However, older versions like TLS 1.1 have been deprecated due to security vulnerabilities and a lack of modern cryptographic support. Most major browsers, cloud providers, and security standards now enforce TLS 1.2 or higher.

If your applications still rely on TLS 1.1, it's time to migrate to TLS 1.2 or 1.3 to ensure security, compliance, and compatibility. The easiest way to check a public endpoint is with one of my favorite tools, https://www.ssllabs.com/ssltest/analyze.html: enter your app's domain and you get a full analysis of its TLS configuration.

This article covers:

  • How to check if your application still uses TLS 1.1

  • How to migrate applications running on Kubernetes, cloud platforms, VMs, or behind load balancers

  • Best practices for enforcing TLS 1.2+


Checking TLS Version Across Different Platforms

Before migrating, you need to confirm which applications, services, and network components are still using TLS 1.1. Here’s how to check on different platforms:

1. Kubernetes (K8s) Ingress Controllers

Most Kubernetes ingress controllers (Nginx, Traefik, Istio) support TLS 1.2+ by default but may still allow TLS 1.1 if not configured correctly.

Check TLS Version on Nginx Ingress

kubectl describe ingress <ingress-name> -n <namespace>

Alternatively, check the controller's ConfigMap, or the ssl-protocols annotation on the Ingress resource itself:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.1 TLSv1.2 TLSv1.3"

If TLSv1.1 is present, it needs to be removed.

Check TLS Version on Istio Gateway

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
spec:
  servers:
  - port:
      number: 443
      protocol: HTTPS
    tls:
      mode: SIMPLE
      minProtocolVersion: TLSV1_2

Ensure minProtocolVersion is set to TLSV1_2 or higher.

2. Applications on Virtual Machines (VMs)

Linux Servers

Run the following command to check supported TLS versions:

openssl s_client -connect yourserver.com:443 -tls1_1
# or, using the server's IP address instead of its name
openssl s_client -connect 192.168.1.10:443 -tls1_1

If the connection succeeds, TLS 1.1 is still enabled.
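The per-version probe above (and the curl check later in this section) is easy to script. The following is an added example, not code from the original post: it runs openssl s_client once for each of TLS 1.1, 1.2 and 1.3 and classifies the transcript. It also separates two results that otherwise look like a server-side rejection: an unreachable host, and the case where the client's own OpenSSL refuses to offer TLS 1.1 at all (OpenSSL 3.x does this at its default security level and reports "no protocols available"). Host names and ports are placeholders; the transcript lines it interprets are the standard s_client output lines.

```shell
#!/usr/bin/env bash
# probe_tls.sh: report which TLS protocol versions a server accepts.
# Added example for this guide (not from the original post).
# Assumes OpenSSL 1.1.1 or later on PATH (for -tls1_3).
set -u

# classify_transcript: read an `openssl s_client` transcript on stdin and
# print one of:
#   accepted            a cipher was negotiated ("New, TLSv1.2, Cipher is ...")
#   rejected            the server refused the version ("Cipher is (NONE)",
#                       handshake failure / protocol version alerts)
#   client-unsupported  our own OpenSSL cannot offer that version
#                       ("no protocols available"; OpenSSL 3.x disables
#                       TLS 1.0/1.1 at its default security level)
#   unreachable         the TCP connection itself failed
classify_transcript() {
  local transcript
  transcript=$(cat)
  if printf '%s\n' "$transcript" | grep -qE 'connect:errno|Connection refused'; then
    echo unreachable
  elif printf '%s\n' "$transcript" | grep -q 'no protocols available'; then
    echo client-unsupported
  elif printf '%s\n' "$transcript" | grep -qE '^New, TLSv1\.[0-3], Cipher is [A-Z0-9_-]+'; then
    echo accepted
  else
    echo rejected
  fi
}

# probe_version HOST PORT FLAG: one handshake attempt with a forced protocol
# version (FLAG is -tls1_1, -tls1_2 or -tls1_3), classified as above.
probe_version() {
  local host=$1 port=$2 flag=$3
  openssl s_client -connect "${host}:${port}" -servername "$host" "$flag" \
    </dev/null 2>&1 | classify_transcript
}

# probe_host HOST [PORT]: one line per TLS version. A finished migration
# shows tls1_1 as "rejected" (or "client-unsupported") and tls1_2/tls1_3
# as "accepted".
probe_host() {
  local host=$1 port=${2:-443} flag
  for flag in -tls1_1 -tls1_2 -tls1_3; do
    printf '%-8s %s\n' "${flag#-}" "$(probe_version "$host" "$port" "$flag")"
  done
}

# Usage: ./probe_tls.sh yourserver.com [443]
if [ "${1:-}" ]; then
  probe_host "$1" "${2:-443}"
fi
```

Run it against the same host from a machine with OpenSSL 3.x and one with OpenSSL 1.1.1 if you get "client-unsupported" for tls1_1: only the older client can actually tell you whether the server still accepts it.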

Check OpenSSL version:

openssl version -a

Ensure OpenSSL is updated to a version that supports TLS 1.2+.

Windows Servers

On Windows, check the registry settings:

Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server" -Name Enabled

If Enabled is set to 1, TLS 1.1 is still active.

3. Cloud Load Balancers and API Gateways

AWS ALB/NLB

aws elbv2 describe-listeners --load-balancer-arn <your-lb-arn>

Look for SslPolicy, which should be ELBSecurityPolicy-TLS-1-2-2017-01 or later.

Azure Application Gateway

Run:

Get-AzApplicationGatewaySslPolicy -ApplicationGatewayName <AppGatewayName> -ResourceGroupName <ResourceGroup>

Ensure MinProtocolVersion is TLS1_2 or higher.

Google Cloud Load Balancer

Check TLS settings:

gcloud compute ssl-policies list

Ensure your policy is set to TLS 1.2 or 1.3.

F5 BIG-IP Load Balancer

To check TLS settings on F5 BIG-IP:

  1. Log in to the BIG-IP GUI.

  2. Navigate to Local Traffic → Profiles → SSL → Client.

  3. Open the Client SSL Profile used by your virtual server.

  4. Check the SSL Protocols setting.

To check via CLI:

tmsh list ltm profile client-ssl <profile-name>
# look for "tls1.1 enabled" in the output

If tls1.1 is enabled, it needs to be disabled.

4. Mutual TLS (mTLS) & API Calls

For services using mTLS, verify TLS versions with:

kubectl get peerauthentication -n <namespace>

Ensure minTlsVersion is TLSv1_2 or higher.

For API calls, use curl to test TLS versions. Note that curl's --tlsv1.1 option only sets the minimum version, so cap the maximum as well to force a TLS 1.1 handshake:

curl -v --tlsv1.1 --tls-max 1.1 https://your-api.com

If the call succeeds, the API still allows TLS 1.1.


Steps to Migrate to TLS 1.2/1.3

Once you've identified where TLS 1.1 is still in use, follow these steps to migrate:

1. Upgrade Application Dependencies

  • Ensure your OpenSSL, Java, .NET, or other TLS libraries support TLS 1.2/1.3.

  • Update outdated dependencies that might still rely on TLS 1.1.

2. Update Kubernetes TLS Settings

  • For Nginx Ingress, set the annotation:

nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.2 TLSv1.3"

  • For Istio Gateway:

spec:
  servers:
  - tls:
      minProtocolVersion: TLSV1_2

3. Enforce TLS 1.2+ on Load Balancers

  • AWS: Set SslPolicy to ELBSecurityPolicy-TLS-1-2-2017-01.

  • Azure: Use TLS1_2 as MinProtocolVersion.

  • GCP: Update SSL policies to support only TLS 1.2+.

4. Configure Web Servers & Reverse Proxies

For Nginx:

ssl_protocols TLSv1.2 TLSv1.3;

For Apache:

SSLProtocol -all +TLSv1.2 +TLSv1.3

5. Verify and Test

  • Use openssl s_client and curl to test connections.

  • Check logs and application behavior after migration.

  • Also use tools like SSL Labs to confirm that no SSL/TLS issues remain.
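Steps 2 and 4 change text files, so their result can be checked mechanically as part of step 5. The script below is an added example, not part of the original article: it scans nginx ssl_protocols directives, Apache SSLProtocol directives, the nginx-ingress ssl-protocols annotation and Istio minProtocolVersion settings for anything that still permits TLS 1.0 or 1.1, and treats Apache's "all" as weak unless TLS 1.0 and 1.1 are both subtracted on the same line. The sample files it writes are constructed for the demonstration; in real use you pass your own config paths.

```shell
#!/usr/bin/env bash
# audit_tls.sh: find configuration lines that still allow TLS 1.0/1.1.
# Added example for this guide (not from the original post).
set -u

# line_allows_old_tls LINE: return 0 when LINE enables TLS 1.0 or 1.1.
line_allows_old_tls() {
  local line=$1
  # explicit enable: a TLSv1 / TLSv1.1 token (optionally "+"-prefixed, but
  # not "-"-prefixed), or an Istio minimum of TLSV1_0 / TLSV1_1
  if printf '%s\n' "$line" | grep -qE \
      '(^|[^-A-Za-z0-9.])\+?TLSv1(\.[01])?([^.0-9]|$)|TLSV1_[01]([^0-9]|$)'; then
    return 0
  fi
  # Apache "all"/"+all" enables every version the build supports unless
  # TLS 1.0 and 1.1 are both subtracted on the same line
  case $line in
    *SSLProtocol*)
      if printf '%s\n' "$line" | grep -qE '(^|[[:space:]])\+?all([[:space:]]|$)'; then
        if printf '%s\n' "$line" | grep -qE -- '-TLSv1([^.0-9]|$)' &&
           printf '%s\n' "$line" | grep -qE -- '-TLSv1\.1([^.0-9]|$)'; then
          return 1
        fi
        return 0
      fi ;;
  esac
  return 1
}

# audit_tls_config FILE...: print "FILE:LINE: text" for each offending
# directive; return 0 only when nothing was found (usable as a CI gate).
audit_tls_config() {
  local file line trimmed n findings=0
  for file in "$@"; do
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
      n=$((n + 1))
      trimmed=${line#"${line%%[![:space:]]*}"}      # drop leading whitespace
      case $trimmed in
        '#'*) continue ;;                           # skip comment lines
        *ssl_protocols*|*SSLProtocol*|*ssl-protocols*|*minProtocolVersion*) ;;
        *) continue ;;                              # not a TLS version setting
      esac
      if line_allows_old_tls "$trimmed"; then
        printf '%s:%d: %s\n' "$file" "$n" "$trimmed"
        findings=$((findings + 1))
      fi
    done < "$file"
  done
  [ "$findings" -eq 0 ]
}

# write_samples DIR: constructed sample files (before/after versions of the
# settings shown in this guide) for a dry run.
write_samples() {
  local dir=$1
  printf 'ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' > "$dir/nginx-old.conf"
  printf 'ssl_protocols TLSv1.2 TLSv1.3;\n' > "$dir/nginx-new.conf"
  printf 'SSLProtocol all -SSLv3\n' > "$dir/apache-old.conf"
  printf 'SSLProtocol -all +TLSv1.2 +TLSv1.3\n' > "$dir/apache-new.conf"
  cat > "$dir/ingress.yaml" <<'EOF'
metadata:
  annotations:
    # ssl-protocols used to be TLSv1.1 only; comment lines are skipped
    nginx.ingress.kubernetes.io/ssl-protocols: "TLSv1.1 TLSv1.2 TLSv1.3"
EOF
}

# Usage: ./audit_tls.sh /etc/nginx/nginx.conf /etc/apache2/sites-enabled/*.conf
# With no arguments, audit the constructed samples instead.
if [ $# -gt 0 ]; then
  audit_tls_config "$@"
else
  tmp=$(mktemp -d)
  write_samples "$tmp"
  audit_tls_config "$tmp"/* || :    # the samples always contain findings
  rm -rf "$tmp"
fi
```

On the samples it reports nginx-old.conf, apache-old.conf and line 4 of ingress.yaml, and stays silent on the corrected files. Because it exits non-zero when it finds anything, it can run in a pipeline before manifests or config files are deployed.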

If you’ve got more comments on this, feel free to share them with me.
