Deprecation and Removal of TLS 1.0 / 1.1 Support from wolfSSL

As part of our quality control and review process, wolfSSL is planning removal of obsolete and deprecated TLS protocol support from our mainline TLS library. TLS 1.0 and 1.1 were introduced in 1999 (RFC 2246) and 2006 (RFC 4346) respectively, and both versions were formally deprecated by RFC 8996 in 2021. As noted in the deprecation RFC, TLS 1.0 requires support for an obsolete and insecure cipher suite based on 3DES (TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA), an algorithm that dates to 1981. Moreover, the security guarantees of both version 1.0 and version 1.1 depend on the SHA-1 hash algorithm: their pseudo-random function and handshake integrity are built on SHA-1 (combined with MD5), and the protocol offers no way to negotiate a stronger hash. SHA-1 was introduced in 1995, shown vulnerable to collision attacks in 2005, and formally retired by NIST in 2022. TLS 1.0 and 1.1 have been disabled by default in wolfSSL since release 3.13.0 (2017) and 5.6.6 (2023) respectively.

Modern TLS implementations use either TLS 1.2 or 1.3, both of which avoid dependence on obsolete and deprecated algorithms and mechanisms. Version 1.2 (RFC 5246) was introduced in 2008, is currently considered secure when configured properly (in particular, with AEAD cipher suites and without legacy options such as static RSA key exchange or renegotiation), and is supported by all modern TLS implementations. Version 1.3 (RFC 8446) is the latest version, finalized in 2018. It has the highest inherent security because it removes those legacy mechanisms from the protocol altogether: every cipher suite is AEAD, key exchange is always ephemeral, and the handshake is itself encrypted. TLS 1.3 has been supported by wolfSSL since release 3.11.1 (2017).

While support for obsolete and insecure protocols is useful in some specialized analytic and forensic applications, we believe that continuing this support in our mainline products does more harm than good. The legacy code adds complexity, and it carries an inherent risk of misconfiguration: a build or application that leaves TLS 1.0 or 1.1 enabled can be downgraded to them by a network attacker, with potentially critical implications for system security.

While we have not yet determined a timeline for removal of code in wolfSSL specific to TLS 1.0 and 1.1, all API support for them should be considered deprecated, consistent with RFC 8996.
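Until the code is removed, whether TLS 1.0 or 1.1 is present in a given wolfSSL build is decided at configure time, so the practical check is to inspect the build rather than the version number. The following POSIX shell script is an added example, not code from the wolfSSL project: it reads the `wolfssl/options.h` header that wolfSSL's `./configure` generates (the default install location `/usr/local/include/wolfssl/options.h` is an assumption; pass your own path) and reports whether either obsolete version was compiled in. It relies on two of wolfSSL's own build macros: `NO_OLD_TLS` is defined when TLS 1.1 (and therefore 1.0) has been built out, and `WOLFSSL_ALLOW_TLSV10` is defined only when `--enable-tlsv10` was given. The sample headers in the usage comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not wolfSSL project code): report whether a wolfSSL build
# still contains the deprecated TLS 1.0 / 1.1 protocol code.
#
# It inspects the options.h that wolfSSL's ./configure writes, using wolfSSL's
# own macros:
#   NO_OLD_TLS           defined  -> TLS 1.1 and 1.0 are compiled out
#   WOLFSSL_ALLOW_TLSV10 defined  -> TLS 1.0 was explicitly enabled
#
# Usage:
#   wolfssl_legacy_tls_status /usr/local/include/wolfssl/options.h
#
# Prints one line such as "tls10=no tls11=no". Exit status is 0 when neither
# obsolete version is compiled in, 1 when at least one is, 2 on a read error.
wolfssl_legacy_tls_status() {
    opts="$1"
    [ -r "$opts" ] || { echo "cannot read $opts" >&2; return 2; }

    # Match a preprocessor define of the exact macro name, tolerating the
    # whitespace variations seen in generated headers ("#define X", "# define X").
    _has_define() {
        grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$1([[:space:]]|$)" "$opts"
    }

    if _has_define NO_OLD_TLS; then
        tls11=no
    else
        tls11=yes
    fi

    if _has_define WOLFSSL_ALLOW_TLSV10; then
        tls10=yes
    else
        tls10=no
    fi

    echo "tls10=$tls10 tls11=$tls11"
    [ "$tls10" = no ] && [ "$tls11" = no ]
}

# When run as a script with a path argument, check that header. Without an
# argument the file only defines the function (so it can be sourced).
if [ "$#" -gt 0 ]; then
    wolfssl_legacy_tls_status "$1"
fi
```

The check tells you what the library was built with, which is the only thing that matters for a removal decision. It does not tell you what a given application negotiates: an application that uses a generic `wolfSSLv23_*_method()` context will already prefer the newest version both sides support, and one that wants to refuse the old versions outright even on a build that still contains them can set a floor with `wolfSSL_CTX_SetMinVersion(ctx, WOLFSSL_TLSV1_2)` or select a version-specific method such as `wolfTLSv1_2_client_method()`.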

If you have questions about any of the above, please contact us at facts@wolfSSL.com or +1 425 245 8247.
