Chef Blogs

Saying Goodbye to Transport Layer Security 1.0 and 1.1 - A Guide to What Comes Next

Adi Shankar | Posted on | Chef | Chef Compliance | DevOps | Infrastructure as Code | Products and Projects

The Internet Moves Forward, So Should Your Security

Security isn’t static. As the digital world evolves, so do the threats that target it.

That’s why we’re making an important change: On September 2, 2025, the Progress Chef solution is officially retiring support for Transport Layer Security (TLS) 1.0 and 1.1 on:

  1. packages.chef.io
  2. omnitruck.chef.io
  3. netlify.chef.io
  4. services.chef.io
  5. artifactory-external.chef.co
  6. licensing.chef.co

This means that any system still using these older security protocols will no longer be able to establish a connection to our infrastructure. If you rely on any of these services, this update affects you.

Why Are We Making This Change?

TLS is the protocol that secures communications across the web. However, versions 1.0 and 1.1 are outdated, vulnerable and no longer considered secure by modern standards. Industry leaders, including the Internet Engineering Task Force (IETF) and major web browsers, have deprecated these versions in favor of TLS 1.2 and 1.3, which offer better encryption, stronger authentication and improved overall security.

Continuing to use outdated TLS versions poses several risks:

  • Known Vulnerabilities – Older TLS versions are susceptible to attacks such as BEAST, POODLE and DROWN, which can compromise encrypted communications.
  • Weak Encryption – TLS 1.0 and 1.1 rely on outdated encryption methods that do not meet current security standards, making data more vulnerable to interception.
  • Compliance Issues – Many regulatory bodies require the use of up-to-date security protocols. Using deprecated TLS versions may lead to non-compliance with industry standards, affecting audits and certifications.

By confirming that only modern TLS versions are supported, we’re actively strengthening the security posture of your infrastructure and maintaining compliance with industry standards.

What This Means for You

If your infrastructure is still using TLS 1.0 or 1.1, you will not be able to connect to the services listed above after September 2, 2025. To avoid service disruptions, you’ll need to verify that your systems are configured to use TLS 1.2 or 1.3.

We strongly encourage updating your systems before the cutoff date to help prevent any interruptions in your workflows. The good news? Updating your TLS version is a simple but crucial step that will enhance the security and efficiency of your communications.

A Look at the Risks of Outdated TLS Versions

Legacy TLS versions pose multiple security risks, including:

  • Man-in-the-Middle (MITM) attacks – Attackers can intercept and manipulate data between a client and a server.
  • Weak encryption – TLS 1.0 and 1.1 rely on outdated encryption algorithms that are susceptible to compromise.
  • Compliance risks – Many regulatory bodies require modern encryption standards for data protection and compliance.

By transitioning to TLS 1.2 and 1.3, you move towards more compliant, secure and reliable connections across all your systems.

How to Stay Connected

Upgrading to TLS 1.2 or 1.3 is straightforward. Here’s what you need to do:

  • Check your TLS configuration – Confirm if your infrastructure supports TLS 1.2 or 1.3.
  • Update any outdated scripts or automation tools – If they still rely on TLS 1.0 or 1.1, update them to work with modern protocols.
  • Verify your OS and software versions – Some older versions of operating systems and software may need updates to enable TLS 1.2+ support.
  • Test your systems – Run tests to confirm your infrastructure correctly handles TLS 1.2 and 1.3 connections.

Need Help? We’ve Got You Covered.

We know changes like this can feel like a hassle, and you’ve got questions—or might have questions. So, we’ve compiled a few common ones to make things easier:

  1. How do I check if my application/toolset is still communicating over TLS 1.0 or 1.1?

    Use a network traffic analyzer like Wireshark to inspect the SSL handshake. Apply the following filters:
  • TLS 1.0: ssl.handshake.version==0x0301  
  • TLS 1.1: ssl.handshake.version==0x0302 
  • TLS 1.2: ssl.handshake.version==0x0303 
  • TLS 1.3: ssl.handshake.version==0x0304 
  1. My application uses OpenSSL. How can I check supported TLS versions and test connectivity?
    To check supported protocols:
  • Run: openssl s_client args and look for -tls* flags

    To test specific versions:
  • TLS 1.0: openssl s_client -connect <domain>:443 -tls1
  • TLS 1.1: openssl s_client -connect <domain>:443 -tls1_1
  • TLS 1.2: openssl s_client -connect <domain>:443 -tls1_2
  • TLS 1.3: openssl s_client -connect <domain>:443 -tls1_3
  1. Are there any workarounds if my environment isn’t ready yet?

  • If using OpenSSL, upgrade to at least version 1.0.1 (TLS 1.2 support)

  • If your app handles handshakes manually, upgrade to the latest version supported by your OS and verify with logs or Wireshark

  • If curl fits your automation needs, verify if its version 7.19 or newer. Example test commands:

    o TLS 1.0: curl -v --tls-max 1.0 --url "https://<url>"
    o TLS 1.1: curl -v --tls-max 1.1 --url "https://<url>"
    o TLS 1.2: curl -v --tls-max 1.2 --url "https://<url>"
    o TLS 1.3: curl -v --tls-max 1.3 --url "https://<url>"

  • Alternatively, download packages on a modern machine and share with older systems via file share or internal repository

  1. I’m already seeing errors. Could they be due to the TLS change?
  • Check application logs for **SSL connect/handshake errors
  • Use Wireshark or similar tools to capture traffic and confirm handshake failures

If you have additional questions, your Customer Success Manager is available to help, or you can submit a support ticket through our portal. We strongly encourage testing your systems in advance to avoid last-minute issues.

What If You Do Nothing?

If you take no action before September 2, 2025, any request from your systems using TLS 1.0 or 1.1 will fail. This means you won’t be able to connect to the services listed above, potentially impacting your workflows, automated processes and security compliance. We highly recommend making this upgrade a priority.

Make the Switch Today

Security is a continuous journey, and staying up to date with best practices is essential to protecting your data. Make sure you’re ready before September 2, 2025, to avoid disruptions. Thank you for working with us to maintain a secure and reliable ecosystem.

If you have any concerns or need further guidance, reach out now—don’t wait until the last moment.

Let’s keep things secure together.

Tags

Chef Packages Compliance Cybersecurity DevOps Encryption OpenSSL Secure Communication Security Best Practices Security Protocols TLS TLS 1.2 TLS 1.3 Transport Layer Security