TLS 1.0/1.1 was disabled for all inbound connections on Feb. 2nd, 2023

In order to continue our commitment to security, and to respond to evolving technology and regulatory standards for Transport Layer Security (TLS), New Relic has updated its TLS requirements for all endpoints to a minimum version of TLS 1.2 or above, effective February 2, 2023 at 16:00 UTC.

  • Customers who are already using TLS 1.2 or later have not been impacted by this change.

What’s changed?

We now require TLS 1.2 or above for all inbound connections effective February 2, 2023 at 16:00 UTC. This means customers using TLS versions 1.0 and 1.1 must update to TLS 1.2 or later to be able to connect to New Relic. This change affects all regions.

How am I affected?

If you were still using TLS 1.0 or 1.1 when the change took effect, you are no longer able to send data to New Relic. This affects your ability to continue using New Relic to monitor your applications.

In order to connect to New Relic you must upgrade to an operating system and/or TLS stack that supports TLS 1.2 or above.

Affected operating systems include, but are not limited to:

TLS stacks reliant on the following may also have been affected:

Customers accessing http://api.newrelic.com with clients not configured to follow redirects may also have been impacted by this change. You should ensure that your clients specify the https:// scheme (as opposed to http://), or that they are configured to follow redirects, such as by using the -L flag when using cURL.

Additionally, customers who have deployed Browser agents prior to version 998 (released in 2016) on pages served over unencrypted HTTP may no longer have clients accessing these pages report data to New Relic.

Note also that any references to the download.newrelic.com (aka yum.newrelic.com / apt.newrelic.com) sites should be updated to use an https:// URL. To help ease this transition, a mechanism has been implemented that redirects from the http:// version of the site to the secure https:// version.
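One way to audit configuration for the plain-HTTP references described above (an added example, not New Relic's code). The function name `upgrade_scheme` and the sample repository and script lines are constructed for illustration; only the four hostnames come from this page.

```python
import re

# Hosts named on this page. The negative lookahead matches them as whole
# hostnames, so a lookalike such as apt.newrelic.com.example.net is left alone.
# A URL with an explicit port is also skipped, since the port would need review.
HOSTS = ("api.newrelic.com", "download.newrelic.com",
         "yum.newrelic.com", "apt.newrelic.com")
PLAIN_HTTP = re.compile(
    r"http://(" + "|".join(map(re.escape, HOSTS)) + r")(?![\w.:-])",
    re.IGNORECASE,
)

def upgrade_scheme(config_text):
    """Return (rewritten_text, findings); findings are (line_no, host) pairs."""
    findings, out = [], []
    for no, line in enumerate(config_text.splitlines(), start=1):
        def fix(match, no=no):
            findings.append((no, match.group(1).lower()))
            return "https://" + match.group(1)
        out.append(PLAIN_HTTP.sub(fix, line))
    return "\n".join(out), findings

# Constructed sample: apt source, yum repo, script call, lookalike, already-secure line.
SAMPLE_CONFIG = """\
deb http://apt.newrelic.com/debian/ newrelic non-free
baseurl=http://yum.newrelic.com/pub/newrelic/el5/$basearch
curl -s HTTP://api.newrelic.com/v2/applications.json
mirror=http://apt.newrelic.com.example.net/debian/
deb https://download.newrelic.com/debian/ newrelic non-free
"""

if __name__ == "__main__":
    fixed, found = upgrade_scheme(SAMPLE_CONFIG)
    for line_no, host in found:
        print(f"line {line_no}: plain http reference to {host}")
    print(fixed)
```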

Why have we done this?

Transport Layer Security (TLS) is a protocol used to establish secure, encrypted connections. It is the successor to SSL (Secure Socket Layer), although the acronym ‘SSL’ retains some colloquial usage as a synonym for TLS.

TLS versions 1.2 and 1.3 are the current industry standards, and include protections that aren’t present in earlier versions of the protocol. TLS also has a history of downgrade attacks, where an attacker can force a client to use a less-secure protocol version if it is supported by the server.

Moving to TLS 1.2 or above isn’t simply the next step for Transport Layer Security; it’s an actual solution to serious security threats. By removing support for the less-secure versions of the protocol, we can help ensure that downgrade attacks aren’t possible, and that data sent over these connections cannot be intercepted or modified by an attacker.

Concerns with earlier versions of TLS are shared within the industry, with the Chrome, Edge, Firefox, Internet Explorer, and Safari browsers all requiring TLS 1.2 or greater beginning in early 2020. Furthermore, the PCI DSS and NIST frameworks no longer consider the use of TLS versions prior to 1.2 to be compliant.

How do I know if I’m affected?

Once TLS 1.0/1.1 are disabled, New Relic’s ingest tier can no longer accept connection requests via the disabled protocol versions, and thus cannot generate telemetry about those failing connections. If an application has stopped reporting, check the application agent logs for connection errors to determine whether they are related to TLS.

An example error for a Java application is:

2023-01-18T21:43:33,974+0000 [1 36] 
com.newrelic.agent.rpm.RPMConnectionServiceImpl INFO: Failed to connect to collector.newrelic.com:443 for hello-world-java: 
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version 

An example error for .NET is:

2023-01-18T21:43:33,896 NewRelic ERROR: [pid: xxxx, tid: xx] Unable to 
connect to the New Relic service at collector.newrelic.com:443 : 
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
     at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
     …
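To triage agent logs for the two failure signatures shown above, here is an added example (not New Relic's code). It groups wrapped lines into records and flags only TLS-related connection failures; the function names are hypothetical, and the `UnknownHostException` record in the sample is constructed to show a non-TLS failure being skipped.

```python
import re

# A new record starts with an ISO-style timestamp, as in both agent samples.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
# Marker substrings taken from the two example errors on this page.
TLS_SIGNATURES = {
    "java": ("SSLHandshakeException", "protocol_version"),
    "dotnet": ("Could not create SSL/TLS secure channel",),
}
ENDPOINT = re.compile(r"\b[\w.-]+\.newrelic\.com:\d+")

def split_records(lines):
    """Group wrapped lines and stack frames under the timestamped line that starts them."""
    record = []
    for line in lines:
        if RECORD_START.match(line) and record:
            yield " ".join(record)
            record = []
        if line.strip():
            record.append(line.strip())
    if record:
        yield " ".join(record)

def find_tls_failures(log_text):
    """Return one dict per record that carries every marker of a known signature."""
    hits = []
    for record in split_records(log_text.splitlines()):
        for agent, markers in TLS_SIGNATURES.items():
            if all(marker in record for marker in markers):
                ep = ENDPOINT.search(record)
                hits.append({"timestamp": record.split()[0], "agent": agent,
                             "endpoint": ep.group(0) if ep else None})
                break
    return hits

# The two errors from this page plus one constructed non-TLS failure (second record).
SAMPLE = """\
2023-01-18T21:43:33,974+0000 [1 36]
com.newrelic.agent.rpm.RPMConnectionServiceImpl INFO: Failed to connect to collector.newrelic.com:443 for hello-world-java:
javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
2023-01-18T21:44:01,120+0000 [1 36] com.newrelic.agent.rpm.RPMConnectionServiceImpl INFO: Failed to connect to collector.newrelic.com:443 for hello-world-java: java.net.UnknownHostException: collector.newrelic.com
2023-01-18T21:43:33,896 NewRelic ERROR: [pid: xxxx, tid: xx] Unable to
connect to the New Relic service at collector.newrelic.com:443 :
System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
     at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)
"""

if __name__ == "__main__":
    for hit in find_tls_failures(SAMPLE):
        print(hit)
```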

The following information refers to telemetry available leading up to the TLS EOL.

Although the NrIntegrationError events are no longer created after the EOL, you can still query them for any period of time up until 2023-02-02 18:00:00 UTC.

This can be done to determine which application environments needed to be updated for TLSv1.2 at the time the older protocols were disabled.

Note that these events are subject to the default data retention period for custom events for your account, so be sure to run the query before March 1st, 2023 for accounts with 30 days of data retention.

APM Agents

The following query finds the APM applications that used TLS versions that are part of the EOL. Run this in the parent account:

FROM NrIntegrationError SELECT count(*) WHERE category = 'Deprecated TLS Version' 
SINCE '2023-01-30 00:00:00 UTC' UNTIL '2023-02-02 18:00:00 UTC' LIMIT MAX FACET appName, appId, tlsVersion

You can check out this quick tutorial video to learn how to view the TLS version used by the New Relic agent. https://youtu.be/SQijAjROeXg

Event API

The following query finds Event API ingest that used TLS versions that are part of the EOL. Run this in each account:

FROM NrIntegrationError SELECT * WHERE newRelicFeature = 'Event API' 
AND message LIKE 'Event sent via deprecated TLS%' LIMIT MAX

Note that this query can be modified to facet by unique API key prefixes - for example:

FROM NrIntegrationError SELECT count(*) WHERE newRelicFeature = 'Event API' 
AND message LIKE 'Event sent via deprecated TLS%' LIMIT MAX FACET apiKeyPrefix

How do I upgrade to TLS 1.2 or above?

There is no single button or process to ensure TLS 1.2 compatibility. Depending on the platform and software solutions currently in use, the process may be extremely simple or very complex. If you have not done so yet, we advise you to work closely with your IT and security teams on creating a migration plan as soon as possible.

Alternative temporary workaround - Customer Proxy

With the Feb 2, 2023 deadline passed, many organizations may find themselves in a bind to complete their transition to TLS 1.2 connections in a timely fashion. Some have discussed the possibility of creating a proxy to “convert” old connections to TLS 1.2 connections.

The proxy should be a measure of last resort, so as not to put the organization’s connectivity security at risk. Before pursuing a proxy solution, organizations need to consider and exhaust all other options. It’s important to understand that intercepting TLS traffic is not a method that is recommended, endorsed, or warranted by New Relic, and is to be done at the customer’s own discretion and risk.

New Relic sales, customer adoption, and customer success teams have access to recommended steps for customers to consider when adopting a proxy translation approach. Please contact your account team for further information.

For more information please check out the EXPERIMENTAL GitHub Repository: https://github.com/newrelic-experimental/tls-proxy/blob/main/README.md

Need support?

For more information about this topic check out our documentation, reach out to your account team, or contact New Relic Support.
