In order to continue our commitment to security, and to respond to evolving technology and regulatory standards for Transport Layer Security (TLS), New Relic is updating its TLS requirements for all endpoints to a minimum version of TLS 1.2 or above effective February 1, 2023 at 16:00 UTC.
- Customers who are already using TLS 1.2 or later will not be impacted by this change.
We will be requiring TLS 1.2 or above for all inbound connections effective February 1, 2023 at 16:00 UTC. This means customers using TLS versions 1.0 and 1.1 must update to TLS 1.2 or later to be able to connect to New Relic. This change affects all regions.
If you are one of the customers still using TLS 1.0 or 1.1 you will no longer be able to send data to New Relic after the changes take effect. This will affect your ability to continue using New Relic to monitor your applications.
In order to maintain connectivity to New Relic you must upgrade to an operating system and/or TLS stack that supports TLS 1.2 or above.
Affected operating systems include, but are not limited to:
- Windows Server 2008 (support available via optional Windows Update package)
- Windows 7 (support available via optional Windows Update package)
- Windows Server 2003 and earlier
- Windows Vista and earlier
- OS X 10.8 “Mountain Lion” and earlier
- RHEL 6.4 and earlier
TLS stacks reliant on the following may also be affected:
Customers accessing http://api.newrelic.com with clients not configured to follow redirects may also be impacted by this change. You should ensure that your clients specify the https:// scheme (as opposed to http://), or that they are configured to follow redirects, such as by using the -L flag when using cURL.
Additionally, customers who have deployed Browser agents prior to version 998 (released in 2016) on pages served over unencrypted HTTP may find that browsers loading those pages no longer report data to New Relic.
It is also important to note that any references to download.newrelic.com (also known as yum.newrelic.com / apt.newrelic.com) should be updated to use an https:// URL. To help with this transition, a redirect mechanism will be implemented that sends http:// requests to the https:// version of the site.
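The requirement above is enforced by the server, but you can verify from the client side whether a given host or agent machine can still negotiate TLS 1.2 or later. The following script is an added example and is not New Relic's own tooling; it opens a connection with the local TLS stack restricted to a minimum of TLS 1.2 and reports the negotiated version, or the failure reason when the local stack (for example an unpatched Windows Server 2008 or RHEL 6.4 host) cannot reach that minimum. The hosts listed in `main()` are taken from this notice; any network access is an assumption of the example.

```python
import socket
import ssl

# Protocol names as returned by ssl.SSLSocket.version() that fall below the
# TLS 1.2 minimum this notice describes.
DEPRECATED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def is_deprecated(version):
    """True if a negotiated protocol name is older than TLS 1.2."""
    return version in DEPRECATED_VERSIONS


def build_context():
    """Default verifying context that refuses anything below TLS 1.2.

    This mirrors what the server now enforces, so a handshake failure here
    means this machine's TLS stack would also fail against the endpoint.
    """
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port=443, timeout=10.0):
    """Return (negotiated_version, cipher_name) for a TLS 1.2+ handshake.

    Raises ssl.SSLError / OSError if no TLS 1.2+ session can be established.
    """
    ctx = build_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _protocol, _bits = tls.cipher()
            return tls.version(), cipher_name


def probe_many(hosts):
    """Map each host to 'OK <version> (<cipher>)' or 'FAIL: <reason>'."""
    results = {}
    for host in hosts:
        try:
            version, cipher = probe(host)
            results[host] = "OK %s (%s)" % (version, cipher)
        except (ssl.SSLError, OSError) as exc:  # stack too old, DNS, etc.
            results[host] = "FAIL: %s" % exc
    return results


def main():
    # Endpoints named in this notice; requires outbound network access.
    for host, result in probe_many(["api.newrelic.com", "download.newrelic.com"]).items():
        print("%-25s %s" % (host, result))


if __name__ == "__main__":
    main()
```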
Transport Layer Security (TLS) is a protocol used to establish secure, encrypted connections. It is the successor to SSL (Secure Socket Layer), although the acronym ‘SSL’ retains some colloquial usage as a synonym for TLS.
TLS versions 1.2 and 1.3 are the current industry standards, and include protections that aren’t present in earlier versions of the protocol. TLS also has a history of downgrade attacks, where an attacker can force a client to use a less-secure protocol version if it is supported by the server.
Moving to TLS 1.2 or above isn’t simply the next step for Transport Layer Security; it’s an actual solution to serious security threats. By removing support for the less-secure versions of the protocol, we can help ensure that downgrade attacks aren’t possible, and that data sent over these connections cannot be intercepted or modified by an attacker.
Concerns with earlier versions of TLS are shared within the industry, with the Chrome, Edge, Firefox, Internet Explorer, and Safari browsers all requiring TLS 1.2 or greater beginning in early 2020. Furthermore, the PCI DSS and NIST frameworks no longer consider the use of TLS versions prior to 1.2 to be compliant.
New Relic users now have access to NrIntegrationError events, and internal queries for DeprecatedTlsDetection can be faceted by customer account and clusterAgentId.
The following query lists the TLS versions used by APM applications that are part of this EOL. Run it in the parent account:
FROM NrIntegrationError SELECT count(*) WHERE category = 'Deprecated TLS Version' SINCE 3 days ago LIMIT MAX FACET appName, appId, tlsVersion
You can check out this quick tutorial video to learn how to view the TLS version used by the New Relic agent. https://youtu.be/SQijAjROeXg
The following query lists Event API ingest traffic using TLS versions that are part of this EOL. Run it in each account:
FROM NrIntegrationError SELECT * WHERE newRelicFeature = 'Event API' AND message LIKE 'Event sent via deprecated TLS%' LIMIT MAX
Note that this query can be modified to facet by unique API key prefix, for example:
FROM NrIntegrationError SELECT count(*) WHERE newRelicFeature = 'Event API' AND message LIKE 'Event sent via deprecated TLS%' LIMIT MAX FACET apiKeyPrefix
There is no single button or process to ensure TLS 1.2 compatibility. Depending on the platform and software solutions currently in use, the process may be extremely simple or very complex. We advise you to work closely with your IT and security teams on creating a migration plan.