Your data. Anywhere you go.

New Relic for iOS or Android


Download on the App Store    Android App on Google play


New Relic Insights App for iOS


Download on the App Store


Learn more

Close icon

Upcoming Deprecation of TLS 1.0 endpoints

api
tls10

#1

As you may already be aware, the TLS 1.0 protocol is no longer considered secure by industry leaders. Out of concern for your data’s protection and to align with industry standards, beginning Sept 15th, 2017 New Relic will no longer support TLS 1.0 network connections to our UIs and APIs. Please note, this change will not affect the endpoints used by New Relic agents at this time. On that date, we will disable TLS 1.0 but will continue to provide support for TLS 1.2 protocols and ciphers. Your systems will need to connect using later TLS protocols by 11:59 PM UTC on September 15, 2017 to avoid any interruption in your data retrieval.

What do you need to do?

To ensure no interruption in service, you can visit our TLS Upgrade self-service page, which will inform you if there are any users or scripts using/accessing your account using the older TLS 1.0 protocol . A comprehensive list of browsers and agents that support TLS 1.2 is also available at Qualys SSL Labs.

To check your TLS connections, you can visit: https://tlscheck.newrelic.com. If you receive an error, you can view additional resources to resolve the connection below:

Android Support

If you are running Android OS Versions 4.x (later than 4.0), you will need to update the version of the New Relic for Android app to version 2.8.9, and New Relic for Insights app to version 3.0.6 in order to successfully login.

Browser Support

The following browsers DO NOT support TLS 1.2 and will need to be upgraded to continue to work.

  • Google Chrome 29
  • Firefox 26
  • Internet Explorer 10
  • Safari 8
  • iOS 4
  • Android 42

You can test your browser with SSL Labs Browser Capabilities or validate that it will work by visiting the New Relic TLS 1.2 Test page. If you see an empty browser page it means your browser does support TLS 1.2. If you see an error message like “cannot display the webpage” or “website is not available” that indicates that you need to upgrade your browser and/or operating system.

API Library Support

If you have code that connects with the New Relic API, you should ensure that it will continue to work with TLS 1.2. Each language and library is different, but here are some common choices that may be of concern. These languages will need to be upgraded or modified to work with TLS 1.2

  • Java 6u45 / 7u45
  • .NET before 4.5 (does not support TLS 1.2)
  • .NET 4.5 (must be have setting changed to explicitly enable TLS 1.2)
  • OpenSSL 0.9.8 (Used by Ruby, PHP, Python, Curl, Wget and more)

The examples below explicitly use TLS 1.2 for the connection to https://tlscheck.newrelic.com. Most clients should default to TLS 1.2.

Java

If you are using Java 1.8, TLS1.1 and TLS1.2 are enabled by default and the TLS negotiation should just work and there should be no action required. If you are using Java 1.7, TLS1.2 is disabled by default. You must explicitly enable them or specify the protocol when creating your SSLContext. The simplest and safest way to mitigate the issue is to make sure you are passing in the protocol version you want when creating your SSLContext:

String tlsVersion = "TLSv1.2";
String httpsURL = "https://tlscheck.newrelic.com";
URL myurl = new URL(httpsURL);

SSLContext context = SSLContext.getInstance(tlsVersion);
context.init(null, null, new java.security.SecureRandom());

try {
    HttpsURLConnection con = (HttpsURLConnection)myurl.openConnection();
    con.setSSLSocketFactory(context.getSocketFactory());
    System.out.println("Response Code: " + con.getResponseCode()); 
    System.out.println("Cipher Suite: " + con.getCipherSuite());
	System.out.println("TLS 1.2 OK");
} catch (Exception e) {
    System.out.println("TLS 1.2 Failed: " + e.toString());
    System.exit(1);
}

.NET

If you are using a later version of the .NET library and it is not working for you, the current workaround is to set the security protocol preferences yourself on initialization of your program. You can try to connect to our New Relic TLS Check.

For .NET 4.5 you can explicitly set the Security Protocol to TLS 1.2
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

For .NET 4.0 TLS 1.2 is not explicitly added. If you install .NET 4.5 (or later) you can set the Security Protocol to TLS 1.2 by using the explicit value 3072.
ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072;

For applications that target .NET 3.5 they do not contain support for TLS 1.2. However, you can install a Microsoft Security Update on older servers to install TLS 1.2 and configure the registry to use the operating system defaults for SSL and TLS.

Another option for Windows Server 2008 R2 and greater may be to explicitly set TLS 1.2 as the operating system default protocol. Windows Server - TLS/SSL Settings

OpenSSL

openssl s_client -connect tlstest.newrelic.com:443

Ruby

require 'net/http'
require 'net/https'

uri = URI.parse(‘https://tlscheck.newrelic.com’)

Net::HTTP.version_1_2()
request = Net::HTTP.new(uri.host, uri.port)
request.use_ssl = true
request.verify_mode = OpenSSL::SSL::VERIFY_NONE
response = request.get("/")

# => #<Net::HTTPOK 200 OK readbody=true>
puts response.code

Curl

curl --tlsv1.2 https://tlscheck.newrelic.com > tlscheck.html

Wget

wget --secure-protocol=TLSv1_2 https://tlscheck.newrelic.com

When do you need to make a change?

We will be permanently disabling TLS 1.0 access to customer-facing New Relic endpoints on September 15, 2017 and will require TLS 1.2. Your systems will need to connect using TLS 1.2 by 11:59 PM UTC on September 15, 2017 to avoid any interruption in your data retrieval.

We understand that it will take time and effort to make this change, and we appreciate your help keeping your data secure. Please let us know if you have any questions by commenting on this topic.


TLS v1.2 support in New Relic Server Agent