Upgrading to TLS 1.2

Still using TLS older than 1.2? We get it: updates take time. But now’s the time to upgrade for better security and compliance.

Key Takeaways
- TLS 1.1 is officially deprecated. Bird (formerly SparkPost) no longer supports connections using TLS 1.1 after September 2020. All systems must support TLS 1.2 or higher to maintain secure connectivity.
- Why the upgrade matters: TLS 1.2 has been the recommended protocol for over a decade. It offers stronger encryption, better performance, and compliance with modern security standards, while older versions are vulnerable to attacks.
- **How to check your system:**
  - Linux: Use `nmap --script ssl-enum-ciphers -p 443 api.sparkpost.com` or openssl to verify protocol support.
  - macOS: Run `curl https://api.sparkpost.com/ --tlsv1.2 --verbose` in Terminal.
  - Windows: Go to Internet Options → Advanced and ensure "Use TLS 1.2" is checked.
- **How to enable TLS 1.2:**
  - On Apache, update the SSL configuration: `SSLProtocol -all +TLSv1.2`
  - On Nginx, modify `ssl_protocols TLSv1.2;` and restart your service.
- Why not TLS 1.3 (yet)? While TLS 1.3 is the next step forward, AWS Application Load Balancers (used by SparkPost/Bird) did not yet support it at the time. Still, upgrading OpenSSL to v1.1.1+ prepares you for an easy future transition.
- Security-conscious recognition. Bird encouraged early adopters to share their upgrade success and join their "wall of awesomeness", celebrating proactive security compliance.

Q&A Highlights
- Why is TLS 1.2 required? Because earlier versions (1.0 and 1.1) are insecure and deprecated by the IETF. TLS 1.2 offers stronger encryption and integrity protection for API and SMTP connections.
- Who does this affect? Any customer connecting to Bird (via REST API, SMTP, webhooks, or metrics endpoints) using an outdated TLS version.
- How can I test my connection? Run one of the verification commands for your OS (Linux, macOS, or Windows). If the output shows a successful TLSv1.2 handshake, your connection is compliant.
- What happens if I don’t upgrade? Your connections will fail once TLS 1.1 is disabled. You’ll lose the ability to send messages or access APIs until your system supports TLS 1.2.
- Can I enable TLS 1.3 now? You can, but it may not yet be supported by AWS ALBs. Updating OpenSSL to v1.1.1+ ensures compatibility when TLS 1.3 becomes available.
- Do I need to change anything if I’m using Bird through a library or SDK? Most modern SDKs already default to TLS 1.2. However, verify your environment’s SSL configuration or library version if it’s older than mid-2018.
- Is there a way to confirm success? Yes. After testing your connection, Bird invited users to email confirmation to their support team, verifying readiness before the cutoff date.

Checking for support in Windows
Similar to the Mac use case, the most common reason you may need to check for support on your Windows machine is that you use it for local development, so let’s assume that and check for your support.
Windows 7 and Windows 10 use basically the same process. If you are using something earlier, please upgrade as prior versions do not support TLS 1.2.
Start by clicking START in the bottom left corner (usually).
Type "Internet Options" and select the match from the resulting list.
Click on the Advanced tab and from there scroll down to the very bottom. If TLS 1.2 is checked you are already all set. If it is not, please check the box adjacent to Use TLS 1.2 and then Apply.
Does this affect me?
Back in 2018 we asked our customers to upgrade, and TLS 1.2 has been the recommendation for quite some time, so it is very likely that you are NOT affected. However, if you use any method to inject messages (SMTP or REST API) or collect data (metrics or webhooks, etc), then you really should check now to make sure your system can support TLS 1.2. Make sure you run the following tests on the servers that actually connect to SparkPost.
Why it is important

| Why upgrading to TLS 1.2 matters | Details |
| --- | --- |
| TLS 1.1 support is ending | SparkPost will no longer accept TLS 1.1 connections after September 2020 |
| Older versions are insecure | Legacy TLS protocols are vulnerable to modern attack methods |
| Industry-standard compliance | TLS 1.2 has been the recommended secure protocol for years |
| Better performance and reliability | Faster, more stable encrypted connections |
| Officially deprecated | IETF standards classify TLS 1.1 as outdated |

Why now?
Actually, the question should be "why are you still supporting it?" TLS 1.2 has been the recommended secure standard for more than a decade, and we are down to the wire on anyone actually offering any support at all for anything less than TLS 1.2. It is time for weak HTTPS support to die once and for all. If you are still using TLS 1.1 past March 2020, you are going to have a hard time connecting to most services. SparkPost has provided ample grace to get this updated, and now we are sending out final notices to get this upgraded before September, when we kill it off for good.
But how, pray tell, can you fix it?
It is very possible that your IT SysAdmin or WebAdmin has done this already for you as part of their normal maintenance. If so you should buy them a beer and say thank you. If not you can follow some of the steps below to get it done in Linux, Windows, and Mac.
Note that throughout this document we will test with the US SparkPost end-point
If you normally use the European deployment, you should use the EU end-point instead.
How can you check? (Linux version)
First, let’s check to see if your friendly neighborhood SysAdmin already took care of this for you. This is actually part of the SSL configuration so it can be managed in your system config. Assuming you are using Linux, the most descriptive method is using nmap but you can also use openssl. You can use nmap with Linux, Windows and Mac, but we will explore other methods for Windows and Macs as well if you don’t want to install new software.
To do this with nmap, test the ciphers against a known HTTPS host. Since the point is to make sure we are connecting to SparkPost securely, let’s test against that endpoint. Make sure you run the following tests on the servers that actually connect to SparkPost.
```
nmap --script ssl-enum-ciphers -p 443 api.sparkpost.com
```
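The openssl route mentioned above, written out as an added example that is not part of the original article; `classify_handshake` and `check_tls12` are names chosen here, and the two sample outputs are constructed. It reads the session summary printed by `openssl s_client` and treats a cipher of `0000` as a failed handshake, because s_client can still print the requested protocol version when negotiation fails.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): decide whether an
# `openssl s_client` run really negotiated TLS 1.2 or newer.

# Reads s_client output on stdin. Prints "ok <protocol> <cipher>" and returns 0
# when a session was established at TLS 1.2+, otherwise prints "fail" and returns 1.
classify_handshake() {
  awk '
    /^ *Protocol *:/ { proto  = $NF }   # SSL-Session "Protocol  : TLSv1.2"
    /^ *Cipher *:/   { cipher = $NF }   # SSL-Session "Cipher    : <suite>"
    END {
      # A failed handshake can still show the requested protocol, but with
      # cipher 0000, so the cipher has to be checked as well.
      if (proto ~ /^TLSv1\.[23]$/ && cipher != "" && cipher != "0000") {
        print "ok", proto, cipher; exit 0
      }
      print "fail"; exit 1
    }'
}

# Live check against a host (needs network access and the openssl CLI).
# -tls1_2 restricts the handshake to TLS 1.2; -servername sends SNI.
check_tls12() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -tls1_2 \
    </dev/null 2>/dev/null | classify_handshake
}

# Constructed sample output: successful TLS 1.2 handshake.
SAMPLE_OK='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

# Constructed sample output: handshake did not complete.
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'
```

Run `check_tls12 api.sparkpost.com` on the server that actually connects to SparkPost; a line starting with `ok TLSv1.2` means the handshake completed.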
Checking for support on your Mac
The most common reason you may need to check for support on your Mac is that you use it for local development, so let’s assume that and check for your support.
The least invasive method is using curl which should be built into every Mac. Launch the Terminal application and use the protocol flag to test specifically for TLS1.2.
```
curl https://api.sparkpost.com/ --tlsv1.2 --verbose
* Trying 54.213.185.174...
* TCP_NODELAY set
* Connected to api.sparkpost.com (54.213.185.174) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: TLSv1.2
```
Going one step further
Why stop at TLS 1.2 when you know – you just know – that we are all going to have to upgrade to TLS 1.3 in the next year or so? Why not just upgrade to TLSv1.3 while we are at it?
Unfortunately, AWS ALBs do not support TLS1.3 yet, so if you do upgrade your configuration, your connection to SparkPost and any other AWS service that uses the ALB layer will still be limited to TLS1.2. Personally, I still think it is a good idea to get ahead of the curve and upgrade to 1.3 while you are making changes anyway.
If you want to add TLS 1.3 support you will probably have to update your OpenSSL library first to V1.1.1 or later and then add +TLSv1.3 to the protocol line mentioned above. Similar instructions can be found here for Nginx and Cloudflare as well.
Stay safe out there
Finally, it would be great if you could drop us a quick email to let us know you have verified you are TLS 1.2 capable. We really don’t want to cut anyone off and the drop-dead date is September 2020. If we know you are all in the safe zone, we’ll feel much better about turning off the old support.