mulesoft · luanamulesoft · Apr 16, 2024 · Mar 13, 2025
@@ -1,13 +1,5 @@
 // TLS 1.0 Support
 //tag::tlsSupport[]
-Although TLS 1.0 is not recommended due to security vulnerabilities,
-you can enable support if required for communication with legacy clients.
 
-You can enable TLS 1.0 support only on the default SSL endpoint of the DLB. 
-Enabling TLS 1.0 support applies to the entire DLB, not a single SSL endpoint.
-
-[IMPORTANT]
-For security reasons, do not leave TLS 1.0 enabled.
-After you no longer need TLS 1.0, replace the default cipher suite, for example, with `NewDefault`.
 
 // end::tlsSupport[]
@@ -24,7 +24,7 @@ If an application exceeds the rate limit for a shared load balancer, the load ba
 
 To perform custom load balancer configuration or have higher rate limit thresholds, you must use a dedicated load balancer.
 
-The shared load balancer supports TLS versions 1.1 and TLS 1.2.
+The shared load balancer supports TLS 1.2.
 
 == Dedicated Load Balancers
 

@@ -183,9 +183,6 @@ Most cipher suites offer forward secrecy. RC4-SHA (supports Internet Explorer 8)
 For this reason, MuleSoft and Microsoft do not recommend using it.
 
 The CloudHub dedicated load balancer supports TLS 1.2.
-TLS 1.1 is disabled and is not supported by default.
-
-Although you can configure TLS 1.0, PCI compliance doesn't accept this protocol because of its significant vulnerabilities.
 
 === Display the Default Cipher Suite for a DLB
 
@@ -249,63 +246,6 @@ The output now includes `defaultCipherSuite`:
 "defaultCipherSuite": "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
 ----
 
-=== Change the Default Cipher Suite to Support TLS 1.0
-
-To support TLS 1.0, change the default cipher suite to `OldDefault`:
-
-. xref:lb-cert-validation.adoc#prepare-to-manage-certificate-cipher-suites[Prepare to manage certificate cipher suites].
-. xref:lb-cert-validation.adoc#display-the-default-cipher-suite-for-a-dlb[Display the current default cipher suite].
-. Change the default cipher suite:
-+
---
-
-[source,linenums]
-----
-curl -X PATCH https://anypoint.mulesoft.com/cloudhub/api/organizations/myOrgID/vpcs/myVpcID/loadbalancers/myDlbID  -H 'Authorization: Bearer myAccessToken' -H 'Content-Type: application/json' -d '[{"op":"replace", "path":"/defaultCipherSuiteName", "value":"OldDefault"}]' | jq
-----
-
-In the command:
-
-* `_myOrgID_` is the organization ID.
-* `_myVpcID_` is the ID for the VPC.
-* `_myDlbID_` is the ID for the DLB.
-* `_myAccessToken_` is the access token you generated.
-* `OldDefault` is the name of the cipher suite that supports TLS 1.0.
---
-. Check the default cipher suite and verify that the output includes the following line:
-+
-[source,linenums]
-----
-"defaultCipherSuite": "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
-----
-
-=== Verify the TLS 1.0 Connection
-
-After enabling TLS 1.0, test the connection:
-
-* `openssl`
-+
---
-Run this command against the DLB SSL endpoint:
-
-`openssl s_client -connect _DNS of the SSL endpoint_:443 -tls1`
-
-* If the output includes the certificate information and the message `Secure Renegotiation IS supported`, TLS 1.0 is supported.
-
-* If the command returns `write:errno=54`, TLS 1.0 is not supported.
---
-* `curl`
-+
---
-Run this command against the DLB SSL endpoint:
-
-`curl -vI --insecure --tlsv1.0 https://_DNS of the SSL endpoint_`
-
-* If you see the returned results from the backend server or the HTTP error code, TLS 1.0 is supported.
-
-* If the command returns `curl: (35) Server aborted the SSL handshake`, TLS 1.0 is not supported.
---
-
 == Limitation
 
 To use an ECDSA-based authentication cipher, generate the certificate and key pair using an ECDSA-based algorithm and apply the same algorithm to the SSL certificate and key configuration on the DLB.
@@ -334,6 +274,3 @@ Because current DLB configuration permits only one type of SSL certificate and k
 * xref:lb-allowlists.adoc[Allowlists]
 * xref:lb-mapping-rules.adoc[Mapping Rules]
 * xref:lb-create-arm.adoc[Create a Load Balancer with Runtime Manager]
-* xref:lb-create-arm.adoc#enable-tls-1-0-on-a-dlb-using-runtime-manager[Enable TLS 1.0 on a DLB Using Runtime Manager]
-* xref:lb-create-cli.adoc#enable-tls-1-0-on-a-dlb-using-the-cli[Enable TLS 1.0 on a DLB Using the CLI]
-* xref:lb-create-api.adoc#enable-tls-1-0-on-a-dlb-using-the-cloudhub-api[Enable TLS 1.0 on a DLB Using the CloudHub API]
@@ -27,46 +27,6 @@ include::partial$no-rename.adoc[tag=noRenameDLB]
 
 The CloudHub DLB name cannot start with `internal-`. Starting the DLB name with `internal-` results in error message: `LB name=internal-dlb-name cannot start with -internal`.
 
-== Enable TLS 1.0 on a DLB Using the CloudHub API
-
-// TLS 1.0 Support
-include::partial$tls-support.adoc[tag=tlsSupport]
-
-To enable TLS 1.0 support on a DLB using the CloudHub API:
-
-. Run the following command:
-+
---
-[source,linenums]
-----
-curl -X PATCH \
-  https://anypoint.mulesoft.com/cloudhub/api/organizations/myOrgID/vpcs/myVpcID/loadbalancers/myDlbID \
-  -H 'authorization: Bearer myAccessToken' \
-  -H 'content-type: application/json' \
-  -d '[
-  {
-    "op": "replace",
-    "path": "/sslEndpoints/0/tlsv1",
-    "value": "true"
-  }
-]'
-----
-In the command:
-
-* `_myOrgID_` is the organization ID.
-* `_myVpcID_` is the ID for the VPC.
-* `_myDlbID_` is the ID for the DLB.
-* `_myAccessToken_` is the access token you generated.
-
-The response includes the following:
-
-`"tlsv1": true,`
---
-. Change the default cipher suite to `OldDefault`.
-+
-See xref:lb-cert-validation.adoc#change-the-default-cipher-suite-to-support-tls-1-0[Change the Default Cipher Suite to Support TLS 1.0].
-
-
 == See Also
 
 * https://anypoint.mulesoft.com/exchange/portals/anypoint-platform/f1e97bc6-315a-4490-82a7-23abe036327a.anypoint-platform/cloudhub-api/1.0.13/console/method/%233964/[CloudHub API Create New Load Balancer]

@@ -64,10 +64,6 @@ For more information about static IP addresses, see xref:cloudhub-dedicated-load
 * *Keep URL encoding* specifies that the DLB passes only the `%20` and `%23` characters as is.
 +
 If you deselect this option, the DLB decodes the encoded part of the request URI before passing it to the CloudHub worker.
-+
-* *Support TLS 1.0* specifies to support TLS 1.0 between the client and the DLB.
-+
-To use TLS 1.0, see <<Enable TLS 1.0 on a DLB Using Runtime Manager>>.
 * *Upstream TLS 1.2* specifies to force TLS 1.2 between the DLB and the upstream CloudHub worker.
 * *Forward Client Certificate* specifies that the DLB forwards the client certificate to the CloudHub worker.
 . Add a certificate.
@@ -92,18 +88,6 @@ Click *Add New Rule*, and then specify the input path, target app, output path,
 .. Click *Save Certificate*.
 . Click *Create Load Balancer*.
 
-== Enable TLS 1.0 on a DLB Using Runtime Manager
-
-// TLS 1.0 Support
-include::partial$tls-support.adoc[tag=tlsSupport]
-
-To enable TLS support:
-
-. Select the *Support TLS 1.0* option.
-. Using the API, change the default cipher suite to `OldDefault`.
-+
-See xref:lb-cert-validation.adoc#change-the-default-cipher-suite-to-support-tls-1-0[Change the Default Cipher Suite to Support TLS 1.0].
-
 
 == See Also
 

@@ -33,29 +33,6 @@ include::partial$no-rename.adoc[tag=noRenameDLB]
 
 The CloudHub DLB name cannot start with `internal-`. 
 
-== Enable TLS 1.0 on a DLB Using the CLI
-
-// TLS 1.0 Support
-include::partial$tls-support.adoc[tag=tlsSupport]
-
-To enable TLS 1.0 support on a DLB using the CLI:
-
-. Run the following command to re-create the SSL endpoint for the _myLB_name_ load balancer and add TLS 1.0 support:
-+
-[source,linenums]
-----
-cloudhub load-balancer ssl-endpoint add --tlsv1 myLB_name certificateName privateKey
-----
-. Run the following command to set _certificateName_ as the default SSL endpoint for the _myLB_name_ load balancer:
-+
-[source,linenums]
-----
-cloudhub load-balancer ssl-endpoint set-default myLB_name certificateName
-----
-. Using the API, change the default cipher suite to `OldDefault`.
-+
-See xref:lb-cert-validation.adoc#change-the-default-cipher-suite-to-support-tls-1-0[Change the Default Cipher Suite to Support TLS 1.0].
-
 == See Also
 
 * xref:cloudhub-cli.adoc#cloudhub-load-balancer-create[cloudhub load-balancer create]