Mandatory upgrade required to TLS1.2

At the end of March, we will disable TLS1.0/1.1 across all Bing Ads interfaces, and leave support for TLS1.2 only. This includes all the Bing Ads web sites and web services. These changes are necessary due to the potential for future protocol downgrade attacks and other TLS 1.0 vulnerabilities not specific to Microsoft’s implementation.

In planning for this migration to TLS 1.2+, developers and system administrators should be aware of the potential for protocol version hardcoding in applications developed by their employees and partners. Protocol version hardcoding was commonplace in the past for testing and supportability purposes as many different browsers and operating systems had varying levels of TLS support.

Whereas your development implementation and production environment may vary, here are some common client scenarios to ensure TLS1.2 support. Note that the Bing Ads SDKs do not enforce any specific SSL or TLS protocol by default.


.NET Clients

For clients using .NET 4.6 and higher TLS1.2 is enabled by default, but please confirm whether it was modified. The .NET 4.5 clients must either upgrade to .NET 4.6 or higher, or manually set the security protocol to TLS1.2 e.g.,

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12


Java Clients

You must use Java 1.7 or higher for TLS1.2 support. For more details see the Java Platform Group, Product Management Blog: Diagnosing TLS, SSL, and HTTPS.


PHP Clients

The underlying SSL version negotiates connections automatically, so you might not need to take any action unless you have hardcoded a specific protocol. For example, if you are using OpenSSL/1.0.2g TLS1.2 is already supported.


Python Clients

If you are using Python 2.7.9 or higher, TLS1.2 is enabled by default. Please note that support for Python 2 is scheduled to end by 2020, so please consider upgrading to Python 3.4 or higher. For more details, see Porting Python 2 Code to Python 3.


Whether you use the Bing Ads SDKs or maintain your own local proxies to Bing Ads APIs, you’ll need to ensure that your application uses TLS1.2. Also note this recently released TLS 1.0 whitepaper can help you to remove TLS 1.0 dependencies on Windows operating systems. Again, these are only example scenarios, as we know client implementations vary across operating systems and development environments.

We thank you for your patience and understanding in dealing with any compatibility issues that may arise due this change. We appreciate your speed and attention to this matter.