Preparing for TLS 1.2 in Office 365 and Office 365 GCC

Summary

To provide best-in-class encryption to our customers, Microsoft plans to deprecate Transport Layer Security (TLS) versions 1.0 and 1.1 in Office 365 and Office 365 GCC. We understand that the security of your data is important, and we're committed to transparency about changes that may affect your use of the TLS service.

The Microsoft TLS 1.0 implementation has no known security vulnerabilities. But because of the potential for future protocol downgrade attacks and other TLS vulnerabilities, we are discontinuing support for TLS 1.0 and 1.1 in Microsoft Office 365 and Office 365 GCC.

For information about how to remove TLS 1.0 and 1.1 dependencies, see the following white paper: Solving the TLS 1.0 problem.

More information

We have already begun deprecation of TLS 1.0 and 1.1 as of January 2020. Any clients, devices, or services that connect to Office 365 through TLS 1.0 or 1.1 in our DoD or GCC High instances are unsupported. For our commercial customers of Office 365, deprecation of TLS 1.0 and 1.1 will begin October 15, 2020 and rollout will continue over the following weeks and months.

We recommend that all client-server and browser-server combinations use TLS 1.2 (or a later version) in order to maintain connection to Office 365 services. You might have to update certain client-server and browser-server combinations.

You'll need to update applications that call Microsoft 365 APIs over TLS 1.0 or TLS 1.1 to use TLS 1.2. .NET 4.5 defaults to TLS 1.1. To update your .NET configuration, see How to enable Transport Layer Security (TLS) 1.2 on clients.

The following clients are known to be unable to use TLS 1.2. Update these clients to ensure uninterrupted access to the service.

  • Android 4.3 and earlier versions
  • Firefox version 5.0 and earlier versions
  • Internet Explorer 8-10 on Windows 7 and earlier versions
  • Internet Explorer 10 on Windows Phone 8
  • Safari 6.0.4/OS X 10.8.4 and earlier versions
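
One way to find the clients listed above in your own environment is to scan proxy or sign-in logs for matching user agents. The following is an added example, not Microsoft code: the log layout (client, tab, user agent), the regular expressions for user-agent tokens, and the sample lines are all assumptions constructed for illustration.

```python
import re

def _ver(text):
    """'10_8_4' or '6.0.4' -> (10, 8, 4) for tuple comparison."""
    return tuple(int(p) for p in re.split(r"[._]", text))

def tls12_incapable(ua):
    """Return the matching entry from the list above, or None.
    The user-agent token patterns are assumptions about common UA formats."""
    def grab(pattern):
        m = re.search(pattern, ua)
        return _ver(m.group(1)) if m else None

    wp, android = grab(r"Windows Phone (\d+(?:\.\d+)*)"), grab(r"Android (\d+(?:\.\d+)*)")
    ie, nt = grab(r"MSIE (\d+)"), grab(r"Windows NT (\d+\.\d+)")
    firefox, safari = grab(r"Firefox/(\d+(?:\.\d+)*)"), grab(r"Version/(\d+(?:\.\d+)*)")
    if wp:  # checked first: later Windows Phone UAs also carry an "Android" token
        hit = wp[0] == 8 and ie == (10,)
        return "Internet Explorer 10 on Windows Phone 8" if hit else None
    if android:
        return "Android 4.3 and earlier" if android[:2] <= (4, 3) else None
    if ie and nt and 8 <= ie[0] <= 10 and nt <= (6, 1):  # Windows 7 is NT 6.1
        return "Internet Explorer 8-10 on Windows 7 and earlier"
    if firefox and firefox[:2] <= (5, 0):
        return "Firefox 5.0 and earlier"
    if safari and "Macintosh" in ua and "Safari/" in ua and safari <= (6, 0, 4):
        return "Safari 6.0.4 and earlier"
    return None

def inventory(lines):
    """Map client -> list entry for every flagged 'client<TAB>user-agent' line."""
    found = {}
    for line in lines:
        client, _, ua = line.partition("\t")
        reason = tls12_incapable(ua)
        if reason:
            found[client] = reason
    return found

# Constructed sample log lines (not real traffic).
SAMPLE = [
    "10.0.0.11\tMozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "10.0.0.12\tMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "10.0.0.13\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "10.0.0.14\tMozilla/5.0 (Macintosh; Intel Mac OS X 10_8_4) AppleWebKit/536.29.13 (KHTML, like Gecko) Version/6.0.4 Safari/536.29.13",
    "10.0.0.16\tMozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)",
]

if __name__ == "__main__":
    print(inventory(SAMPLE))
```

User-agent strings can be altered by the client, so treat the result as a starting inventory to confirm against the devices themselves.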

TLS 1.2 for Microsoft Teams Rooms and Surface Hub

Microsoft Teams Rooms (previously known as Skype Room System V2 SRS V2) have supported TLS 1.2 since December 2018. We recommend that Rooms devices have Microsoft Teams Rooms app version 4.0.64.0 or later installed. For more information, see the Release notes. The changes are backward and forward compatible.

Surface Hub released TLS 1.2 support in May 2019.

TLS 1.2 support for Microsoft Teams Rooms and Surface Hub products also requires the following server-side code changes:

  • Skype for Business Online server changes were made live in April 2019. Now, Skype for Business Online supports connecting Microsoft Teams Rooms and Surface Hub devices by using TLS 1.2.

  • Skype for Business Server customers must install a cumulative update (CU) to use TLS 1.2 for Teams Rooms Systems and Surface Hub.

    • For Skype for Business Server 2015, CU9 was released in May 2019.
    • For Skype for Business Server 2019, CU1 was previously planned for April 2019 but was delayed to June 2019.

    Note

    Skype for Business on-premises customers should not disable TLS 1.0/1.1 before installing specific CUs for Skype for Business Server.

If you are using any on-premises infrastructure for hybrid scenarios or Active Directory Federation Services, make sure that the infrastructure can support both inbound and outbound connections that use TLS 1.2.

References

The following resources provide guidance to help make sure that your clients are using TLS 1.2 or a later version and to disable TLS 1.0 and 1.1.