On July 5, 2022, the Roblox Engine will no longer support making HTTPS requests to servers that do not support at least TLS version 1.2. Previously the minimum required TLS version was 1.0.
Why are TLS 1.0 and 1.1 being removed?
Removing support for these TLS versions from the Roblox Engine will improve security for all HTTPS requests made by any experience. TLS versions 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF), and all major browsers have removed support for them as well.
How will this affect my experiences?
We currently do not expect this change to cause any impact for most experiences. TLS 1.2 is 14 years old and is supported by all major cloud providers, HTTP server implementations, and websites. Our internal telemetry also shows no instances of experiences making connections to servers using TLS 1.0 or 1.1 in the last two months.
On the chance that your experience makes use of an HTTP server that only supports TLS 1.0 or 1.1, be aware that HTTP requests made to that server will start raising an error after July 5.
How do I verify if my experience will be affected?
Starting today, a warning will be logged to the Studio Output window whenever a script makes an HTTPS request to a server using TLS 1.0 or 1.1. If you run your own HTTP server and are unsure what TLS version it supports, try making a request using HttpService in the command bar. Be sure to use “https://” in the URL.
If no warning is printed, your server will continue to be supported after July 5.
If a warning is printed, you will need to upgrade your server software to support TLS 1.2. Please consult your software’s documentation for help with this process.
Example
Check that Studio prints a warning for a host with a known outdated TLS version. If it does not, you may need to close and re-open Studio to ensure it is up-to-date.
Honestly glad this was released, it has been a long while since TLS 1.0 was released and when I tested the HTTPService API with a server running on TLS 1.1 a few months back I was surprised to see it actually went through.
And don’t forget proxies make the world go around… That is if you’re living behind a firewall attempting to use 90’s technologies on a rapidly evolving technological platform.
It only supports HTTP GET and POST to my knowledge. Support for a way for a game to receive HTTP requests or a webhook would be a nice to have, but I’m sure there’s a lot of technical and security hard ships stopping that.
Glad to see thoses gone. I can just say that this is maybe good. Its never ok to use a 90’s fire walls and ect. Like sure they may be cool to see but never it can help you from thoses virus’s and stuff and it may not even work. All I am saying is that removing things from era’s that are now can be by passed is good.
Not too sure why you are surprised to see TLS 1.0 and 1.1 support being dropped? Both protocols are unsupported by all major browsers and their usage in the industry is little to none.
TLS 1.3 will not be dropped anytime in the near future as the protocol was only released in 2018 and is still the latest version of TLS. As for TLS 1.2, it will likely survive a few more years. All major browsers support it and a good handful of websites and services are still using the protocol.
