HttpService is dropping support for TLS 1.0 and 1.1

What’s changing?

On July 5, 2022, the Roblox Engine will no longer support making HTTPS requests to servers that do not support at least TLS version 1.2. Previously the minimum required TLS version was 1.0.

Why are TLS 1.0 and 1.1 being removed?

Removing support for these TLS versions from the Roblox Engine will improve security for all HTTPS requests made by any experience. TLS versions 1.0 and 1.1 have been deprecated by the Internet Engineering Task Force (IETF), and all major browsers have removed support for them as well.

How will this affect my experiences?

We currently do not expect this change to cause any impact for most experiences. TLS 1.2 is 14 years old and is supported by all major cloud providers, HTTP server implementations, and websites. Our internal telemetry also shows no instances of experiences making connections to servers using TLS 1.0 or 1.1 in the last two months.

On the chance that your experience makes use of an HTTP server that only supports TLS 1.0 or 1.1, be aware that HTTP requests made to that server will start raising an error after July 5.

How do I verify if my experience will be affected?

Starting today, a warning will be logged to the Studio Output window whenever a script makes an HTTPS request to a server using TLS 1.0 or 1.1. If you run your own HTTP server and are unsure what TLS version it supports, try making a request using HttpService in the command bar. Be sure to use “https://” in the URL.

  • If no warning is printed, your server will continue to be supported after July 5.
  • If a warning is printed, you will need to upgrade your server software to support TLS 1.2. Please consult your software’s documentation for help with this process.

Example

  1. Check that Studio prints a warning for a host with a known outdated TLS version. If it does not, you may need to close and re-open Studio to ensure it is up-to-date.
game:GetService("HttpService"):GetAsync("https://tls-v1-0.badssl.com:1010")
  1. Repeat with your own host for the url.
game:GetService("HttpService"):GetAsync("https://example.com")

70 Likes

This topic was automatically opened after 9 minutes.

Surprised how long it took considering TLS 1.0 is almost 23 years old

35 Likes

Surprised how long this update took to come out. Yet we are thankful for this update, thx guys.

4 Likes

Honestly glad this was released, it has been a long while since TLS 1.0 was released and when I tested the HTTPService API with a server running on TLS 1.1 a few months back I was surprised to see it actually went through.

8 Likes

Quick question, since we’re talking about such procotols, I’m not entirely sure how that works, but I was wondering if HttpService supports QUIC?

4 Likes

From my limited tests, HttpService can only do HTTP/1.1. I’m unable to get it to send a HTTP/2 or HTTP/3 request.

4 Likes

Finally, an OK Roblox change.

And don’t forget proxies make the world go around… That is if you’re living behind a firewall attempting to use 90’s technologies on a rapidly evolving technological platform.

P.S. Webhooks never bothered me anyway.

1 Like

It only supports HTTP GET and POST to my knowledge. Support for a way for a game to receive HTTP requests or a webhook would be a nice to have, but I’m sure there’s a lot of technical and security hard ships stopping that.

1 Like

Glad to see thoses gone. I can just say that this is maybe good. Its never ok to use a 90’s fire walls and ect. Like sure they may be cool to see but never it can help you from thoses virus’s and stuff and it may not even work. All I am saying is that removing things from era’s that are now can be by passed is good.

1 Like

Supports other methods, which you can specify when using HttpService:RequestAsync.

1 Like

If this happens to a game, how can the owner change this? Or will it be affected forever?

1 Like

Goodbye IE6 on ROBLOX!

Or is it?

I think IE6 used TLS 1.0 as the maximum,will this be affected?!

I’m surprised that they are dropping support for it. but TLS 1.2 and TLS 1.3 will maybe dropped support in the future like in a year or two.

Took long enough to make these changes… Finally!

Not too sure why you are surprised to see TLS 1.0 and 1.1 support being dropped? Both protocols are unsupported by all major browsers and their usage in the industry is little to none.

TLS 1.3 will not be dropped anytime in the near future as the protocol was only released in 2018 and is still the latest version of TLS. As for TLS 1.2, it will likely survive a few more years. All major browsers support it and a good handful of websites and services are still using the protocol.