Deprecation of TLS 1.0 and 1.1 for MuleSoft Anypoint Platform - FAQ

This FAQ applies to TLS deprecation changes that went live on 31st January 2025.

There is an additional change going live on 17th October 2025. Refer to this KB article for the additional changes.

Q1: What is the actual change for Cloudhub 1.0?
Answer: No impact on existing TLS 1.1/1.0 connections. No impact on the ability to configure new TLS 1.1/1.0 connections. However, we strongly recommend upgrading to TLS v1.2 or later to maintain compliance with the Payment Card Industry Data Security Standard.

Q2: What is the actual change for Cloudhub 2.0?

Answer: Customers will no longer be able to configure TLS 1.1 ciphers via UI or API under CloudHub 2 Private Space TLS context (Runtime Manager -> Private Space -> Domains & TLS). Existing configurations and connections will not be impacted. 

Q3: Are we updating the customer's Cloudhub 2 Private Space TLS context and removing TLS 1.1 ciphers from existing TLS contexts that are in use?

Answer: No, the update does not remove existing TLS 1.1 ciphers from existing TLS contexts that are in use. However, customers using TLS 1.1 ciphers will no longer be able to view or edit their TLS 1.1 cipher configuration on UI or API. Any updates will need to be on TLS 1.2+ ciphers.

Q4: Will the current configuration using TLS 1.1 ciphers remain, and we are just removing the TLS 1.1 ciphers from all newly created TLS contexts?

Answer: The current configuration using TLS 1.1 ciphers will remain. The change involves removing TLS 1.1 ciphers from all newly created TLS contexts, meaning the customer's existing configuration using TLS 1.1 will remain, but they will lose the ability to configure new TLS contexts with TLS 1.1.

Q5: When is the change going into effect?

Answer: The change is going into effect on January 31st.

Q6: How is this change going into effect?

Answer: The change is a UI/API update where the new UI/API will not allow the configuration of deprecated ciphers in the TLS context. This is not bundled with a Private Space infrastructure upgrade but is a standalone UI/API change.

Q7: Is this change bundled with a Private Space infrastructure upgrade?

Answer: No, this change is not bundled with a Private Space infrastructure upgrade. It is a UI/API change that will be applied starting from January 31st onwards.

Q8: Is this just a UI change?

Answer: No, this is both a UI and API change where the new UI/API will not allow the configuration of deprecated ciphers in the TLS context.

Q9: What does the UI/API change entail?

Answer: The new UI/API will not allow the configuration of deprecated ciphers in the TLS context.

Q10: If I am using the TLS context with default ciphers. The default doesn't include any TLS 1.1 ciphers. Do I need to make any changes?

Answer: The default TLS context does not contain the ciphers that are being deprecated. The TLS 1.1 ciphers are only present if the customer created a TLS context and manually selected the TLS 1.1 ciphers Hence, there is no need to make any changes in the TLS context.

Q11: As an administrator on Anypoint, how do I find all the applications that use the deprecated TLS 1.0 and 1.1 ciphers?

Answer: 

• CloudHub 1.0: Customers can use this document to find the TLS protocols their applications are using. For the DLB, Customers can check the configurations in UI as well as in API to see if they are using TLS 1.0 and 1.1. For SLB, customers need to check if their clients are specifying any TLS protocols while calling to the cloudhub.io URLs. 

• CloudHub 2.0: Customers need to check if their clients are specifying any TLS 1.1 ciphers while connecting to CH2 applications.

Q12: As an app owner for a large number of apps, is there a way for me to update my settings across all my apps to use the newer/supported TLS 1.2 and 1.3 standards without having to go through each app's UI settings?

Answer:  

• CloudHub 1.0: For DLB, customers can go to either UI or API to modify the TLS configuration and update all of the apps to use newer TLS versions.

• CloudHub 2.0: Customers must remove all TLS1.1 ciphers from TLS Contexts. Applications behind those TLS Contexts will no longer support TLS1.1 ciphers.

Q13: I have many apps that are using TLS1.0 and TLS1.1 today. What actions should I take to update them to use support TLS versions?

Answer:

• For CloudHub 1.0: Customers can use this document to upgrade the TLS protocols for their applications.
• For CloudHub 2.0: Customers must remove all TLS1.1 ciphers from TLS Contexts. Applications behind those TLS Contexts will no longer support TLS1.1 ciphers.

Q14: Does this change impact application outbound connections to legacy endpoints which still use TLS1.0 or TLS1.1?

Answer:

There is no impact for outbound connections from within the mule apps