Transport Layer Security (TLS) 1.0 and 1.1 are legacy cryptographic protocols that first appeared in 1999 and 2006, respectively. These protocols contain known security vulnerabilities, and more secure versions have superseded them, particularly TLS 1.2 (2008) and TLS 1.3 (2018).
Microsoft has progressively phased out support for TLS 1.0 and 1.1 across Windows Server operating systems:
- Windows Server 2019 and later: Disables TLS 1.0 and 1.1 by default
- Windows Server 2016: Allows you to disable TLS 1.0 and 1.1 via registry settings
- Windows Server 2012 R2: Requires updates to support TLS 1.2 as the default protocol
- Windows Server 2012: Requires specific updates to support TLS 1.2
We’re following Microsoft’s recommendation by deferring TLS version selection to the Operating System. This approach prevents systems that don’t enable legacy protocols by default from using them.
Impact on Octopus Cloud customers
We’re removing support for these legacy protocols on Octopus Cloud to enhance security. This change will affect Tentacles on older operating systems that don’t support TLS 1.2+.
Tentacles affected by this change include those running on:
- Windows Server 2012 and 2012 R2 (without TLS 1.2 patches)
These Tentacles will need TLS 1.2+ support to maintain secure connections and continue deployments.
This will also affect newer Operating Systems if you have explicitly disabled TLS 1.2 or 1.3. If affected, you’ll need to re-enable TLS 1.2 or 1.3.
Impact on self-hosted customers using Linux Docker
Our upgrade to Debian 12 in January 2026 will also affect customers using our official Linux Docker image. Like Octopus Cloud, your Tentacles will need TLS 1.2+ support to connect to your Octopus Server.
Impact on self-hosted customers using Windows
Self-hosted customers running Octopus Server on Windows won’t see direct changes to their server. However, your Operating System configuration determines your TLS version availability, so you may already use TLS 1.2+ only.
Most Windows Server 2016+ installations already use TLS 1.2+ by default, so you’re likely already prepared.
Customer support and monitoring
For Octopus Cloud customers: We’re monitoring Octopus Cloud for usages of TLS 1.0 and 1.1, and will reach out to affected customers.
For self-hosted customers: To ensure you’re prepared, please review your environment for TLS 1.0/1.1 dependencies before the January 2026 timeline. This step will help you identify and address any compatibility requirements early.
If you believe your organization may be affected, or if you have questions about TLS protocol support, please don’t hesitate to contact our support team for assistance.
What you can do
To keep your systems connected, you have several options:
Recommended approach for all customers:
- Upgrade your operating system to a supported version (Windows Server 2016 or later, recent Linux distributions)
- Update your Tentacle to the latest version, which includes enhanced TLS support
- Review external integrations to ensure they support TLS 1.2 or higher
Alternative options for specific systems:
- Windows Server 2012: Apply the Microsoft update to enable TLS 1.1 and TLS 1.2 as default protocols
- Windows Server 2012 R2: Install all Windows updates and enable TLS 1.2 in the registry
How to check your current setup:
- External service support: Most modern services already support TLS 1.2+, but you can test connections or contact service providers to confirm
- Operating System TLS: Windows Server 2016+ and modern Linux distributions enable TLS 1.2+ by default. Older operating systems, such as Windows Server 2012/2012 R2, may require security updates to enable TLS 1.2. Since Tentacle uses your OS’s TLS capabilities, ensuring your OS supports TLS 1.2+ is the key step for compatibility
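One way to carry out the operating-system check above on a Windows host, as an added PowerShell example (not Octopus's own tooling): it reads the standard SCHANNEL protocol registry keys and reports any per-protocol overrides without changing anything. It assumes a missing key or value means the Windows version's built-in default applies; `Get-SchannelState` is a hypothetical helper name.

```powershell
# Added example (read-only): report SCHANNEL protocol overrides on this host.
# Assumption: a missing key or value means the OS built-in default applies.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelState {
    param([string]$Protocol, [string]$Role)

    $path = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = $null
    $disabledByDefault = $null
    if (Test-Path -LiteralPath $path) {
        $props = Get-ItemProperty -LiteralPath $path
        $enabled = $props.Enabled                      # DWORD: 0 = off, non-zero = on
        $disabledByDefault = $props.DisabledByDefault  # DWORD: 1 = used only if an app asks
    }

    # An explicit Enabled=0 wins; otherwise DisabledByDefault=1 hides the protocol.
    if ($enabled -eq 0)               { $state = 'Disabled' }
    elseif ($disabledByDefault -eq 1) { $state = 'Disabled by default' }
    elseif ($null -ne $enabled)       { $state = 'Enabled' }
    else                              { $state = 'OS default' }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

# Check both roles, since a host can act as TLS client or server.
$report = foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2', 'TLS 1.3') {
    foreach ($role in 'Client', 'Server') {
        Get-SchannelState -Protocol $protocol -Role $role
    }
}
$report | Format-Table -AutoSize

# TLS 1.2 switched off by an override: this host will lose connectivity.
$tls12Off = $report | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -like 'Disabled*' }
if ($tls12Off) { Write-Warning 'TLS 1.2 is disabled by a registry override; re-enable it.' }

# TLS 1.0/1.1 forced on: an override worth removing once TLS 1.2+ is confirmed.
$legacyOn = $report | Where-Object { ('TLS 1.0', 'TLS 1.1' -contains $_.Protocol) -and $_.State -eq 'Enabled' }
if ($legacyOn) { Write-Warning 'TLS 1.0/1.1 is explicitly enabled; plan to remove the override.' }
```

A row reading "OS default" means no override is present, so the defaults listed earlier for that Windows Server version decide whether the protocol is available.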
Deprecation timeline
Period | Octopus Cloud | Self-Hosted Docker |
---|---|---|
October - November 2025 | We’ll monitor for usages of TLS 1.0/1.1 | Customers should assess their environments |
Mid-November 2025 | We’ll disable TLS 1.0/1.1 on Octopus Cloud (with accommodations for affected customers) | No immediate change |
December 2025 | We’ll continue to track and help affected customers | Customers should continue preparation |
January 2026 | Octopus Cloud will use TLS 1.2+ only | We’ll upgrade the official Docker image to Debian 12, supporting TLS 1.2+ only |
Note: We may adjust this timeline based on customer impact analysis and feedback. We’re committed to providing adequate notice and support throughout the transition process.
Summary
Removing support for these outdated protocols brings us in line with modern security standards. Most customers won’t be affected, but if you’re running older systems, now’s the time to plan your upgrade.
Key takeaways:
- Octopus Cloud customers will see us disable TLS 1.0/1.1 from mid-November 2025, with complete removal by January 2026
- Self-hosted Docker customers will experience changes when we upgrade the official image to Debian 12 in January 2026
- Self-hosted Windows customers will continue to work as before
The best fix is upgrading to modern operating systems with built-in TLS 1.2+ support. If you need more time, apply security patches and enable TLS 1.2 as a temporary measure.
Our support team is here to help throughout this transition. If you have concerns about your environment or need help with remediation, please reach out early so we can work together to ensure a smooth migration.
Happy deployments!