Expo’s Servers Will Require TLS 1.2/1.3

From 2020 onward, Expo’s servers will require the latest TLS protocols (TLS 1.2 and 1.3), and will drop support for TLS 1.0 and 1.1.

Published in

Exposition

2 min readNov 20, 2019

Like most websites today, Expo uses HTTPS to secure each connection to the Expo servers. Many different clients connect to Expo: apps that use Expo’s over-the-air updates, servers that send push notifications using Expo’s notification service, Expo CLI, and browsers that visit our website. All of them connect securely with HTTPS. Underneath HTTPS is a layer called Transport Layer Security (TLS), which has evolved over the years. Starting in 2020, Expo will drop support for insecure versions of TLS.

Dropping TLS 1.0 and 1.1

TLS 1.0 (released in 1999) and TLS 1.1 (2006) are slated to be deprecated, and the teams working on Chrome, Edge, Firefox, and Safari have announced they are dropping support for these older protocols next spring. Every major browser and OS released in the last five years has supported TLS 1.2 or newer, including all of the versions of Android (5.0+) and iOS (10+) that Expo supports. Following suit, Expo’s servers will require TLS 1.2 or 1.3 on January 13, 2020.

Part of Expo’s planned TLS configuration for 2020

Changes Required

Most Expo developers do not need to do anything to prepare for this change. Over 99% of the requests to Expo’s servers already use TLS 1.2 or later.

Apps made with Expo will use TLS 1.2. iOS has supported it since iOS 5 (2011), and Expo enables TLS 1.2 on Android 4.4 (2013) and above. Also, all modern browsers have supported it for at least five years.
Most servers also support TLS 1.2: OpenSSL has supported it since OpenSSL 1.0.1 (2012). However, if you are connecting to Expo’s servers (e.g., to send push notifications) from an old server that doesn’t support TLS 1.2, you must upgrade your server’s TLS implementation (e.g., OpenSSL). You may find it helpful to test that your server can connect to sites like https://tls-v1-2.badssl.com:1012/ or https://twitch.tv that support only TLS 1.2 (e.g. try connecting to them with curlor wget).

Given how old TLS 1.2 is, we expect that almost all Expo developers will not be affected by dropping TLS 1.0 and 1.1. If you are affected, now is the time to upgrade your software!

Planned Schedule

On January 13, 2020, the Expo servers will drop support for TLS 1.0 and 1.1. We chose this date to be a couple weeks after the holiday season when most people are back at work. We’ll also mention this change in the release notes for the next Expo SDK (36), which we expect to release this year.

Questions?

Please let us know in the Expo forums, or leave a brief comment below.