Updates to TLS versions for KMS instances in US (Virginia) and US (Silicon Valley) regions

Updated at:
Copy as MD

Starting August 7, 2025 (UTC+8), Alibaba Cloud Key Management Service (KMS) will update the supported Transport Layer Security (TLS) versions for newly purchased KMS instances in the US (Virginia) and US (Silicon Valley) regions. Existing instances are not affected.

Am I affected?

This update applies only to newly purchased KMS instances created on or after August 7, 2025.

If you currently connect to KMS using TLS 1.2, no action is required.

If you connect using TLS 1.0 or TLS 1.1, check whether you plan to purchase new KMS instances in either region after August 7, 2025. If so, update your client to use TLS 1.2 before creating those instances.

What changes on August 7, 2025

Before the update, all KMS instances in US (Virginia) and US (Silicon Valley) support TLS 1.0, TLS 1.1, and TLS 1.2, regardless of gateway type.

After the update, newly purchased instances follow this policy:

User typeDedicated gatewayShared gateway
New usersTLS 1.2TLS 1.2
Existing usersTLS 1.2TLS 1.0, TLS 1.1, and TLS 1.2
Note

Existing instances (purchased before August 7, 2025) are not affected. They continue to support TLS 1.0, TLS 1.1, and TLS 1.2.

What you need to do

  1. Determine whether you plan to purchase new KMS instances in US (Virginia) or US (Silicon Valley) after August 7, 2025.

  2. If yes, check whether your client connects using TLS 1.0 or TLS 1.1.

  3. If your client uses TLS 1.0 or TLS 1.1, update the client configuration to use TLS 1.2 before creating the new instances.

To enable or disable TLS 1.0 or TLS 1.1 on your instances, contact us.