Beta App Review – TLS 1.0/1.1 Rejection Despite Supporting Only TLS 1.2+ | Community
Newcomer
October 13, 2025
Question

Beta App Review – TLS 1.0/1.1 Rejection Despite Supporting Only TLS 1.2+


Hi Zoom Developer Community,

I’m currently in the process of submitting my app for Beta Testing on the Zoom Marketplace.
After completing all mandatory requirements and switching the environment to Production, my app failed the Security and Privacy Compliance Review with the following message:

“We noticed your app supports TLS 1.0 & TLS 1.1, which are considered insecure. Please consider ceasing/upgrading these versions.”

However, I’ve verified multiple times that:

  • TLS 1.0 and 1.1 are completely disabled on our servers.

  • Only TLS 1.2 and 1.3 are enabled for all inbound and outbound HTTPS traffic.

  • The backend (Node.js / NestJS) runs behind a reverse proxy with strict SSL configuration.

We’ve attached full configuration and connection test screenshots in our reply to the Marketplace team as proof, but the review still failed.

I’d really appreciate it if anyone from the Zoom team or community could help clarify:

  1. How does Zoom test or verify TLS protocol versions during app security review?

  2. Could there be any specific endpoint or redirect Zoom checks that might cause this false flag?

  3. Has anyone else encountered this issue during Beta or Production app review, and how did you resolve it?

We’ve been waiting quite a while for this process, so any insight or escalation would mean a lot.
Thanks in advance for your support and time!

Best,

4 replies

Newcomer
October 15, 2025

It seems Zoom's security scan may still be detecting legacy TLS endpoints, possibly from redirects, old sub-domains, or third-party dependencies. Even if your main server enforces only TLS 1.2 and TLS 1.3, ensure that all linked URLs, webhooks, and OAuth redirect URLs also disable TLS 1.0 and 1.1. You can verify this using tools like SSL Labs or the Nmap script ssl-enum-ciphers. Double-check that your reverse proxy and load balancer configurations forward TLS correctly. Once all endpoints strictly support TLS 1.2 or higher, share the updated scan report and configuration details with the Zoom Marketplace team to clear the compliance review. I hope it may help!

tule3 Author
Newcomer
October 24, 2025

If that is the case, Zoom should report which endpoint uses 1.1 and 1.2, but there is no information at all.

New Member
February 11, 2026

This is a common false-positive scenario during security compliance scans. Zoom's automated review likely checks all associated endpoints - including OAuth redirect URIs, webhook URLs, and any third-party services your app references. Even if your primary server enforces TLS 1.2+, a single misconfigured subdomain, CDN, or load balancer in the chain can trigger the rejection. I'd recommend running a full scan on every URL registered in your Zoom app using SSL Labs or testssl.sh to catch any weak links.

It's also worth noting that upgrading to TLS 1.3 where possible can help avoid these issues entirely, as it removes support for legacy cipher suites that scanners sometimes misinterpret. If you want to understand the difference between TLS 1.2 and TLS 1.3 and how the upgrade impacts security compliance, that guide breaks it down well. Once you have clean scan reports for all endpoints, resubmit them to the Zoom Marketplace team with the evidence - that should clear the review.
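Both replies above recommend scanning every URL registered in the app. The following is an added example, not part of the thread and not Zoom's review tooling: it parses saved output of `nmap --script ssl-enum-ciphers -p 443 <host>` and lists which endpoints still accept TLS 1.0 or 1.1, and which open ports returned no TLS data at all. The host names and the scan text are constructed and abbreviated.

```python
import re

LEGACY = {"TLSv1.0", "TLSv1.1"}  # labels as printed by ssl-enum-ciphers
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/tcp\s+open\b")
PROTO_RE = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):")

def parse_report(text):
    """Map (host, port) -> set of protocol versions the server accepted."""
    offered, host, key = {}, None, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            host, key = m.group(1), None
        elif m := PORT_RE.match(line):
            key = (host, int(m.group(1)))
            offered[key] = set()
        elif key and (m := PROTO_RE.match(line)):
            offered[key].add(m.group(1))
    return offered

def review(text):
    """Return (legacy findings, open ports with no TLS data); no data is not a pass."""
    offered = parse_report(text)
    findings = sorted((h, p, v) for (h, p), vs in offered.items()
                      for v in vs & LEGACY)
    no_data = sorted(k for k, vs in offered.items() if not vs)
    return findings, no_data

# Constructed, abbreviated sample in Nmap's normal output format.
SAMPLE = """\
Nmap scan report for app.example.test (192.0.2.10)
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|   TLSv1.3:
|_  least strength: A
Nmap scan report for hooks.example.test (192.0.2.20)
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.1:
|   TLSv1.2:
Nmap scan report for cdn.example.test (192.0.2.30)
443/tcp open  https
"""

print(review(SAMPLE))
```

Run the scan against every host that appears in the app's OAuth redirect, webhook and home URLs, not only the main API host, and treat any endpoint in the second list as unverified rather than compliant.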

Newcomer
February 15, 2026

Were you able to sort this out and get approved?