
Are you ready for Salesforce TLS 1.0 deactivation?

UPDATE: Salesforce has extended the TLS 1.0 deactivation date to July 22, 2017. This will give you a bit more time to make sure that your users and integrations are ready for this change.

March 4, 2017 is fast approaching and with it comes the disabling of the TLS 1.0 protocol in Salesforce production orgs. This change has been in the works for a while and shouldn’t come as a surprise to most admins.  Let’s look at the high-level milestones which have already passed:

  • Starting with the Summer ’16 release, Salesforce disabled the protocol in new production orgs.
  • Sandbox orgs had the protocol disabled in late June 2016.
  • Existing production orgs have the option to disable TLS 1.0 via a critical update.

This change in allowed security protocols will impact Salesforce customers in three major areas.

  1. Browser-based connections to Salesforce.com systems
  2. Outbound integrations from a Salesforce org
  3. Inbound API integrations from external applications

The impact on end-users

Web browsers that do not support TLS 1.1 or higher will be unable to connect to Salesforce. Most modern browsers DO support the new security protocols and should have no issue with the switch.  Refer to the list below for details on supported versions.

  • Chrome – Chrome 38 and higher are compatible by default.
  • Internet Explorer – IE 11 is compatible by default.
  • Firefox – Firefox 27 and higher are compatible by default.
  • Safari –  Desktop Safari v7 and higher for OS X 10.9 are compatible.

Salesforce has provided a test site that will help you determine if a given browser supports TLS 1.1.  Open the browser on the system in question and visit https://tls1test.salesforce.com/.  The site will display a green background and a Test Passed message when viewed from a supported browser.

Viewing the page with an unsupported browser results in a ‘This page cannot be displayed’ message. These users will need to update their browser or install a browser that supports the new protocol.

Locating unsupported applications

It is important to note that users may be leveraging tools other than a browser to use Salesforce functionality.  The ‘Login History’ tool in Setup provides usage information which can be used to find incompatible applications.

In addition to retrieving the application list, you can download a CSV copy of all TLS 1.0 login events which occurred during the past six months. The data in this export will list those users and applications that, if not updated, will be negatively affected by the protocol change.
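One way to turn that CSV export into a worklist of users and applications still logging in over TLS 1.0. This is an added example, not part of the original post or Salesforce's own tooling; the column names and timestamp format are assumptions to match against your export's header row, and the sample rows are constructed.

```python
import csv
import io
from datetime import datetime

# Assumed header names and timestamp format; match them to your export's header row.
COL_USER, COL_APP = "Username", "Application"
COL_TLS, COL_TIME = "TLS Protocol", "Login Time"
TIME_FMT = "%Y-%m-%d %H:%M:%S"
LEGACY = {"tls1", "tls1.0"}  # normalized spellings of TLS 1.0

# Constructed sample rows, not real login data.
SAMPLE_EXPORT = """\
Username,Login Time,Application,TLS Protocol
alice@example.com,2017-01-10 08:15:00,Browser,TLS 1.2
bob@example.com,2017-01-11 09:00:00,Legacy Sync Tool,TLS 1.0
Bob@example.com,2017-02-01 09:00:00,Legacy Sync Tool,TLS 1.0
carol@example.com,2017-01-20 14:30:00,Browser,TLSv1
dave@example.com,2017-01-21 10:00:00,API Client,TLS 1.1
erin@example.com,2017-01-22 11:00:00,Browser,
"""

def normalize(proto):
    """Map 'TLS 1.0', 'TLSv1', 'tls 1.0' and similar to one comparable form."""
    return (proto or "").strip().lower().replace(" ", "").replace("v", "")

def tls10_logins(csv_text):
    """Return {(user, app): {"count": n, "last": datetime}} for TLS 1.0 logins."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {COL_USER, COL_APP, COL_TLS, COL_TIME} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    hits = {}
    for row in reader:
        if normalize(row[COL_TLS]) not in LEGACY:
            continue  # TLS 1.1+, or no protocol recorded for this event
        key = (row[COL_USER].strip().lower(), row[COL_APP].strip() or "(unknown)")
        when = datetime.strptime(row[COL_TIME].strip(), TIME_FMT)
        entry = hits.setdefault(key, {"count": 0, "last": when})
        entry["count"] += 1
        entry["last"] = max(entry["last"], when)
    return hits

def report(hits):
    """Flatten to (user, app, count, last_seen), most recent first."""
    rows = [(u, a, h["count"], h["last"]) for (u, a), h in hits.items()]
    return sorted(rows, key=lambda r: r[3], reverse=True)

if __name__ == "__main__":
    for user, app, count, last in report(tls10_logins(SAMPLE_EXPORT)):
        print(f"{user:24} {app:18} {count:3} logins, last {last:%Y-%m-%d}")
```

Sorting by most recent login puts the integrations that are still active at the top, which are the ones to chase before the cutoff.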

Inbound and Outbound Integrations

Integration tools and API connections that communicate with your Salesforce Org will need to support TLS 1.1 or higher.  The Knowledge Article listed below includes test plans for endpoints leveraging SOAP and REST interfaces.

Additional Resources

Salesforce has provided several resources to help Admins transition to a post-TLS 1.0 environment. The very comprehensive Salesforce disabling TLS 1.0 Knowledge Article covers the entire spectrum of technical details associated with this change.

Additionally, the TLS 1.0 Disablement Readiness Checklist provides an action-based approach that helps admins navigate the changes in their org. The checklist provides a template for admins to follow when building their own migration plan.

Set aside some time over the next week or two and review the resources linked above. Then set out to spot-check your org by using the Login History export to get a list of users and integrations using the TLS 1.0 protocol.   With the remaining time, you should be able to coordinate efforts with users of incompatible apps and help them upgrade ahead of the cutoff date.
