Salesforce Is Phasing Out TLS 1.0 Support

Salesforce will be phasing out support for Transport Layer Security (TLS) 1.0 in early 2016, potentially causing your users to no longer have access to Salesforce and the interfaces to and from your Salesforce environment to stop functioning. Sounds bad, right? It doesn’t have to be! This post will explain why and how this may impact you, and what you can do to make sure your environment and users are ready for this change.

What is TLS 1.0, and why do I care?

TLS 1.0 is a cryptographic protocol used to secure network communications. It is also over 15 years old and there are newer, more secure versions of the protocol. To keep up with security standards and keep your data protected, Salesforce is phasing out support of TLS 1.0, forcing the use of TLS 1.1 or above for all communications in and out of Salesforce.

When is this happening?

Salesforce is planning to phase out TLS 1.0 support as follows:

How does this impact users?

Once this change goes into effect for the environment, a user trying to log into the environment with an incompatible web browser will not be able to access Salesforce at all. The user will be able to access Salesforce if they switch to using a supported web browser.

Modern web browsers are not impacted - browsers such as Google Chrome, Mozilla Firefox, and the new Microsoft Edge are constantly kept updated to today’s standards and users using these browsers will see no impact. But if you have users using older versions of Internet Explorer and/or Safari, there is a very good chance your users will be impacted.

For example, Internet Explorer versions 8 and below do not (and cannot) support TLS 1.0 and will not be able to access Salesforce. Versions 9 and 10 can support this change if they run on Windows 7 or Windows 10, but specific action must be taken on the user’s machine first.

The full list of browser compatibility can be found here. Salesforce has also provided a test page that can be used to determine if the web browser you use to access the page currently supports the change. Note that mobile web browsers on Android and iOS devices are impacted as well. I highly recommend everyone read this list and match it up against the browsers that are deployed to your users so you can minimize (and hopefully eliminate!) the impact.

How does this impact my Salesforce environment?

This change potentially impacts any Salesforce organization that has outbound integrations (single sign-on, outbound messaging, Apex call-outs) or inbound integrations (third-party applications & API’s) -- essentially, any application not located in your Salesforce environment that communicates with your Salesforce environment. Common examples are integration middleware, single sign-on providers, and ERP systems. If these systems are not capable of communicating using TLS 1.1 or higher, they will completely stop working once this change is implemented.

Why take action now?

Upgrading applications and deploying web browsers to large groups of users can be lengthy, time-consuming, and require a significant coordination effort. To avoid any interruption of your operations, I recommend doing an audit of your Salesforce environment, identifying all of the third-party interfaces with Salesforce your company has, and reaching out to application owners and vendors ensuring that the version of the application you are currently using supports TLS 1.1 or higher. You may find that you are using an older version of an application that will be impacted by this change but an upgrade to the newest version will resolve the issue, or that the version you are using is not impacted. And we are here to help you - contact your Summa Client Partner to discuss this important change so that it can be turned into a non-event!