Update: Salesforce TLS 1.0 Phaseout Timeline adjustments.
If you follow this blog, you're probably already aware that Salesforce is phasing out TLS 1.0 support. You also probably know that, to ensure you don't lose access to Salesforce.com, there are some important steps you'll need to take.
Recently, Salesforce has updated their timeline for disabling TLS 1.0 to and from Salesforce. While exact dates are not yet determined, Salesforce has provided an updated timeframe:
Service | Previous Deadline | New Deadline |
Sandbox Instances | February 20 - March 12, 2016 | Late June 2016 |
Production Instances | April 2016 | Early 2017 |
login.salesforce.com, other services | April 2016 | Early 2017 |
What is TLS?
TLS, or Transport Layer Security, is a protocol designed to provide security over a computer network. TLS allows web browsers and applications to communicate with a server while preventing eavesdropping. TLS 1.0 first appeared in 1999, making it over 15 years old. Since its release, TLS 1.1 and TLS 1.2 have appeared, and TLS 1.3 is in a working draft state.
Why is Salesforce phasing out TLS 1.0?
As mentioned above, TLS 1.0 is now considered an older technology. The more recent iterations of TLS provide more protection and support more functionality. This helps to provide greater security to your organization and its data. Phasing out TLS 1.0 means requiring support for TLS 1.1 and higher. This improves security and keeps Salesforce in alignment with industry standards for encryption.
Learn more about evolving security standards.
How might this affect me or my users?
Users working on older browsers or older mobile device platforms may be affected by this change. Inbound and Outbound API Integrations may be affected if the service does not support TLS 1.1 or higher. Any application not located within Salesforce that communicates with Salesforce may be affected. This includes middleware, integrations with ERPs and other CRMs, SSO providers, data loading tools, and Salesforce for Outlook.
Your customers may also be affected. If you provide portal login access to your customers using Salesforce Communities, Customer or Partner Portal, Force.com Sites, or Site.com, your customers may not be able to access those sites if they are using older versions of web browsers.
How can I confirm that my organization is ready?
Salesforce has made many resources available that should help you confirm that your organization is ready for the phase out of TLS 1.0.
Read Salesforce’s guidance on preparing for the disabling of TLS 1.0
Is there any way to verify that my organization is ready for this change?
Yes! Salesforce has provided a setting, “Require TLS 1.1 or higher for HTTPS connections”, that can be turned on prior to the disablement date. This setting will impact the following features:
- Web requests to Salesforce URLs that require authentication
- Web requests to the login page of a My Domain
- Web requests to Community or Force.com sites
- Web requests to Customer and Partner portals
- Web to lead and web to case requests to a Salesforce instance or My Domain
- API requests to Salesforce
- Callouts using Apex to a remote endpoint
- Workflow outbound messaging callouts to a remote endpoint
- Callouts using Lightning Connect to a remote endpoint
- AJAX proxy callouts to a remote endpoint
- Delegated authentication callouts to a remote endpoint
Be mindful that right now, the setting does not impact these features:
- Web or API requests to Live Agent
- Web or API requests to Chatter Messenger
- Web to lead and web to case requests to www.salesforce.com
- Web requests to published non-community Site.com sites
- Salesforce Files Connect callouts to a remote SharePoint server
- Exchange Sync callouts to a remote Microsoft Exchange server
It is recommended that you do these tests first using a free developer org and then in a sandbox copy of your environment.
Read more about the TLS 1.0 Disablement Setting.
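For the callout features listed above (Apex, outbound messaging, delegated authentication), the remote endpoint itself has to accept TLS 1.1 or higher. The following is an added example, not tooling from Salesforce or from this blog: a Python probe that pins one TLS version per handshake and classifies the result. The host name is whatever endpoint you operate, and the status strings are names chosen for this example.

```python
import socket
import ssl
import sys
import warnings

# Versions to probe, oldest first. The keys are labels used by this example only.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def pinned_context(version):
    """Verifying client context that offers exactly one TLS version."""
    ctx = ssl.create_default_context()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLS 1.0/1.1 are deprecated
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def probe(host, port, version, timeout=5.0):
    """One handshake at a pinned version: 'ok', 'cert-error' or 'failed'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with pinned_context(version).wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return "cert-error"  # version was negotiated, certificate was rejected
    except OSError:  # ssl.SSLError, timeouts and connection errors
        # A current OpenSSL build may itself refuse TLS 1.0/1.1, so 'failed'
        # for those versions is not proof about the endpoint.
        return "failed"

def readiness(results):
    """Classify an endpoint from a {version label: probe status} mapping."""
    accepted = [v for v in ("TLSv1.1", "TLSv1.2") if results.get(v) in ("ok", "cert-error")]
    if accepted:
        untrusted = any(results.get(v) == "cert-error" for v in accepted)
        note = " (certificate not trusted by this host)" if untrusted else ""
        return "ready: accepts " + ", ".join(accepted) + note
    if results.get("TLSv1.0") in ("ok", "cert-error"):
        return "at risk: TLS 1.0 only"
    return "unknown: no handshake succeeded from this host"

if __name__ == "__main__":
    host = sys.argv[1]  # an endpoint you operate, e.g. the target of an Apex callout
    results = {name: probe(host, 443, v) for name, v in VERSIONS.items()}
    print(results, readiness(results), sep="\n")
```
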
When should I begin to take action?
Ideally, sooner rather than later. Realistically, this will depend upon a variety of factors. Some to consider are the size of your organization, systems affected, and resources available. With the updated schedule from Salesforce, you will be able to access Salesforce using TLS 1.0 until June 2016. Other applications your organization uses might also be changing. Those applications may have a more aggressive timeframe. If so, you will need to take that information into consideration.
Where can I find more help?
Salesforce has made documentation available which can help users manage this transition. As Salesforce prepares for this change, they are making additional information available. Be sure to search their knowledgebase for more information.
Read the latest (as of 3/7/2016) update on Salesforce Disabling TLS 1.0.
Summa can help. We've researched many applications - if the documentation from Salesforce proves insufficient, we may be able to provide solutions, suggest alternatives, and identify risks.