Tuesday, 28 June 2016

TLS 1.0 has been disabled For Sandbox - Salesforce

Salesforce has finally disabled TLS 1.0 in sandboxes .This is in preparation for disablement later in 2017 for PRODUCTION instances .

Now this would have not impacted your integrations in PRODUCTION org but if your integration is broken in your sandbox ,this means you have only few months to sort this and fix before this affects your integration for PROD live users .

Before we deep drive on how to possibly fix this and work with your external systems to figure solution ,lets first understand what is TLS and why did SFDC moved to 1.x and had to disable TLS 1.0

TLS 1.0 Explained

TLS 1.1 Improvements 

  • Added protection against cipher-block chaining (CBC) attacks.
  • Support for IANA registration of parameters.

Clearly TLS 1.1 is more secure(Compared to 1.0) and protects salesforce resources against CBC attacks .

Identify if this change broke anything .The things that can be affected in your instances are as below
  1. Web requests to Salesforce URLs that require authentication
  2. Web requests to the login page of a My Domain
  3. Web requests to Community or Force.com sites
  4. Web requests to Customer and Partner portals
  5. Web to lead, web to case, and web to custom object requests
  6. API requests to Salesforce
  7. Callouts using Apex to a remote endpoint
  8. Workflow outbound messaging callouts to a remote endpoint
  9. Callouts using Lightning Connect to a remote endpoint
  10. AJAX proxy callouts to a remote endpoint
  11. Delegated authentication callouts to a remote endpoint
  12. Mobile apps developed with Salesforce Mobile SDK need to upgraded to SDK v4
That's a big list and if you are an enterprise org ,then I am sure you would have at least one of the above things in your org and you may find it to be broken .

The most common complains that I have received and encountered myself has been our IDE no more able to authenticate or our eclipse no more working ,or our migration tools are affected .

An example screenshot of error I got last night working with my ANT tool is as below

So below are some of the suggestions to fix this issue,

1. If you are using force.com migration tool and ANT process be on a latest ANT version -atleast 36.0
2.If you are using Java 7 ,upgrade to Java 8 since Java 8 by default uses 1.2 
3.If have an integration running on a webserver ,there will be setting to disable TLS 1.0 
4.You can disable TLS 1.0 in your browser 

5.Look for specific configuration if you want to explicitly force tools to use TLS 1.1 or TLS 1.2 .For example if you still want to use Java 7 and force your ANT tool to use TLS 1.1 ,you can add an environment variable like below for windows 

6.If you use Java 7, disable TLS 1.0. (TLS 1.0 is disabled by default in Java 8.) Update your eclipse.ini file to include this line:
Update your eclipse.ini file to include this line:
The location of the eclipse.ini file depends on your operating system. For more information, see [https://wiki.eclipse.org/Eclipse.ini].

Hopefully this sheds some light and those of you trying to fix this issue get enough out of it and fix your issues .

There is more info here below 


Feel free to ping me on twitter @msrivastav13 or reach by mail msrivastav13@gmail.com in case of concerns .

Introducing Lightning Base Components

Lightning Base Components are great addition to the platform and in fact revolutionary .One of the concerns around lightning component ...