TLS 1.0 Disablement across Salesforce
What is TLS?
TLS or Transport Layer Security is an internet protocol that ensures privacy between communicating applications and their users on the internet.
TLS ensures that the transfer of information across the internet is secure, so that no third party can eavesdrop on or tamper with any message, for example when data is transferred between Salesforce and an external party, including a web browser.
Why is TLS1.0 being Disabled?
TLS1.0 is an older protocol, and a number of attacks against it over the years have highlighted security vulnerabilities. It is therefore no longer considered strong encryption.
There are newer protocols (TLS1.1 or 1.2) that provide better safety and security.
Note: This change is not specific to Salesforce, rather it is an industry-wide change to align with security best practices.
Can I check if we will be impacted?
Yes! Your Salesforce System Administrator can run a simple report to identify any browsers or other connections that are using TLS1.0 and need to be updated before March 2017.
- Click Setup
- In the left-hand Setup menu, navigate to the Administer section
- Expand the section Manage Users
- Click Login History
- Under Download Options | File Contents, select TLS1.0 Logins Only
- Click the Download Now button to export a CSV file
- Open the exported file and review the Application column which lists all connections using the TLS1.0 protocol. These applications/connections will need to be updated prior to March 2017.
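Reviewing the export by hand gets slow on a busy org, so the following is an added example (not Salesforce code) that groups the TLS1.0 logins in the exported CSV by the Application column. Only "Application" is named on this page; the "Username" and "TLS Protocol" header names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Login History export. "Application" comes from the
# page; "Username" and "TLS Protocol" are assumed header names, so adjust the
# keyword arguments below to match the headers in your own file.
SAMPLE_CSV = """Username,Application,TLS Protocol
alice@example.com,Browser,TLS 1.0
bob@example.com,Salesforce for Outlook,TLS 1.0
alice@example.com,Browser,TLS 1.0
carol@example.com,Data Loader,TLS 1.2
svc-etl@example.com,,TLS 1.0
"""

def is_tls10(value):
    """True for 'TLS 1.0', 'TLSv1', 'tls1.0' and similar spellings."""
    v = value.lower().replace(" ", "").replace("v", "")
    return v in ("tls1.0", "tls1")

def summarize_tls10(csv_file, app_col="Application", user_col="Username",
                    tls_col="TLS Protocol"):
    """Return [(application, login_count, [users])], busiest application first."""
    reader = csv.DictReader(csv_file)
    fields = reader.fieldnames or []
    if app_col not in fields:
        raise ValueError(f"column {app_col!r} not found in {fields}")
    has_tls_col = tls_col in fields
    apps = defaultdict(lambda: {"logins": 0, "users": set()})
    for row in reader:
        # A "TLS1.0 Logins Only" export is already filtered; a full export is
        # filtered here when the TLS column is present.
        if has_tls_col and not is_tls10(row[tls_col] or ""):
            continue
        # Rows with no application name still need an owner, so keep them.
        app = (row[app_col] or "").strip() or "(unknown application)"
        apps[app]["logins"] += 1
        apps[app]["users"].add((row.get(user_col) or "").strip())
    rows = [(app, e["logins"], sorted(e["users"])) for app, e in apps.items()]
    return sorted(rows, key=lambda r: -r[1])

if __name__ == "__main__":
    # For a real export use: open("LoginHistory.csv", newline="")
    for app, logins, users in summarize_tls10(io.StringIO(SAMPLE_CSV)):
        print(f"{app}: {logins} TLS1.0 logins by {', '.join(users)}")
```

Each application in the output needs an owner and an upgrade plan before the disablement date; rows reported as "(unknown application)" usually point to API integrations worth tracing by username.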
Apps/Connections that will be Impacted
Customers and/or end users accessing any of the following:
- Salesforce1 mobile
- Salesforce Communities
- Salesforce Customer & Partner Portals
- Force.com Sites
- Salesforce Data Loader
- Salesforce for Outlook (*see Appendix 2 below)
- Salesforce File Sync
- Desktop CTI and Open CTI
- Marketing Cloud
- Pardot B2B Marketing Automation
- Single Sign-On
- Chatter Desktop
- Microsoft Integration Products
- Identity Connect
- Custom HTTPS domains
- Java tools (e.g. Skyvva, Informatica) that are not on the current version (8) of Java are likely to fail
- Or using inbound (API) or outbound (call-out) integrations that do not accept TLS1.1 or 1.2
How do we prepare?
- Understand the change and the potential impact
- Identify browsers and/or connections that are using TLS1.0
  - See “Can I check if we will be impacted?”
  - See Appendix 1 to check browser compatibility
- Identify outgoing (call-out) integrations that are relying on TLS1.0
  - See the Resources section below
- Contact your IT department to update any browsers using TLS1.0
- Contact your Salesforce Administrator to update any application/inbound or outbound connection using TLS1.0
- Test and transition
  - We recommend using an existing sandbox or creating a new one to do your testing
- Check the Salesforce Knowledge Article regularly for updates
When does the disablement begin?
Note: Like a light switch, the disablement will happen for all orgs at the same time. When Salesforce flips the switch, you will no longer be able to connect to Salesforce using TLS1.0.
Tools and Resources
- Salesforce Knowledge Article 000221207
- TLS1.0 Disablement Readiness Checklist
- Browser compatibility test site
- Browser compatibility guidelines
- How to test for API (inbound) integration compatibility
- How to test for call-out (outbound) integration compatibility
Appendix 1 – Check if a user’s browser is compatible
If browsers are not compatible with TLS 1.1 or higher after this change, your users will NOT be able to access Salesforce.
Browser Compatibility Test Site: https://tls1test.salesforce.com/s/
If you are able to view our test site (which has TLS1.0 disabled) without errors, access to Salesforce via your browser should not be impacted by this change, and no action is required.
An example of an error message from Internet Explorer that doesn’t allow a TLS1.0 connection when a user logs into Salesforce
Appendix 2 – Upgrade Salesforce for Outlook by March 2017
Users must be upgraded to Salesforce for Outlook (SFO) version 3.0.0 or later before Salesforce disables TLS 1.0 on March 4, 2017. Users that are not using SFO v3.0.0 or later will be unable to connect to Salesforce through SFO.
How can I tell which versions of Salesforce for Outlook my users are on?
The Salesforce Login History report shows you the SFO version your users are working from, as well as the TLS version being used for those logins. Work directly with users working from older versions of SFO to upgrade them to v3.0.0 or later. If your SFO deployment is centrally managed using the MSI installer, you may need to work with your internal IT department to upgrade your users to SFO v3.0.0 or later. For detailed instructions on using the Login History report, read the Monitor Login History help topic.
Are there alternatives to Salesforce for Outlook?
If the computing system that your company already has in place prevents your users from upgrading to the latest version of SFO, we encourage you to review the system requirements for Lightning for Outlook and its companion sync component, Lightning Sync. These features support the latest Microsoft applications and offer many of the same features as SFO.