Recently, Salesforce announced that it would be disabling SSL (Secure Sockets Layer) 3.0 because of a security vulnerability published by Google researchers. For most organizations this will not affect the Salesforce instance significantly, but we wanted to keep everyone up to date on the change. Before going any further, here is Salesforce's statement on why SSL 3.0 is being disabled:
“At Salesforce, trust is our #1 value, and we take the protection of our customers’ data very seriously. On October 15, Google researchers published details on a security vulnerability (CVE-2014-3566) that affects the Secure Socket Layer (SSL) 3.0 encryption protocol, also known as “POODLE,” which may allow a man-in-the-middle attack to extract data from secure HTTP connections. Although the vulnerability is somewhat difficult to exploit, to further protect customers, we will be disabling SSL 3.0 to fully address this issue.”
Here's what the change means: once Salesforce disables SSL 3.0, every channel that connects to Salesforce must use TLS 1.0 encryption or higher. Three kinds of channel connect to Salesforce over an encrypted connection:
- Internet browsers: all of Salesforce's supported browsers have TLS 1.0 enabled. Unless you have disabled TLS 1.0 in your browser or are using an unsupported browser, TLS 1.0 is already active. Salesforce provides a test page that already has SSL 3.0 disabled; if you can load that page, you should have no trouble using Salesforce in your browser after the change.
  - Internet Explorer 6 is not officially supported by Salesforce but can handle TLS 1.0; note that IE6 ships with "Use TLS 1.0" unchecked under Internet Options > Advanced, so it may need to be enabled by hand. Assistance with Internet Explorer/TLS 1.0 compatibility can be requested through Salesforce's Help & Training Portal.
- API integrations (inbound integrations): applications or interfaces that are separate from Salesforce but read or write Salesforce data. In Salesforce's words: "If you have any API Integrations, please ensure TLS 1.0 encryption or greater is enabled in the integration." Since the integration is the client in these connections, this is normally a setting in its HTTP client library or TLS stack.
- Callout integrations (outbound integrations): connections that Salesforce itself opens to an outside service to verify credentials or pull data, for example single sign-on callouts, Apex callouts and outbound messaging. If your organization uses these, the external endpoint must accept TLS 1.0 or higher.
So, with all of that said, here is how to prepare for the change: make sure your browsers and integrations have TLS 1.0 or higher enabled. Salesforce also recommends that you disable SSL 3.0 in your own IT environment, with one exception: if you use callouts, wait until after Salesforce has disabled SSL 3.0 on its side before turning it off on the endpoints Salesforce calls. The rollout started on November 7 and will reach all users by December 15.
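For integrations you run yourself, the practical question is whether the client at the other end of the connection offers anything newer than SSL 3.0. The following Python is an added example for this post, not code from Salesforce or from the original article: it classifies the first bytes a client sends (its ClientHello) by the highest protocol version offered, flags the clients that will stop working once SSL 3.0 is refused, and shows the client-side fix for an integration you control. The integration names, the captured bytes and the `SAMPLE_CAPTURES` table are all constructed for illustration.

```python
import ssl

# Wire-format protocol versions as they appear in the TLS record layer and in
# ClientHello.client_version (RFC 6101 for SSL 3.0, RFC 2246/5246 for TLS).
VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}


def _name(version):
    return VERSION_NAMES.get(version, "unknown %d.%d" % version)


def classify_client_hello(data):
    """Inspect the first bytes a client sends and report what it can negotiate.

    Returns None if the bytes are not a ClientHello. Otherwise returns a dict
    with the record-layer version, the client's highest offered version and
    whether that client can still connect once SSL 3.0 is switched off.
    The decision is based on client_version, because a client may keep the
    record-layer version at 3.0 for compatibility while offering TLS in the
    handshake itself.
    """
    if len(data) < 11:
        return None
    if data[0] & 0x80:
        # SSLv2-compatible ClientHello (RFC 5246 appendix E.2): 2-byte length
        # with the high bit set, message type 0x01, then the offered version.
        if data[2] != 0x01:
            return None
        record_version = None
        client_version = (data[3], data[4])
        legacy_v2_header = True
    elif data[0] == 0x16 and data[5] == 0x01:
        # Standard record: type 0x16 (handshake), version, length; handshake
        # header: type 0x01 (ClientHello), 3-byte length; then client_version.
        record_version = (data[1], data[2])
        client_version = (data[9], data[10])
        legacy_v2_header = False
    else:
        return None
    return {
        "legacy_v2_header": legacy_v2_header,
        "record_version": _name(record_version) if record_version else None,
        "client_version": _name(client_version),
        "tls_capable": client_version >= (3, 1),
    }


def clients_that_will_break(captures):
    """Given {integration_name: first_bytes}, list the integrations whose client
    offers nothing newer than SSL 3.0 and so will fail after the cutoff."""
    broken = []
    for name, data in captures.items():
        info = classify_client_hello(data)
        if info is not None and not info["tls_capable"]:
            broken.append(name)
    return broken


def tls_only_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client-side fix for an integration you control: an SSLContext that will
    never negotiate SSL 3.0. Salesforce's 2014 floor was TLS 1.0
    (ssl.TLSVersion.TLSv1); TLS 1.2 is the sensible floor for anything built today."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = floor
    return ctx


# Constructed sample ClientHellos (not real captures). Length fields are filled
# in only as far as the parser reads them.
SAMPLE_CAPTURES = {
    # TLS 1.0 client: record version 3.1, client_version 3.1 -> fine.
    "warehouse-sync": bytes([0x16, 0x03, 0x01, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x01]),
    # SSL 3.0-only client: record and client_version both 3.0 -> will break.
    "legacy-erp-connector": bytes([0x16, 0x03, 0x00, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x00]),
    # Modern client keeping record version 3.0 for compatibility but offering
    # TLS 1.2 in the handshake -> fine (only client_version matters).
    "mobile-app": bytes([0x16, 0x03, 0x00, 0x00, 0x06, 0x01, 0x00, 0x00, 0x02, 0x03, 0x03]),
    # SSLv2-compatible hello offering SSL 3.0 at most -> will break.
    "old-java-client": bytes([0x80, 0x09, 0x01, 0x03, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10]),
    # Plain HTTP, not a handshake at all -> ignored.
    "http-only-probe": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, data in SAMPLE_CAPTURES.items():
        print(name, classify_client_hello(data))
    print("will break after SSL 3.0 shutoff:", clients_that_will_break(SAMPLE_CAPTURES))
```

In practice you would feed `classify_client_hello` the first TLS record of each inbound connection from a packet capture or a load-balancer log rather than the constructed samples above; a client whose `client_version` is SSL 3.0 is the one to chase before the December 15 cutoff. For the outbound direction (callouts) the same logic applies in reverse: it is the external server's ServerHello, and its willingness to accept TLS 1.0 or higher, that matters.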
A Note on Inbound & Outbound Integrations:
- If you use either integration type, contact the external web-service provider and ask whether their server still uses SSL 3.0. If it does, they will need to disable it after Salesforce disables SSL 3.0, and confirm that their connections to and from Salesforce use TLS 1.0 or higher.
- If you use API integrations obtained through the AppExchange, contact those partners directly to confirm that TLS 1.0 is enabled.
- Partners who have confirmed TLS 1.0 is enabled: Cirrus Insight, FormAssembly, Click and Pledge.