As an administrator of a Salesforce org that may have recently been accessed using SSL 3.0 encryption, we want to inform you of a change regarding supported encryption protocols. Over the next two months, Salesforce will be disabling SSL 3.0 encryption in a phased approach to prevent it from being used to access the Salesforce platform. |
Why is this happening?
At Salesforce, trust is our #1 value, and we take the protection of our customers' data very seriously. On October 15, Google researchers published details on a security vulnerability (CVE-2014-3566) that affects the Secure Socket Layer (SSL) 3.0 encryption protocol, also known as “POODLE,” which may allow a man-in-the-middle attack to extract data from secure HTTP connections. Although the vulnerability is somewhat difficult to exploit, to further protect customers, we will be disabling SSL 3.0 to fully address this issue.
How do I know if we are ready for this change?
After Salesforce disables SSL 3.0 encryption, any channels connecting to Salesforce will need to use TLS 1.0 encryption or higher. There are three different channels that require encryption to access Salesforce: internet browser, API (inbound) integrations and call-out (outbound) integrations. Here is an overview of each:
- Internet Browsers: By default, all browsers supported by Salesforce have TLS 1.0 enabled. You and your users should not experience an impact accessing Salesforce in your browser(s) unless you are either using a non-supported browser or you have disabled TLS 1.0 in the browser. To quickly test your browser compatibility, you can visit https://developer.salesforce.com, which has SSL 3.0 disabled. If you are able to view the site without errors, access to Salesforce via your browser should not be impacted by this change.
Internet Explorer (IE) 6, which is not officially supported by Salesforce, is capable of handling TLS 1.0 encryption, but it is not enabled by default. If you have users on IE 6 and would like assistance on how to enable TLS 1.0, please log a case via the Help & Training portal.
- API (inbound) Integrations: API Integrations are interfaces or applications that are separate from Salesforce, but use Salesforce data. If you have any API Integrations, please ensure TLS 1.0 encryption or greater is enabled in the integration.
What action do I need to take?
- Call-out (outbound) Integrations: Call-outs are integrations where Salesforce refers to an outside source to either verify login credentials or pull data. Examples of call-outs include: Delegated Authentication Single-Sign-On (SSO), Outbound Messaging and Apex call outs. If you use call-out integrations, please ensure TLS 1.0 encryption or greater is enabled in the integration.
In order for users to continue to have seamless access to your Salesforce orgs, you need to ensure their browsers and integrations have TLS 1.0 encryption or higher enabled. If your browser or integration does not have TLS 1.0 or higher enabled after we make this change, then your users will not be able to access Salesforce.
Additionally, we recommend you disable SSL 3.0 encryption in your own IT environment as soon as possible, unless you use call-out integrations. If you use call-out integrations, and you have not already disabled SSL 3.0, we recommend that you wait until after we have disabled SSL 3.0 for outbound requests in our environment.
When will Salesforce disable SSL 3.0 encryption?
Salesforce plans to disable SSL 3.0 encryption according to the following schedule:
For Inbound Encryption Requests (Internet Browsers and API Integrations)
|Instances ||SSL 3.0 Disable Schedule|
|All Sandbox Instances||Friday, November 7, 2014 |
|NA17, NA19, NA20||Friday, November 14, 2014 |
|NA2, NA4, NA13, NA15, NA16, EU0, EU2, EU3||Friday, November 21, 2014|
|NA7, NA8, NA9, NA10, NA11, NA12, NA14, EU1||Friday, November 29, 2014 |
|NA0, NA1, NA3, NA5, NA6||Friday, December 5, 2014|
|AP0, AP1||Monday, December 15, 2014|
For Outbound Encryption Requests (Call-out Integrations)
|Instances ||SSL 3.0 Disable Schedule|
|All Sandbox Instances||Wednesday, December 3, 2014|
|All Production Instances ||Wednesday, December 10, 2014 |
Where can I get more information?
You can review this Knowledge Article for more information. If you have any questions, please reach out to your Salesforce contact or log a case via the Help & Training portal.