Print this page

Salesforce disabled SSL 3.0 encryption

Knowledge Article Number 000206013
Description


In November and December 2014 Salesforce disabled SSL 3.0 encryption in stages to prevent it from being used to access the Salesforce platform. Learn the answers to common questions below.

Resolution
What is the change?

In November and December 2014 Salesforce disabled SSL 3.0 encryption to prevent it from being used to access the Salesforce platform. Any channels connecting to Salesforce will need to use TLS 1.0 encryption or higher—see below for supported encryption protocols. There are three different channels that require encryption to access Salesforce: internet browser, API (inbound) integrations, and call-out (outbound) integrations.
 
Why did this happen?

At Salesforce, trust is our #1 value, and we take the protection of our customers' data very seriously.
On October 15, Google researchers published details on a security vulnerability (CVE-2014-3566) that affects the Secure Socket Layer (SSL) 3.0 encryption protocol, also known as “POODLE,” which may allow a man-in-the-middle attack to extract data from secure HTTP connections. Although the vulnerability is somewhat difficult to exploit, to further protect customers, we will be disabling SSL 3.0 to fully address this issue.
 
Which non-SSL 3.0 encryption protocols does Salesforce support?

After the Summer'15 release, Apex callouts, workflow outbound messaging, delegated authentication, and other HTTPS callouts now support Transport Layer Security (TLS) version 1.2, TLS 1.1, and server name indication (SNI). HTTPS callouts continue to support TLS 1.0.
 
It is important to note that in the first quarter of 2016, Salesforce will be disabling the use of TLS 1.0 for inbound and outbound connections to Salesforce. After this, the minimum encryption standard required to connect to Salesforce services will be TLS 1.1.
 
What should I do if I am experiencing handshake errors? 

We recommend you test the call-out integration in a Sandbox. If you continue to receive handshake errors in the Sandbox, then log a case via the Help & Training portal. 




promote demote