Print this page

Why do I see the error: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https

Knowledge Article Number 000232847
Description To help customers test and prepare for the TLS 1.0 deprecation , Salesforce has provided customers with the Critical Update feature Require TLS 1.1 or higher for HTTPS.


What does the update do?

This critical update, when activated, disables TLS 1.0 in the following communication channels with the org:

  • Web requests to Salesforce URLs that require authentication
  • Web requests to the login page of a My Domain
  • Web requests to Community or sites
  • Web requests to Customer and Partner portals
  • Web to lead, web to case, and web to custom object requests
  • API requests to Salesforce
  • Callouts using Apex to a remote endpoint
  • Workflow outbound messaging callouts to a remote endpoint
  • Callouts using Lightning Connect to a remote endpoint
  • AJAX proxy callouts to a remote endpoint
  • Delegated authentication callouts to a remote endpoint

This critical update setting presently does not affect the following communication channels. 

  • Email
  • Web or API requests to Live Agent
  • Web or API requests to Chatter Messenger
  • Web requests to published non-community sites
  • Salesforce Files Connect callouts to a remote SharePoint server
  • Exchange Sync callouts to a remote Microsoft Exchange server

This feature can be used by customers to disable TLS 1.0 ahead of Salesforce's schedule. Customers can use this for testing how absence of TLS 1.0 affects their connections or they can just use it to switch over to the more secure TLS 1.1 and TLS 1.2.


The following steps can be followed to disable this feature:
- Navigate to Setup
In the Quick Find bar, type in Critical Updates
- Select Critical Updates 
- Locate the Require TLS 1.1 or higher for HTTPS connections​ under the Update Name column
- Click on Deactivate.
User-added image

This feature comes deactivated by default. If customers find it activated already, it might have been done unintentionally by an administrator. The respective entry for that change can be found in the Setup Audit Trail

For more information, review the TLS 1.0 Disablement Critical Update Console (CRUC) Setting article.

promote demote