
TLS 1.0 Disablement Critical Update Console (CRUC) Setting

Knowledge Article Number 000232871
Description

This article was last updated on June 27, 2016; all changes are highlighted in red. 

Table of Contents

Summary
Permissions Required
Recommendation
Configuration
Web Browser User Experience
API User Experience

 

Summary

To help you prepare for Salesforce disabling TLS 1.0 beginning in June 2016, we are providing a new Critical Update Console (CRUC) setting, "Require TLS 1.1 or higher for HTTPS connections". It lets you test the disablement of TLS 1.0 in your sandbox and production orgs ahead of the Salesforce TLS 1.0 disablement schedule*:
 

| Service | TLS 1.0 Disablement Auto-Activation Date |
| --- | --- |
| Sandbox Instances | June 25, 2016, at 9:30 AM PDT (16:30 UTC) |
| Production Instances | March 4, 2017, at 9:30 AM PST (17:30 UTC) |
| Login.salesforce.com, other services** | Early 2017 |

NOTE: The auto-activation date is when Salesforce will automatically disable TLS 1.0. These dates can be found in the Critical Updates description for the “Require TLS 1.1 or higher for HTTPS connections” setting from Setup.

* Dates are subject to change
** Other services include the following: test.salesforce.com, www.salesforce.com, help.salesforce.com, success.salesforce.com, branded login (*.cloudforce.com), Live Agent, UMPS/Chatter Messenger and Email.
 

Permissions Required

A user must have the following permissions:

  • View the CRUC setting: View Setup and Configuration
  • Activate or Deactivate the CRUC setting: Customize Application and Modify All Data

 

Recommendation

We recommend that you test this CRUC update in a sandbox environment to verify end-to-end compatibility before testing it in your production org.

Don’t have a sandbox org?

You can also test the CRUC update for TLS 1.0 disablement in a free Developer Edition org. Sign up here

If the CRUC setting is not activated before the Salesforce TLS disablement date, Salesforce will automatically disable TLS 1.0 for your org based on the schedule above.

Once activated, you can deactivate the "Require TLS 1.1 or higher for HTTPS connections" critical update setting to restore TLS 1.0 prior to the auto-activation dates outlined above.

 

Configuration

From Setup, enter Critical Updates in the Quick Find box, then select Critical Updates. This critical update setting is named "Require TLS 1.1 or higher for HTTPS connections".

When activated, TLS 1.0 is disabled in the following features:

  • Web requests to Salesforce URLs that require authentication
  • Web requests to the login page of a My Domain
  • Web requests to Community or Force.com sites
  • Web requests to Customer and Partner portals
  • Web to lead and web to case requests 
  • API requests to Salesforce
  • Lightning for Outlook (previously known as Salesforce App for Outlook) – NOTE: Since Lightning for Outlook uses Lightning Sync to connect with the Exchange server, users with browsers that are compatible with TLS 1.1 or higher will still be able to use Lightning for Outlook if the Exchange server has not been enabled with TLS 1.1 or higher. Until Lightning Sync is influenced by this critical update, complete end-to-end testing with Lightning for Outlook is not possible.
  • Callouts using Apex to a remote endpoint
  • Workflow outbound messaging callouts to a remote endpoint
  • Callouts using Lightning Connect to a remote endpoint
  • AJAX proxy callouts to a remote endpoint
  • Delegated authentication callouts to a remote endpoint

At this time, this critical update setting does not affect the following features when activated. A future patch or major release may extend this setting to one or more of these features:

  • Email
  • Lightning Sync (previously known as Exchange Sync)
  • Web or API requests to Live Agent
  • Web or API requests to Chatter Messenger
  • Web requests to published non-community Site.com sites
 

Web Browser User Experience

Depending on the user access point, when a user tries to access the org with a web browser using TLS 1.0 after the org requires TLS 1.1 or higher for HTTPS connections, the user will see an error message with recommended next steps to resolve the incompatibility. 

Summary of the user message and language display experience is as follows:

| Access Point | User Error Message | Message Language |
| --- | --- | --- |
| login.salesforce.com | Error message will display only after the user logs in from this page | Display in the user's Salesforce language |
| My Domain login page | Error message will display upon visiting this page | Display in the org’s default language |
| Site or Community | Error message will display upon visiting this page | Display in the site guest user’s Salesforce language |
| Web to lead or web to case, when sent to the org or My Domain over https (not to www.salesforce.com or webto.salesforce.com) | Error message will display upon submitting data from an external page to Salesforce. The submitted data, however, is archived and does not create a lead or case. Please file a case with Salesforce Support to have these archived submissions replayed. | Display in the Salesforce language of the default lead creator or the automated case user |
| Web to lead or web to case, when sent to www.salesforce.com or webto.salesforce.com over https | User sees no error and is redirected to the form's Return URL. The submitted data, however, is archived and does not create a lead or case. Please file a case with Salesforce Support to have these archived submissions replayed. | Not applicable, since no error message is displayed |
| Customer or Partner Portal login or forgot-password page (not via a site) | Error message will display upon visiting this page | Display in the portal's default language |

More details on the user browser experience by browser and operating system used are outlined below. 
 

Internet Explorer in Windows 7 or Newer

Internet Explorer users in Windows 7 or newer will see the following message if TLS 1.0 is used in an org that requires TLS 1.1 or higher for HTTPS connections:

[Image: Internet Explorer in Windows 7 or Newer User Message]

NOTE: TLS 1.0 is still recommended for compatibility with other non-Salesforce systems. 

 

Internet Explorer in Windows Vista, XP, or Earlier

Internet Explorer users in Windows Vista, XP, or earlier will see the following message if the org requires TLS 1.1 or higher for HTTPS connections:

[Image: Internet Explorer in Windows Vista, XP, or Earlier User Message]
 

Google Chrome or Mozilla Firefox

Google Chrome or Mozilla Firefox users will see the following message if TLS 1.0 is used in an org that requires TLS 1.1 or higher for HTTPS connections:

[Image: Google Chrome or Mozilla Firefox User Message]

Mobile Browsers

iOS (e.g. Safari), Android, Windows Mobile, BlackBerry, and most other mobile browser users will see the following message if TLS 1.0 is used in an org that requires TLS 1.1 or higher for HTTPS connections:

[Image: Mobile Browser User Message]
 

Unknown Web Browser or Operating System

Users of unknown web browsers or operating systems will see the following message if TLS 1.0 is used in an org that requires TLS 1.1 or higher for HTTPS connections:

[Image: Unknown Web Browser or Operating System User Message]
 

API User Experience

If a user tries to access the org with an API client using TLS 1.0 after the org requires TLS 1.1 or higher for HTTPS connections, the user will see the following API error message. The error message uses the user's language.

TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.

The user will generally need to update the API client or adjust its configuration to use TLS 1.1 or TLS 1.2.
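One way to confirm what a Python-based API client actually negotiates before the critical update is activated (an added example, not Salesforce code). The helper names, the TLS 1.2 floor chosen for the client, and the placeholder hostname are assumptions made for illustration.

```python
import socket
import ssl

# Strings returned by SSLSocket.version(), oldest first.
KNOWN_VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
REQUIRED_MINIMUM = "TLSv1.1"  # "Require TLS 1.1 or higher for HTTPS connections"


def meets_requirement(negotiated):
    """True if a negotiated protocol string is TLS 1.1 or higher."""
    if negotiated not in KNOWN_VERSIONS:
        return False  # None (no handshake) or an unrecognised value fails closed
    return KNOWN_VERSIONS.index(negotiated) >= KNOWN_VERSIONS.index(REQUIRED_MINIMUM)


def client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Certificate-verifying client context that refuses anything below `minimum`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx


def negotiated_version(host, port=443, ctx=None, timeout=10.0):
    """Handshake with host:port and return the protocol version agreed on."""
    ctx = ctx or client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def check_endpoint(host, port=443):
    """Return (version, ok); a failed handshake is reported as (None, False)."""
    try:
        version = negotiated_version(host, port)
    except (ssl.SSLError, OSError) as exc:
        print(f"{host}:{port} handshake failed: {exc}")
        return None, False
    return version, meets_requirement(version)


if __name__ == "__main__":
    # HOST is a placeholder: substitute your own instance or My Domain hostname.
    HOST = "yourdomain.my.salesforce.com"
    print(HOST, check_endpoint(HOST))
```

The result reflects the Python and OpenSSL build the script runs on, so run it on the same host and runtime as the integration being checked. Pointed at a remote endpoint that receives callouts, a failed handshake shows that the endpoint cannot meet the client's TLS 1.2 floor.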




