Articles in this section

February 2016 - Critical update: Salesforce Upgrade to TLS 1.1

Avatar
Terry Humphris
Updated
Follow

Salesforce is disabling support for TLS 1.0 in the near future.

This may have a critical impact on the usability of S4S and require existing customers to take action before June 2016 in Sandboxes and early 2017 in production orgs.

TLS 1.1 will be supported by Salesforce but earlier versions of Sitecore and S4S were built on .NET Frameworks that do not support TLS 1.1 and therefore may not connect with Salesforce once TLS 1.0 has been disabled. A typical error message will be the following:

Exception: FuseIT.Sitecore.SalesforceConnector.SalesforceException

Message: UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.

Source: FuseIT.Sitecore.SalesforceConnector

For S4S users, please look at the following table and match the .NET Framework to your Sitecore version. If your version uses .NET Framework 4.5 or earlier then the Salesforce TLS changes may break the S4S connection to the Salesforce Partner API.

Source - Sitecore knowledge base - Sitecore Compatibility Table

Short Term Solution 

Do not accept the Salesforce Critical Upgrade.

Login to your Salesforce instance and navigate to the Setup menu (under your username). In the search text box search for "Critical Updates". Ensure the "Require TLS 1.1 or higher for HTTPS connections" update is not activated and note the number of days remaining before auto-activation will occur.

Permanent Solution

FuseIT have tested a number of solutions that resolve the problem. Please test the solution that fits your scenario in a Sitecore developer or test environment before fixing Sitecore production. You should also test in a Salesforce Sandbox environment before testing it in your production org. See the TLS 1.0 Disablement Critical Update Console (CRUC) Setting article for more details.  

Framework   Solution for this Framework
.NET 3.5 Update the hosting environment to a .NET Framework version with the required TLS support then apply the changes below. For S4S the IIS Application Pool needs to run at least .NET 4.0.
.NET 4.0 Apply the registry entries as directed by Salesforce for TLS 1.2 support. Search for ".NET 4.0 does not enable TLS 1.2 by default" on the page. You may need to restart IIS after this modification.

.NET 4.5

 

 

 

 

 

 

 

 

 

Apply the registry entries as directed by Salesforce for TLS 1.2 support

or

Manually set the System.Net.ServicePointManager.SecurityProtocol in your .NET code before making callouts to Salesforce. One way to do this is in the Global.ascx.cs file by adding the line:

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls;

(you will need to update this line of code when TLS 1.3 is released) 

or

Update to the latest version of S4S/G4S and configure the new securityProtocols setting in the .config file.
.NET 4.6 & higher

Compatible with TLS 1.1 or higher by default.

Note that a <securityProtocols> element was added to the web.config in S4S Release 16078 or later, so future versions of TLS can be handled.

If you encounter challenges or have questions, please contact us for help.

Comments

0 comments

Please sign in to leave a comment.

Related articles