Salesforce is disabling support for TLS 1.0 in the near future.
- Knowledge Article 000232871 - TLS 1.0 Disablement Critical Update Console (CRUC) Setting
- Knowledge Article 000221207 - Salesforce disabling TLS 1.0
This may have a critical impact on the usability of S4S and require existing customers to take action before June 2016 in Sandboxes and early 2017 in production orgs.
TLS 1.1 will be supported by Salesforce but earlier versions of Sitecore and S4S were built on .NET Frameworks that do not support TLS 1.1 and therefore may not connect with Salesforce once TLS 1.0 has been disabled. A typical error message will be the following:
Message: UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.
For S4S users, please look at the following table and match the .NET Framework to your Sitecore version. If your version uses .NET Framework 4.5 or earlier then the Salesforce TLS changes may break the S4S connection to the Salesforce Partner API.
Short Term Solution
Do not accept the Salesforce Critical Upgrade.
Log in to your Salesforce instance and navigate to the Setup menu (under your username). In the search box, search for "Critical Updates". Ensure the "Require TLS 1.1 or higher for HTTPS connections" update is not activated, and note the number of days remaining before auto-activation occurs.
FuseIT have tested a number of solutions that resolve the problem. Please test the solution that fits your scenario in a Sitecore developer or test environment before fixing Sitecore production. You should also test in a Salesforce Sandbox environment before testing it in your production org. See the TLS 1.0 Disablement Critical Update Console (CRUC) Setting article for more details.
|Framework||Solution for this Framework|
|.NET 3.5||Update the hosting environment to a .NET Framework version with the required TLS support then apply the changes below. For S4S the IIS Application Pool needs to run at least .NET 4.0.|
|.NET 4.0||Apply the registry entries as directed by Salesforce for TLS 1.2 support. Search for ".NET 4.0 does not enable TLS 1.2 by default" on the page. You may need to restart IIS after this modification.|
|.NET 4.5||
- Apply the registry entries as directed by Salesforce for TLS 1.2 support.
- Manually set System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls; (you will need to update this line of code when TLS 1.3 is released).
- Update to the latest version of S4S/G4S and configure the new securityProtocols setting in the .config file.
|.NET 4.6 & higher||
Compatible with TLS 1.1 or higher by default.
Note that a <securityProtocols> element was added to the web.config in S4S Release 16078 or later, so future versions of TLS can be handled.
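The following is an added example, not FuseIT or S4S code. It shows one way to take the protocol list from a configuration string instead of hard-coding the ServicePointManager.SecurityProtocol line, and to fail at startup if the list contains nothing Salesforce will accept. The class name TlsBootstrap, its method names and the comma-separated format are assumptions; it does not reproduce the format of the S4S <securityProtocols> element.

```csharp
using System;
using System.Net;

// Added example; class and method names are hypothetical, not part of S4S.
public static class TlsBootstrap
{
    // Versions Salesforce accepts once TLS 1.0 is disabled.
    private const SecurityProtocolType Accepted =
        SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

    // Parses a comma-separated list such as "Tls12,Tls11,Tls" into flags.
    // Names the running framework does not define are skipped, so the
    // setting can name a newer protocol before the framework supports it.
    public static SecurityProtocolType Parse(string csv)
    {
        SecurityProtocolType result = 0;
        foreach (string raw in (csv ?? "").Split(','))
        {
            SecurityProtocolType p;
            // IsDefined rejects numeric strings that match no named protocol.
            if (Enum.TryParse(raw.Trim(), true, out p) &&
                Enum.IsDefined(typeof(SecurityProtocolType), p))
            {
                result |= p;
            }
        }
        return result;
    }

    // Call once at startup, before the first Salesforce API request.
    public static void Apply(string csv)
    {
        SecurityProtocolType wanted = Parse(csv);
        if ((wanted & Accepted) == 0)
            throw new InvalidOperationException(
                "No TLS 1.1 or 1.2 enabled: Salesforce will answer UNSUPPORTED_CLIENT.");
        ServicePointManager.SecurityProtocol = wanted;
    }

    public static void Main()
    {
        Apply("Tls12, Tls11, Tls");            // constructed sample setting
        Console.WriteLine(ServicePointManager.SecurityProtocol);
        try { Apply("Ssl3, Tls"); }            // constructed: nothing above TLS 1.0
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```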
If you encounter challenges or have questions, please contact us for help.