Weak SSL Deprecation
Contents |
Support Ending for Weak Versions of SSL
As part of salesforce.com's on going effort to ensure the highest level of security at Salesforce.com, we are discontinuing support for the Secure Socket Layer (SSL) protocols noted below on March 31, 2007. SSL is the protocol used to secure data in transit to and from Salesforce.com.
- SSLv2 - > SSLv2 has known vulnerabilities which render it insecure for all purposes. It was superceded 10 years ago by SSLv3. Implementations of SSLv3 are widely and freely available for all common development platforms.
- SSLv3 and TLSv1 with key lengths less than 128 bits - For secure ciphers, the length of the key used by the cipher is proportional to the strength of the cipher. Due to advances in cryptography and computing power, key lengths lower than 128-bits are no longer considered sufficient for long term security.
This change may affect users accessing the system both via browsers and via an API client. We have analyzed our logs; we believe only a very small percentage of users will be affected. We have contacted all customers with integrations we believe may be impacted by this change.
If you have any questions or need assistance planning response to this change, please contact Salesforce.com Support.
Impact
When support for these versions of SSL is disabled on 3/31, browsers, API clients, and integrations that do not support one of the other, strong versions of SSL will be unable to connect to our service. Browsers will fail to load pages and will display an error message to the user. Behavior of API clients will vary, but the clients will be unable to establish a network connection to salesforce.com.
Browsers
All supported browsers include strong SSL support. Browsers with potential issues are those that shipped prior to 2002 or browsers running on older versions of the Windows operating system (e.g. versions older than Windows 2000 service pack 2).
To determine if a browser will be impacted by the change in SSL support, direct the browser to https://test.salesforce.com/. This server has been configured to only accept strong SSL connections. If you browser can display the login page, your browser has strong SSL support. Displaying the page is sufficient to demonstrate support; there is no need to login.
API Clients / Integration Tools
This section lists client applications and operating systems with known issues.
Tibco
Some TIBCO users who use TIBCO BusinessWorks to integrate with Salesforce.com may experience handshaking failures after Salesforce.com ended support for weak SSL on March 31, 2007. TIBCO recommends that those customers to download and upgrade their TIBCO Runtime Agent version to 5.5.2 where this particular issue has been taken care of.
Pervasive Data Junction, Data Integrator, and Business Integrator
Prior to 2006, Pervasive's Data Junction, Data Integrator, and Business Integrator products shipped with support for weak encryption only. If your organization is using one of these products, see the message below from the vendor about options for upgrading your product.
Linkpoint 360
Some versions of Linkpoint 360 support weak encryption only. If your organization is using Linkpoint360, see the message below about options for upgrading your product.
Morfik WebOS AppsBuilder
Morfik WebOS AppsBuilder, a specialized development tool for building web-based applications, supports both SSLv2 and SSLv3. All applications developed with Release 0.9.x (November 2006) onwards will have SSLv3 as the default setting. Unless explicitly changed applications developed with prior releases of the AppsBuilder will be using SSLv2. The process for changing from SSL2 to SSL3 is release dependant and Morfik should be contacted for guidance. Please contact support@morfik.com with SSLv2 to SSLv3 in the subject heading.
Microsoft Windows 2000
Many software applications running on Windows 2000 rely on its built-in SSL implementation. Microsoft Windows 2000 shipped with support for weak encryption only. Strong encryption shipped separately as the "High Encryption Pack" and, later, as part of Service Pack 2. Software Applications running on an unpatched installation of Windows 2000 and relying on it’s SSL support will be not have ciphers strong ciphers available to them. If you are receiving this mail as the result of using any of the Salesforce.com clients (i.e., Outlook Edition, Office Edition, Office Toolkit), this is one probable cause. The remedy in this case is to apply the service packs provided by provided by Microsoft. Information about Window 2000 Service packs can be found here:
http://www.microsoft.com/windows2000/downloads/servicepacks/default.mspx
Export Restricted Software
Prior to 2002, US law restricted export of strong cryptography, specifically cryptographic algorithms using key lengths greater than 56-bits. As a result, most vendors restricted the generally available versions of their software to weak encryption algorithms. If your software applications or the SSL libraries they rely on were shipped before 2002, it is likely this is the cause. Remedies in this case will vary from contacting the vendor for an upgrade to porting to a new platform which supports strong encryption.
Partner Notices
Message to Data Junction and Business Integrators customers from Pervasive
Due to advances in cryptography and computing power, key lengths lower than 128-bits are no longer considered sufficient for long-term security. In order to better protect your data, Salesforce.com will be changing its API to support only SSLv3 and TLSv1 with key lengths greater than or equal to 128-bits. As a result, some older versions of software that conformed with Salesforce.com’s earlier API versions will no longer inter-operate with Salesforce.com.
The following versions of Pervasive/Data Junction products, delivered before April 2005, will be impacted:
- Pervasive Data or Business Integrator v8.6.3 or earlier
- Data Junction v 7.5.5 or earlier
If you are currently using these products with Salesforce.com, you will need to upgrade your licenses before March 31, 2007 by taking the following steps.
- Contact your Pervasive account manager or call 1-888-296-5969, with your current products’ serial numbers:
If you have a current maintenance subscription with Pervasive, we can provide you with the latest version at No Charge. If you do not have a current maintenance subscription, you can receive a special upgrade discount of 65%, provided you order your upgrade before March 31, 2007.
- Rely on Pervasive’s professional services staff to ensure a fast and trouble-free migration to the latest version of our software - schedule your FREE Migration and Upgrade Assessment through your Pervasive representative.
Should your organization require additional resources in updating and optimizing your mission critical integrations with Salesforce.com, or if you are thinking about extending your integration project to get even more value from your Salesforce.com investment, Pervasive’s Professional Services staff are ready to assist.
Message to Linkpoint 360 Customers
The new version of LinkPoint360 software is nearly complete. We’ve been working hard to deliver you a simpler interface, more reliable synchronization, increased security and greater control at the enterprise level. All these new features are included in your subscription fee and will be available for free to registered users on January 29, 2007. As we approach that date, we’ll send you more information regarding the upgrade features and process.
Just In Time
In an effort to stay on top of industry best practices, salesforce.com will implement new security software on March 31, 2007 that will affect many 3rd party software vendors including LinkPoint360. On that date, the software they implement will be incompatible with older releases of LinkPoint360 software. All users of our software must upgrade to our new release before that date to avoid a service interruption.
Recap
To avoid a service interruption of LinkPoint360 software, all users must upgrade to our new version between January 29, 2007 and March 31, 2007. The upgrade is free to all registered users and as always, our help desk will assist in any way to make sure your upgrade is quick.