TLS 1.0 To TLS 1.1 for Salesforce Clients
TLS 1.1, 1.0 Salesforce
Since last six months, all of us working on the Salesforce platform have received multiple emails/notifications about the TLS 1.0 disablement. I wanted to try and understand why did salesforce want to do this?
On doing some investigation, I found out that there is a vulnerability regarding the initialization vector(IV). It is used to mask data prior to encryption.IVs were found to be susecptible to man in the middle attacks. This makes the encryption deterministic, which is something we never want. Because being deterministic makes encryption susceptible. This attack is known as BEAST attack. TLS 1.1 or 1.2 do not have the susceptible initialization vector weakness that is exploited by the BEAST attack.
Since this vulnerability has been out in the open since a long time now, in terms of cyber security, the step from salesforce should be welcomed by all of us. Sometimes we need security to be mandated by platforms to ensure that we are all secure.
For JAVA , add the parameter below to JAVA_OPTS, -Dhttps.protocols=TLSv1.2
For SOAPUI, add the parameter below to the SOAPUI startup script, -Dsoapui.https.protocols=SSLv3,TLSv1.2
Intrestingly, for a lot of other technologies, TLS1.1 or above might already be enabled. You might want to check the runtime of the your client library to ensure which TLS vesion is supported and enabled by default. More often then not, you will have to enable this, in the client runtime, rather than when explicitly making the connection.
References,
- https://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks
- https://help.salesforce.com/articleView?id=000221207&type=1