Removal of support for TLS protocol versions 1.0 and 1.1 Follow

Comments

22 comments

  • Avatar
    Chandra

    Under "Am I affected" you only mention Chat for customers. Will customers still be able to access the site with an older browser as long as we are not using Chat?

  • Avatar
    Dan Craig

    Same question as Chandra. Expanding, can you confirm that no interactions through the Web Widget or Guide are affected by this change (assuming no use of Chat)?

  • Avatar
    NZ IT Flip IT (Edited )

    Could you also confirm if Single Sign-On (SSO) feature is going to be affected as well?

    I suspect it will be so, i.e. the website Zendesk is auth-ing against will have to support TLS1.2 both ways. Is this true?

     

  • Avatar
    Adi Glasman (Edited )

    Hello Chandra & Dan

    All Zendesk products will be impacted by this change (not just Chat).

    It will effect all older browsers/clients versions that do not support TLS versions 1.2, A new list of supported versions is available under the "What browsers can I use?" section 

    We are taking this step in order to assure you and your customers are working with the latest secured communication protocols.

    Please let me know if you have more questions

    Cheers

    Adi

  • Avatar
    Adi Glasman

    Hello Flip IT,

    Yes, SSO is also effected as the bi-directional authentication (incoming/outgoing) will have to be supporting only TLS 1.2 and higher.

    Cheers

    Adi

  • Avatar
    Virginia Goggins

    I'd like to get more clarification regarding SSO.  If a customer who is using TLS 1.1 connects to our portal, then the portal uses 1.2 SSO to connect to Zendesk, will that fail because the customer is only using 1.1?

  • Avatar
    Stephen Fusco

    Hi Virginia, 

    This is unlikely to work. TLS is browser specific - even if your customer connects to your portal, if that portal is using JWT to login to Zendesk the request would still come from the customer's browser. 

    I'm going to create a ticket for you though so I can collect a little more information about your specific set up just to be sure I fully understand the scenario you've described. 

  • Avatar
    Albert Chang

    Hi there, 

    Was this done yesterday? NMAP seems to think that TLSv1 and TLSv1.1 connections can still be made to zendesk.com. Was this the expected behavior?

  • Avatar
    GM

    Hi there, 

    I'm also experiencing the same issue as Albert. Are we able to explain why this is the case?

    Thanks

  • Avatar
    GM

    PORT STATE SERVICE
    443/tcp open https
    | ssl-enum-ciphers:
    | TLSv1.0:
    | ciphers:
    | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
    | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
    | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 4096) - A
    | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 4096) - A
    | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
    | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
    | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (dh 2048) - A
    | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (rsa 4096) - A
    | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (dh 2048) - A
    | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (rsa 4096) - A

  • Avatar
    GM

    Hi Albert, are you still seeing TLS 1.0 ? 

  • Avatar
    Albert Chang

    Hi Guy, yes TLS 1.0 and 1.1 connections are still being accepted by zendesk.com as of this morning. 

  • Avatar
    GM

    Hi Albert, have you received any updates on when this should be resolved. I've been told by Midnight tonight UK time, but i'm surprised that even Zendesk.com still supports TLS 1.0.thanks

  • Avatar
    GM

    TLS 1.0 is still enabled despite confirmation that it would now be disabled. 

  • Avatar
    Charles Wood

    We seem to have just lost TLS 1.0 and 1.1 today. They are probably rolling it out in phases rather than all at once.

  • Avatar
    GM

    thanks for the update. i'll check back later. 

  • Avatar
    GM

    Zendesk.com and our site now have TLS 1.0 and 1.1 disabled. 

  • Avatar
    Jessie - Community Manager

    Thanks for the update, GM! Let us know if you need anything else!

  • Avatar
    Christoffer J.S.

    It seems that this has broken Zendesk App Tools? If I run "zat package" or "zat update" I get:

    $ zat package

    info Checking for new version of zendesk_apps_tools

    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/ruby/2.0.0/net/http.rb:921:in `connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: tlsv1 alert protocol version (OpenSSL::SSL::SSLError)

    It's the "tlsv1 alert protocol version" part that makes me suspect that this has something to do with TLS v1.0/1.1.

    This was working perfectly a week or so ago. I first saw the error yesterday (June 23) - haven't used zat for a few days before that. If I run "gem update zendesk_app_tools" there is no new version of zat available.

    Any ideas?

    Best regards, Christoffer

  • Avatar
    J.Michael Wagner

    Hey Christoffer,

    I am going to bring this into a ticket to discuss. Look out for an email from me!

     

  • Avatar
    Bo Wannerberg

    A tip for all that use the Zendesk API from within Powershell:

    https://www.codyhosterman.com/2016/06/force-the-invoke-restmethod-powershell-cmdlet-to-use-tls-1-2/

    BR // Bo

     

  • Avatar
    Graeme Carmichael

    This also caught me out when my API calls stopped working on 29 June.

    For Windows 7 SP1, I used the 'easy fix' download on this article from Microsoft, re-booted and now all is well.

     

Please sign in to leave a comment.

Powered by Zendesk