Setting TLS Version

0
I'm getting the following error when I attempt to call a Salesforce service: com.mendix.modules.microflowengine.MicroflowException: javax.xml.ws.soap.SOAPFaultException: UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https. Is there a way I can force this to be TLS 1.1 or 1.2 from my cloud node?
asked
3 answers
3

Thanks for discovering and reporting this issue. Apparently, Java7 has the capability to speak TLS 1.1 and 1.2, but doesn't actually do it except when you poke it with a stick. Java 8 does it out of the box.

This leaves us with the following config:

  • Java7: TLSv1 (preferred), TLSv1.1 (not used), TLSv1.2 (not used)
  • Java8: TLSv1, TLSv1.1, TLSv1.2 (preferred)

SSLv3 is already disabled by default anyway, so that's good. Do not use Java6 for anything. If you're using a Mendix version that is only compatible with Java6 (which means earlier than 4.1.0), you should be focused on upgrading first.

The best option is to choose a Mendix version that you can run on Java 8 (yes, I know, heap graphs are still broken). This immediately fixes the TLS issues. The next best option is to use Java7 and have a little patience until:

For Java7, we will add the JVM option -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 by default, which fixes the TLS issues for any code path that uses the HttpsURLConnection class or uses URL.openStream(). If you're using Java7 and have other use cases that still do not work, you might need to write horrible SocketFactory manipulating code yourself to get this working:

http://docs.oracle.com/javase/7/docs/api/javax/net/ssl/SSLSocket.html#setEnabledProtocols(java.lang.String[])

As seen at https://blogs.oracle.com/java-platform-group/entry/diagnosingtlssslandhttps

answered
1

A quick Google search indicates a configuration error on Salesforce. Mendix shouldn't explicitly choose between TLS 1.0 or 1.1. We support both and if Salesforce doesn't want to offer it then it shouldn't be an option in the SSL settings.

So I'm assuming this is a configuration problem that you should probably start by resolving in Salesforce: http://salesforce.stackexchange.com/questions/111912/callouts-to-web-services-started-failing-with-calloutexception-server-chose-tls

Alternatively, you should also check which Java version you are using. Java 7 and 8 both support TLS 1.1 and 1.2; however, these versions are not enabled by default.
So if you are using Java7 you should enable TLS 1.1 or 1.2, or use Java8, which does have TLS enabled by default (see this Stack Overflow page on enabling TLS).

answered
0

Not sure, but you can try to set the system property

System.setProperty("https.protocols", "TLSv1.1,TLSv1.2");

or via JVM command line option

-Dhttps.protocols=TLSv1.1
answered