TLS Protocol update for PEX services.

The upcoming change involves the end of support for TLS 1.0. What is TLS 1.0 you might ask? In short, it is a protocol used to negotiate your secure connection to a web site or API endpoint. The more modern protocols, TLS 1.1 and TLS 1.2, have been supported in web browsers, operating systems and code libraries for many years. (TLS 1.1 started in 2006 and TLS 1.2 in 2008)

Sandbox - Support for TLS 1.0 ends on January 31st 2018
Production - Support for TLS 1.0 ends on February 28th 2018

If you are using a very old web browser, operating system or library to connect to Pex, it is possible that your connection will fail.

It is for this reason that we urge you to check your code and custom applications to ensure that they are able to utilize TLS 1.1 or TLS 1.2. If you are not using the minimum supported versions of web browser or operating system, please consider upgrading to continue uninterrupted use of Pex services as well as many other sites on the Internet. Microsoft is releasing patches soon for Windows 2008r2 server and possibly Windows 7, but what impact that would have on custom code is unknown.

A very technical overview of SSL/TLS can be found here for the curious

While we can not help you in correcting your custom application, general information is provided here to get to some minimum supported levels of software.


If you don't have Python >= 2.7.9 and OpenSSL >= 1.0.1 you will need to upgrade your Python environment. The change to the ssl module was only back ported to 2.7.9. Even if Python and OpenSSL are up to date, you may be connecting with TLS 1.0 due to the way your code is written.


Ruby doesn’t have any pure-ruby SSL library and is using the C-Extension of ‘OpenSSL’ the Open-source SSL Linux-Unix library.
If you don't have OpenSSL >= 1.0.1 you will need to upgrade your environment.
If you have set this option, you will want to remove the ssl_version configuration so that your client can negotiate the best version with the server. If you find you must set this option to get it to work, you should use the constant for TLS version 1.2: TLSv1_2
Other settings might include: ssl_options and ssl_context.options.
You can check if your current ruby environment supports TLS 1.2. Execute the following command in your terminal:

ruby -ropenssl -e 'puts "TLS v1.2 support: #{OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2)}"' This will print a result saying if ruby supports TLS 1.2
TLS v1.2 support: true
If the result is false then you will need to update both Ruby and OpenSSL.


If you are using PHP, we suggest that you verify that PHP and libcurl versions are up to date and support TLS 1.1 or 1.2. Also, please ensure you have not configured your code to force TLS 1.0. The libcurl constant looks like this CURL_SSLVERSION_TLSv1. If this is set, you will want to remove it. Some older libcurl libraries support TLS1.1 and 1.2, but will negotiate down to 1.0 by default. If you have the older libraries and can not upgrade, at the minimum force a better version of TLS.


.NET 3.5 did not contain support for TLS 1.2 or 1.1. This may have larger implications on your application if you are using an older version of .NET. If you are finding that upgrading to the latest version of the .NET library is not working for you, there are some workarounds from Microsoft that might work for you.
Versions of .NET newer than 3.5 support TLS 1.2 or 1.1, your code may need to be updated.


If you are using Java 1.8, TLS1.1 and TLS1.2 are enabled by default and the TLS negotiation should just work and there should be no action required. It is possible in code to explicitly use lower TLS version 1.0.

If you are using Java 1.7, TLS1.1 and TLS1.2 are disabled by default. You must explicitly enable them or specify the protocol when creating your SSLContext. The simplest and safest way to mitigate the issue is to make sure you are passing in the protocol version you want when creating your SSLContext: SSLContext context = SSLContext.getInstance("TLSv1.2");

If you are using Java 1.6 or below you will need to upgrade unless you are using a specific version of the JVM that has backported support for TLS1.1 and TLS1.2.