
Re: [Informational] Maintenance to Disable TLS 1.0 for rest.zuora.com and rest.apisandbox.zuora.com

Zuora Staff

*Description (of the issue):*


In order to improve security for Zuora Sandbox and Production endpoints, rest.zuora.com and rest.apisandbox.zuora.com will have TLS 1.0 disabled. This aligns with our configuration for www.zuora.com and apisandbox.zuora.com.


*When will these changes take effect?*


Wednesday July 26, 2017 starting at 7am PT - The change will take approximately 4-5 hours to propagate through the Akamai network.


*Which Zuora URLs or environments does this affect?*


  • rest.zuora.com
  • rest.apisandbox.zuora.com


*Do I need to take action?*


If you use rest.zuora.com or rest.apisandbox.zuora.com and use the TLS 1.0 protocol, you will need to take action and ensure your integration is capable of supporting TLS 1.1+ SSL connections.


Note: This does not affect the legacy REST API endpoint of api.zuora.com or SOAP www.zuora.com.


*How can I test?*


If you can make API calls to the endpoints below, then your HTTPS connections are negotiating using TLS 1.1 or higher and you will not have any problems with this change.

  • www.zuora.com
  • api.zuora.com
  • apisandbox.zuora.com
  • apisandbox-api.zuora.com

Zuora Staff

Hi folks


We've noted a few customers using RestSharp are likely going to have issues if they haven't overridden SSL defaults in ServicePointManager. RestSharp code hasn't been updated in the past few years, and by default uses the TLS 1.0 SSL protocol. Developers/Users may need to address this prior to our disable date to ensure continuity of API service.


See the following Stack Overflow article for further details.
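
For .NET integrations, the ServicePointManager override mentioned above and the "How can I test?" check from the announcement can be combined in one small console program. This is an added example, not part of the original thread or Zuora's code; the class name `TlsCheck` and the helper `TryHandshake` are hypothetical, and the default host is the sandbox endpoint named in the announcement.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsCheck   // hypothetical name, for illustration only
{
    // Attempt one handshake restricted to a single protocol version.
    // Returns the negotiated version, or null if the handshake failed.
    static SslProtocols? TryHandshake(string host, SslProtocols version)
    {
        try
        {
            using (var tcp = new TcpClient(host, 443))
            using (var ssl = new SslStream(tcp.GetStream()))
            {
                ssl.AuthenticateAsClient(host, null, version, true);
                return ssl.SslProtocol;
            }
        }
        catch (AuthenticationException) { return null; } // no common protocol
        catch (IOException) { return null; }             // peer closed during handshake
    }

    static void Main(string[] args)
    {
        // Process-wide default for HttpWebRequest-based clients. Set it once,
        // before the first API request, so TLS 1.0 is no longer the only offer.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

        // The probe below passes the version explicitly, so it is independent
        // of the ServicePointManager setting above.
        string host = args.Length > 0 ? args[0] : "rest.apisandbox.zuora.com";
        foreach (var v in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
        {
            // SslProtocols.Tls is TLS 1.0. A failure there can also mean the
            // local OS has TLS 1.0 disabled, not only that the server refused it.
            SslProtocols? negotiated = TryHandshake(host, v);
            Console.WriteLine("{0,-6} {1}", v, negotiated.HasValue ? "accepted" : "refused");
        }
    }
}
```

A client is ready for the change when at least one of the `Tls11` or `Tls12` rows reports `accepted` from the machine and runtime that hosts the integration.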



Zuora Staff



Confirming that our production deployment to disable TLS 1.0 has completed (https://rest.zuora.com/...)


Our API Sandbox endpoint deployment is still in progress (https://rest.apisandbox.zuora.com/...) - will post further updates once this process has finished.


We were caught off guard by this change and it is currently causing our production calls to fail. What channels should we be monitoring or where do we subscribe to be notified of these major changes? Also, why would production have TLSv1.0 disabled at the same time as sandbox? This gives your clients no opportunity to see a failure or fully validate against an environment that does not support 1.0.


Edit: Just confirmed my email and now I see I can subscribe. Is this the best or only way to see notifications?

Zuora Staff

Hi @cshin


Two very key areas will cover just about anything involving impact to Zuora environments.


1. Subscribe to our trust page (https://trust.zuora.com) where all incident updates and maintenance details will be published and alerting email sent to subscribers

2. Subscribe to Community "Release notifications" as you already confirmed above.


As to why we elected to push the update to both environments, we understand your concern. We elected to push both due to security considerations and the fact that this could be tested with the steps provided. Your point is duly noted and I will share with our maintenance team.

Zuora Staff

Confirming that our API sandbox deployment to disable TLS 1.0 has completed (https://rest.apisandbox.zuora.com/...)


Hey Scott,


I'm curious as to why the update was first done in production rather than in the sandbox?


If it was done in sandbox first, we would have caught this error before it affected our customers.





Zuora Staff

The maintenance was launched in parallel and just happened to complete in production first. The fact that we did this on the same day was an exception which I've already called out above. Future maintenance will take a staggered approach deploying in Sandbox then Production under most circumstances.