
Zuora Staff

See updates in Red [06/03/16]

 

What is this change?  

At Zuora, our customers' trust is our #1 value, and we take the protection of our customers' data very seriously. To maintain the highest security standards and promote the protection of your data, we occasionally need to make security improvements and deprecate older encryption protocols. To maintain alignment with industry standard best practices and comply with PCI DSS requirements, Zuora will disable the use of TLS 1.0 for inbound connections to Zuora as well as outbound callouts from Zuora.

 

What will this change affect? 

This change will affect all incoming web browser based traffic as well as API traffic to both API Sandbox and Production. 

 

When will this change take place? 

We will take a phased approach to disabling TLS 1.0 for both inbound and outbound API calls to allow customers ample time to test and prepare.

 

Phase 1 - APISandbox and Services Environment

On February 4th 2016 from 7 AM PST - 11 AM PST, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for API Sandbox. 

 

From March 17th-31st 2016 7AM PST - 11AM PST, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for Services. For the specific implementation date for your service tenant, please submit a ticket through our Support Center.

 

Services Deployment Schedule

3/17/2016 Services environments with suffix ranging from 101-266

3/24/2016 Services environments with suffix ranging from 276-385

3/31/2016 All other Services environments

 

Phase 2 - Production [UPDATED 06/03/16]

Zuora will disable TLS 1.0 for all inbound calls to production on October 13th, 2016. This change will impact all channels including SOAP APIs, REST APIs and browser based traffic (UI).
 

How do I prepare for this change?  

We have split up the preparation section to cover inbound calls to Zuora for browser based traffic as well as API based traffic. 

Testing should be done prior to Feb 4th 2016 when we make the change in API Sandbox. 

 

Inbound Preparation (API and Web Browsing) 

For inbound API testing, use the endpoints listed below based on your need to test SOAP or REST APIs.

TLS1 endpoints below have been decommissioned as of 2/4/16

See the table below for common libraries and their compatibility with TLS 1.1 or higher. If the library you use is not listed here, please reach out to your software vendor for more information regarding support for TLS 1.1 or higher. 

 

| Library | TLS 1.1/1.2 Compatibility Notes |
|---|---|
| Java 8 (1.8) and higher | Compatible by default |
| Java 7 (1.7) | See Java documentation to enable TLS 1.1 and TLS 1.2 |
| Java 6 (1.6) and below | Not compatible with TLS 1.1 or higher encryption |
| .NET 4.5 and higher | Compatible by default |
| .NET 4.0 | TLS 1.2 not enabled by default. To enable TLS 1.2, it is possible to set the SchUseStrongCrypto DWORD value in the following two registry keys to 1, creating them if they don't exist: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" and "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319". |
| .NET 3.5 and below | Not compatible with TLS 1.1 or higher encryption |
| Python 2.7.9 and higher | Compatible by default |
| Python 2.7.8 and below | Not compatible with TLS 1.1 or higher encryption |
| Ruby 2.0.0 | TLS 1.2 is enabled by default when used with OpenSSL 1.0.1 or higher. Using the :TLSv1_2 (preferred) or :TLSv1_1 symbols with an SSLContext's ssl_version ensures TLS 1.0 or earlier is disabled |
| Ruby 1.9.3 and below | The :TLSv1_2 symbol does not exist in 1.9.3 and below. Ruby can be patched to add that symbol and compiled with OpenSSL 1.0.1 or higher |
| Windows Server 2008 R2 and higher | Compatible by default |
| Windows Server 2008 and below | Not compatible with TLS 1.1 or higher encryption |
| OpenSSL 1.0.1 and higher | Compatible by default |
| OpenSSL 1.0.0 and below | Not compatible with TLS 1.1 or higher encryption |
| Mozilla NSS 3.15.1 and higher | Compatible by default |
| Mozilla NSS 3.14 to 3.15 | Compatible with TLS 1.1, but not with TLS 1.2 |
| Mozilla NSS 3.13.6 and below | Not compatible with TLS 1.1 or higher encryption |

 

Inbound Browser Preparation


To test web browsing, first ensure your browser meets Zuora’s Browser Support Policy found here

Once you have confirmed you are using a supported browser and version, browse to https://tls1.apisandbox.zuora.com/apps/newlogin.do and log in to confirm you can access the environment. Below is a table listing the versions of supported browsers and their support for TLS 1.1 or higher.


| Browser | Compatibility |
|---|---|
| Desktop and mobile IE version 11 | Compatible by default |
| Desktop IE versions 9 and 10 | Capable when run in Windows 7 or newer, but not by default |
| Microsoft Edge | Compatible by default |
| Firefox 27 and higher | Compatible by default |
| Google Chrome 38 and higher | Compatible by default |
| Mobile Safari versions 5 and higher | Compatible by default |


Outbound Preparation (API) 

Integrations using Java will need to use Java 8 which supports TLS 1.1/1.2 by default. See here for more details.   

Integrations that run on Windows will need to run on Windows Server 2008 R2 or higher. This generally includes most .NET applications and Microsoft Internet Information Server (IIS). Earlier versions of Windows Server do not support TLS 1.1 or TLS 1.2. See here for details. 

Integrations which rely on OpenSSL should ensure they are using OpenSSL version 1.0.1 or newer. See here for changelogs.

 

What happens if I take no action? 

Customers are advised to immediately perform the necessary changes to ensure support for protocol versions TLS 1.1 or higher. If you have made the necessary changes, no further action is required on your part.

 

Failure to make the necessary changes before October 13th, 2016 to support TLS 1.1 or higher will result in a disruption of Zuora services for your integration.


Zuora Global Support is readily available to answer any additional questions you may have.   

Please contact us at +1-650-779-4993 or at support@zuora.com.  

 

 

52 Comments
Zuora Support Moderator

Frequently Asked Questions:

 

Q. Do we have a Test Endpoint like Salesforce has https://tls1test.salesforce.com to validate TLSv1.1 and above compatibility before even switching Sandboxes?

A. For Inbound API testing of TLS 1.1 or higher use the following endpoints listed below based on your need to test SOAP or REST API’s.

SOAP API Interface: https://tls1.apisandbox.zuora.com/apps/services/a/68.0
REST API Interface: https://tls1.apisandbox.zuora.com/rest/v1/

 

Q: How do I verify if my browser supports TLS 1.1 and above?

A: You can always verify the SSL/TLS protocol versions your browser supports by accessing the site https://www.ssllabs.com/ssltest/viewMyClient.html using the browser you intend to confirm. Look for “Your user agent has good protocol support” or specific version support under the “Protocol Features” section.

 


Q: How does this affect Salesforce (or other integrations - Avalara, Netsuite, Payment gateways, etc) - do we need to contact anyone or take action elsewhere?

A: Tenants do not need to contact any third parties who are integrated with Zuora. We are in contact with all third parties to ensure coordination for this change to avoid any disruptions to service.


Q: Do we need to restart our application after this change?

 

A: The change itself on Zuora's end is an online, non-disruptive change. However, some applications and SSL implementations are known to cache SSL attributes for a longer duration. Thus any prior connection established using TLS 1.0 before this version is disabled might require an application restart to initiate new connections on TLS 1.1 or above. Again, this is not typical or usual behaviour and depends upon the SSL client implementation.

Tutor
Salesforce has pushed out disabling TLS1.0, is Zuora still going to follow above published schedule?
Community Manager

 Hello Shalabh, 

 

We plan to continue disabling TLS 1.0 as per plan. Since Salesforce does support TLS 1.1 and higher for all callouts of Salesforce we should be OK with any such dependent integration. We will keep you posted in case of any change in the execution plan.

 

Thank you

Bibek

Tutor

Hi Bibek, 

 

We are using Oracle SOA Suite 11g for Zuora integration. Currently Oracle is facing a major bug which is causing handshake failure for TLS 1.1 and above. They are looking into this with high priority, but no timeline has been specified. I assume this would affect most of your customer base as well. We would appreciate it if the Zuora team decided to defer the execution plan, as Salesforce did.

 

Thanks,

Support SME

Hello @sapatel

 

Thank you for bringing this to our attention. Our Security Team will definitely look into the details of this Oracle bug you've mentioned and will let you know their thoughts.

Community Manager

 

Hello @sapatel

 

Thank you for bringing this to our attention. It would be great if you could provide the Oracle bug # for us to track and get more details. Also, does this bug currently impact your integration with Sandbox or Production or both? Also, we recommend checking with Oracle if there is a workaround to support TLS 1.1 and above while a permanent bugfix is released.

 

Thanks

Bibek

Tutor

Hi Bibek, 

 

Here is Oracle Bug # 22606743. We found it and raised it with Oracle. Oracle has accepted it and their development team is currently working on it.

This bug will impact both Sandbox & Production instances as Zuora moves forward with disabling TLS 1.0.

 

No Workaround in place at the moment. 

 

Thanks,
Sagar.

Tutor

One more Salesforce-related bug for your reference: Oracle Bug # 22575721.

 

Thanks

Sagar. 

Zuora Support Moderator

 Hi folks

 

Just a general reminder - The API Sandbox Test endpoint (tls1.apisandbox.zuora.com) will not be available after 2/4 change.  Thanks

Student

I am using the AQuA API to get data.  Are these endpoints affected by TLS 1.1?

 

POST https://www.zuora.com/apps/api/batch-query/

POST https://apisandbox.zuora.com/apps/api/batch-query/

Zuora Support Moderator

@kgarosshen

 

Thank you for bringing this up.  Yes, to confirm, the changes described above also apply to the AQuA API.

Zuora Staff

additional information...

 

 

Due to security incompatibility on the side of the Apigee Dev Console tool when we disable TLS 1.0 for API Sandbox on February 4, 2016, please cease the use of the Apigee Developer Console tool. We are also working to update the Knowledge Center article to remove links to the tool. There are many alternatives that work well and do not have security issues. Two alternatives are the Chrome plugins linked below:

 

Zuora Support Moderator

All

 

The phase 1 deployment has begun

 

Phase 1 - APISandbox 

On February 4th 2016 from 7 AM PST - 11 AM PST, we will enforce TLS 1.1 or higher protocols only and disable TLS 1.0 connections for API Sandbox.

 

 

As outlined above, this deployment will take approximately 2 hours to propagate through the Akamai network

Student

Hi there! 

 

Can you please advise of the schedule for disabling TLS 1.0 in Services Sandboxes?  

 

Thanks!

 

Steph

 

Community Manager

All,

 

This change will also impact Performance Test environment (Endpoint: pt1.zuora.com). TLS 1.0 will not be supported in PT1 environment as of today once the change takes effect.

 

Please feel free to reach out to us in case you have any question.

 

Thanks
Bibek

Zuora Support Moderator

Hi folks

 

We can confirm the API Sandbox TLS 1.0 disablement has been completed.  

Student

The https://tls1.apisandbox.zuora.com/apps/api/batch-query/

is not found when trying to hit the url.  A server not found message appears.  Is the server available?

 

 

Newly Enrolled

nevermind - I see the URL has changed, and now doesn't resolve...

Zuora Support Moderator

@kgarosshen - tls1.apisandbox.zuora.com endpoint was removed as outlined in the above posts

 

 

Zuora Support Moderator

@kshenk

Not enough context to respond to this or tell what the issue is.  

What version of curl are you using as some earlier versions require an update to support TLS 1.1+

Newly Enrolled

@scottb

Thanks, we believe we've gotten to the bottom of this.

Zuora Support Moderator

Greetings

 

We've heard from a few customers implementing *.NET 4.5 code that noted they had to force *.NET to use TLS 1.2 which worked to resolve the issue.  Please refer to your *.NET documentation for the changes necessary.   We would welcome any comments from other *.NET administrators on their experience with this change.

 

Best, 

 

Scott Blashek

Sr. Application Support Engineer

Zuora, Inc.

Honor Student

In a .NET client, to enable TLS 1.x programmatically:

 

// Default Protocols are Ssl3 | Tls. This is changed to support Zuora's TLS 1.1 rollout
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;

 

OR with a registry hack (source http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5/28502562#28502562):

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001
Tutor

I tried the programmatic solution posted by @zoltanmike in my code. It's working in my dev API, which I have pointing at the sandbox.

New Student

Hi , We are using AQuA API to connect to Zuora end points below.

 

https://www.zuora.com/apps/api/batch-query/

https://apisandbox.zuora.com/apps/api/batch-query/

 

We missed to test this change before it went live in the API Sandbox. 

 

Now, when we try to connect to https://apisandbox.zuora.com/apps/api/batch-query/ we are getting the following error.

 

"Error in zuora data extraction process : EOF occurred in violation of protocol (_ssl.c:581)"

 

We are not sure if this error is caused due to the change in TLS version and this is the first time we are trying to access API sandbox environment. 

 

Any help in resolving this error would be much appreciated. Thanks!

 

 

Community Manager

Hello @subashselvaraj

 

Looking at the error it looks like you are using Python library to connect Zuora. It is difficult to say, but looking at the error, it does look like error is caused due to protocol version support. Please note that you would need Python 2.7.9 in order to support TLS 1.1 & above. Please upgrade Python version and see if that helps.


Thanks

New Student

Thanks for the response.

 

We are indeed using python library to connect to Zuora. We are currently using python version 2.7.9 already. Do we need to upgrade to a higher version?

Are there any configuration changes required while connecting to https://apisandbox.zuora.com/apps/api/batch-query/ which is different from the connection to https://www.zuora.com/apps/api/batch-query/?

Community Manager

Hello @subashselvaraj

 

Python 2.7.9 should support TLS 1.1 & above. However, you need to ensure the OpenSSL library is also a compatible version - 1.0.1, I believe.

 

https://docs.python.org/2/library/ssl.html

 


 

Thanks

Bibek

New Student

Hi,

 

In our environment we created the two registry entries below successfully and I can see them in the registry. But it is still taking SSLv3/TLS 1.0.

Could you please help? Please find the environment details below.

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SchUseStrongCrypto"=dword:00000001

Environment details:

Windows Server 2008 R2 Standard,Service pack 1

64 bit

.Net framework 4.0

 

Thanks,

Mahesh

 

Zuora Support Moderator

@mpepalla

http://joymonscode.blogspot.com/2015/08/how-to-make-net-40-45-use-tls-12.html

 

According to this article, .NET 4.0 may also require a change to ServicePointManager.SecurityProtocol in addition to the registry change

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; // SecurityProtocolType.Tls12

 

New Student

Thanks Scottb!

 

I have gone through that blog .. Since it requires system.dll replace and code change we decided to upgrade our .net framework to 4.5 .

 

Thanks,

Mahesh

Support SME

If you're using the SoapUI client, here's how you can enable TLS1.1 (or 1.2 for that matter):

 

- navigate to your SOAP install directory, and open the bin directory

- locate your soapui.bat file (or soapui.sh, depending on your platform)

- locate JAVA_OPTS

- add the following line: 

    set JAVA_OPTS=%JAVA_OPTS% -Dsoapui.https.protocols="TLSv1.1,TLSv1.2"

- Example, my bat file looks like this:

[Screenshot: soapui.JPG]

Community Manager

All,

 

SSLv3 was just an example for syntax. Please do NOT add SSLv3. This is a legacy, unsecure protocol and Zuora does not support any version of SSL protocol any longer. You can add TLS 1.1 if you prefer to keep both though. 

 

To add both TLS 1.1 and TLS 1.2 support you could use the Java params below.

 

-Dsoapui.https.protocols="TLSv1.1,TLSv1.2"

Scholar

Hello,

 

Phase 2 - Production

We are re-scheduling deprecation of TLS 1.0 for production environments, the new date will be updated here shortly.

 

I assume you don't have a new date but I just want to confirm that it will not be on April 7th that was planned.

 

Thanks

Chris

Community Manager

@cmcbrayer Yes, that's correct that we don't have a new date.  We will announce the new date as soon as it's available.  

 

Thanks for your patience!

 

Lana

Community Manager

Zuora, Inc.

Zuora Support Moderator

Hi folks

 

Just expanding on the Python requirements somewhat based on some additional feedback internally, here's what we understand to this point.

 

Python 2.7.8 and before is not compatible with TLS 1.1+
Python 2.7.9 is compatible (but requires patching and dependency on OpenSSL version supporting appropriate TLS version)
Python 3.2.4 is compatible by default

 

I would encourage other Python users to share their experience with the recent TLS changes and what they had to do in support of TLS 1.1+

Tutor

Excuse me , I have a question, please give me some advice. Thank you!

I used SoapUI to test the SOAP API login() method, but it failed.

I got some error like this,

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

  • Mon Apr 11 10:34:26 GMT+09:00 2016:ERROR:javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
  • javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
  • at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
  • at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
  • ......
  • Caused by: java.io.EOFException: SSL peer shut down incorrectly
  • at sun.security.ssl.InputRecord.read(Unknown Source)

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

URL :https://apisandbox.zuora.com/apps/services/a/76.0

I filled the <api:username> and <api:password> tags with my username and password,

then launched.

I tried some methods, but it did not work at all.

Please give me some advice. Thank you very much!

Support SME

Hi @ryurin , the handshake error is the result of the wrong protocol being used.

 

Please see my previous comment on how to configure SoapUI for TLS1.1+ and how to start it using the new configuration - this is the very method I am using since we have deprecated the old TLS protocol on Sandbox:

 

http://community.zuora.com/t5/Zuora-Announcements/Action-Required-Zuora-is-Disabling-TLS-1-0/bc-p/81...

Tutor

Hi, @Viktor

Thank you for your reply.

I made the following changes.

【SoapUI-5.2.1.vmoptions】

add this line

-Dsoapui.https.protocols=TLSv1.2

then it works very well, this problem is solved!

Thank you very much!

Senior Tutor

I just wanted to share that I tried Python 2.7.10 as well as 2.7.11 and neither uses TLS 1.1 by default. I built 2.7.11 with OpenSSL 1.0.1 and that allowed me to connect, but this won't work for me in my production environment.

Zuora Staff

I've updated the post with new information, please check the original post above.

Scholar

Phase 2 - Production [UPDATED 4/27/16]

We expect to have an update to the timeline for deprecation in the next few weeks. We will provide at least 90 days notice prior to ending support for TLS 1.0 in production to ensure customers have sufficient time to update mission critical applications.

 

Has a new date been decided? @monique

Zuora Staff

Hello Nikki,

 

We will have a new date next week. Once we have the new date, we will post this on the community. Thank you for your patience.

Zuora Staff

I've updated the post with new information, please check the original post above.

Senior Tutor

I am using .NET 4.0 client to connect to zuora soap client. First of all, TLS 1.2 does not work automatically from .NET 4.5. My local project started working when I upgraded to .NET 4.6. However, the behavior was really erratic.

Our dev servers with .NET 4.0 required the SchUseStrongCrypto registry key for it to work. Same thing failed on Test servers though :) Finally had to install .NET 4.6 on all servers to get them to work. They still fail without the SchUseStrongCrypto registry key.

 

We had another Web application running on IIS 7.5 and using .NET 4.6. This app failed even with the SchUseStrongCrypto registry key enabled. After lot of googling, came across the following solution:

 

            if (System.Net.ServicePointManager.SecurityProtocol == (SecurityProtocolType.Ssl3 | SecurityProtocolType.Tls))
                System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

 

This is similar to Scottb's response to @mpepalla

ServicePointManager.SecurityProtocol = (SecurityProtocolType)3072; 

 

Zuora Support Moderator

Adding additional information for Python, thanks to Nathan for providing it.

 

Python 2.7.9 and higher

Compatible by default when used with OpenSSL 1.0.1 or higher

Python 2.7.8 and below

Not compatible with TLS 1.1 or higher encryption, using OpenSSL 1.0.1 or higher has been reported to make it work on some OS

Scholar

Hello

 

I don't see what time you plan to cut the TLS 1.0 October 13
Is it possible to indicate this info in your communications ?

 

Eric

Zuora Support Moderator

Hi @LE04935_TCS, confirming the 10/13/2016 timing of the TLS 1.0 deprecation:

7AM PST - 11AM PST

Support SME

For PHP, we recommend OpenSSL 1.0.1 or higher.

Honor Student

A NOTE TO PYTHON DEVELOPERS

 

All of the Zuora Python libraries I've seen, that use the SOAP API, are based on a single module: 'suds'. This module has been dead for almost 7 years and it relies on urllib2 but the suds developers never thought to build in a way for you to specify what SSL version you want to use.

 

 

For example, in Python 2.7.9+, you can do something like:

 

import ssl
import urllib2

# PROTOCOL_SSLv23 negotiates the highest protocol version both sides support
context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
urllib2.urlopen('https://example.com', context=context).close()

 

Doing something like the above would require modification of the suds module, which looks like my only option until the REST API becomes useful.

 

Python 2.7.8 and earlier is more complicated as you would have to ssl.wrap_socket() but I won't go into details there as you probably should have upgraded by now anyway.

 

For more information on the SSL implementation of Python, please visit https://docs.python.org/2/library/ssl.html#security-considerations
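
Added example, not part of any post in this thread and not Zuora's code: a small triage script that flags the handshake-failure messages quoted above in client logs and reports whether the local Python ssl module can meet the TLS 1.1+ requirement. It assumes Python 3.7 or later; the function names, the sample log and the TLS 1.2 floor are choices made for this example, and a signature match is a lead for a protocol mismatch, not proof of one.

```python
import re
import socket
import ssl

# Failure messages quoted by posters in this thread, tagged by client stack.
SIGNATURES = [
    ("python-ssl", re.compile(r"EOF occurred in violation of protocol")),
    ("java-jsse", re.compile(
        r"SSLHandshakeException: Remote host closed connection during handshake")),
    ("java-jsse", re.compile(r"EOFException: SSL peer shut down incorrectly")),
]

# Constructed sample log; lines 2-4 reuse error text posted in the thread.
SAMPLE_LOG = [
    "2016-03-07 10:00:01 INFO starting batch-query export",
    "Error in zuora data extraction process : "
    "EOF occurred in violation of protocol (_ssl.c:581)",
    "ERROR:javax.net.ssl.SSLHandshakeException: "
    "Remote host closed connection during handshake",
    "Caused by: java.io.EOFException: SSL peer shut down incorrectly",
    "2016-03-07 10:00:09 ERROR HTTP 401 invalid credentials",
]


def triage(log_lines):
    """Return (line_number, client_stack) for each line matching a signature."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for stack, pattern in SIGNATURES:
            if pattern.search(line):
                hits.append((line_no, stack))
                break
    return hits


def runtime_report():
    """Describe what this interpreter's ssl module is linked against."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        # The thread names OpenSSL 1.0.1 as the minimum for TLS 1.1/1.2.
        "openssl_at_least_1_0_1": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        "tls1_1": ssl.HAS_TLSv1_1,
        "tls1_2": ssl.HAS_TLSv1_2,
    }


def strict_context():
    """Client context that refuses TLS 1.0 and older, with cert checks on."""
    ctx = ssl.create_default_context()
    # TLS 1.2 as the floor satisfies the "TLS 1.1 or higher" requirement.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiated_version(host, port=443, timeout=10.0):
    """Connect to an endpoint you operate or integrate with and return the
    protocol version actually negotiated, e.g. 'TLSv1.2'."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with strict_context().wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print(runtime_report())
    for line_no, stack in triage(SAMPLE_LOG):
        print("line %d: possible TLS version mismatch (%s client)"
              % (line_no, stack))
```

The context returned by strict_context() can be passed to urllib.request.urlopen(..., context=...) or to an HTTPSHandler, which is the hook the last post says suds lacks.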