Ensure your apps are TLS 1.2 compliant by May 13th, 2019 - All TLS 1.0 traffic will be blocked

Follow

New post

jcleblanc

• August 24, 2018 16:26

Hi Box Developers,

 

As previously communicated, Box has ended support for TLS 1.0 as of June 25th, 2018. On May 13th, 2019, starting at 8:00am PDT, Box will start blocking all TLS 1.0 traffic coming from custom Box platform applications. 

 

To ensure the continued functionality of your applications, please test and upgrade (if needed) your application environments by following these directions in the docs. Over the last 6-12 months regular email communications have been sent to the developer, support, and admin contacts of any affected applications sending Box requests using TLS 1.0. If you have received these messages and haven't taken action, your application will be impacted by the shutoff on May 13th.

 

What is TLS and why is this upgrade necessary? 

TLS is the protocol used when you transfer information to and from Box APIs to keep that data secure. TLS 1.0 is no longer a secure standard for sending sensitive information, which is why we are undergoing the process of blocking all TLS 1.0 traffic. It is imperative that your systems be upgraded to use at least TLS 1.2. 

 

What will happen after May 13, 2019 if I don’t upgrade?

After May 13th Box will start to block all API requests made using TLS 1.0. All requests made to Box systems with your custom applications using TLS 1.0 will start to return errors rather than the expected API responses.

 

How do I upgrade my version of TLS?

• Admin / Support: Contact the developer of the application(s) listed above to begin the upgrade process or disable the application if they are unneeded. Admins may view / disable the applications through these steps.
• App Developer: Instructions on how to test and upgrade your systems is available in our developer documentation.

 

How do I get support for this upgrade if I have questions?

For any questions or for addition support, please file a support ticket.

 

 

Thanks all,

Jon

0

• 

  MrClarify

  • October 12, 2018 02:22

  Thank you Jon. I just updated for all my clients.

  0

  Comment actions Permalink
• 

  Mike123456

  • October 30, 2018 11:04

  Hi 

   

  I have been following the instructions as outlined, and have used the server https://api-test.box.com/2.0/ as directed.

  I also have a WebDAV client currently in use that I would like to test as well.  I realize WebDAV is being deprecated as well, but we will still need to use it after Nov 12th.

  Can you please provide the WebDAV URL to connect to the test server?

   

  Thanks

  Mike

  0

  Comment actions Permalink
• 

  jcleblanc

  • November 04, 2018 08:31

  Hi ,

   

  For WebDAV you'll have to check with the client you're using on direct support, as per this guide. Updating that client to one that supports TLS 1.1+ should be sufficient. 

   

  Thanks,

  Jon

  0

  Comment actions Permalink
• 

  rockstheparty

  • December 04, 2018 13:35

  For 3rd party integrations using the box-ios-sdk, what (if anything) do we need to do to ensure we are compliant? There is no mention of it in the documentation here: https://developer.box.com/docs/tls-1

  0

  Comment actions Permalink
• 

  jcleblanc

  • December 13, 2018 15:39

  Hi ,

   

  I believe that iOS version 5.0 or later supports TLS 1.1/1.2 out of the box. As long as you're not on an old version there should be no changes that are needed with the iOS SDK.

   

  - Jon

  0

  Comment actions Permalink
• 

  iancrew

  • December 19, 2018 07:46

  As a Box Admin, is there any way for me to generate a report showing which non-TLS-1.2-compliant apps are being used to connect to our Box enterprise, and which users are using those apps?

   

  Thanks,

   

  Ian

  0

  Comment actions Permalink
• 

  jcleblanc

  • December 19, 2018 09:56

  Hi ,

   

  For the impacted apps, not directly within the admin reports, but there are a few options:

  1. We will be generating reports of the impacted apps and will send out regular comms to the developer, support, and admin contacts for those apps. The next report is slated for early January, and they will be on a regular monthly cadence after that. Once we get closer to the May 13th date those will increase in frequency.
  2. If you contact Box support they should be able to tell you which applications are sending non-compliant requests, if any.

  For the users, I believe you may be able to extract that through:

  1. The user activity report. Under the "Details" column you'll see entries such as "Service: ###". For app specific traffic that ### will be your app name, and the action / user that took the action will be in the "User" column.
  2. The platform activity report. This will be a bit more drawn out, but the "App Name" column will give you the name of the app, then the "Value" column will add in the user ID of a user if they took the action. Those user IDs can then be looked up for additional information via the Postman collection, CLI, or APIs. 

  Contacting Box support is also definitely a direct way of ascertaining that data. 

   

  Thanks,

  Jon 

  0

  Comment actions Permalink

Please sign in to leave a comment.