Shopify is Deprecating its Support of TLS 1.0 and 1.1

Shopify Staff

Update June 1st 5:10pm EDT

Update: We will be extending the deadline; TLS 1.0 and 1.1 should be able to connect again. I will share more information when I have a specific date. However, this date will be before June 30th, 2018, as that is the global deprecation date, after which you will not be PCI Compliant.

The extended deadline is June 20th, 2018. 

Hey All,

As part of our commitment to providing a safe and secure platform, as of May 31, 2018, Shopify will be halting support for outdated TLS 1.0 and 1.1 security protocols.

Why is Shopify making this change?

This update is being made in accordance with new regulations set by the Payment Card Industry Data Security Standard (PCI). To read the official statement from PCI on TLS 1.0, click here.

What action am I required to make?

In order for your app to continue to function on Shopify, you will need to ensure that your applications are able to connect with our APIs using TLS 1.2. If your app only supports TLS 1.0 or 1.1, you will need to upgrade it to 1.2 by May 31st, 2018.

If you have any questions about this change, please read our Help Center page or contact apps@shopify.com

Thanks,

Shopify Apps Team

Developer Experience @ Shopify
1 Like
Shopify Partner

No problem, but short notice. You might want to email partners directly on this.

0 Likes
Shopify Expert

I'm with Jack. We will need more time to make sure our customers are compliant with this.

1 Like
Shopify Partner

@Jack @Paul: There is a subscribe button in the API Changes forum. Once you're subscribed you'll receive a mail whenever there are any updates: https://ecommerce.shopify.com/c/api-announcements/t/api-announcements-forum-subscribe-to-stay-up-to-...

0 Likes
Shopify Staff

Thanks for the feedback Jack, there are already e-mails scheduled to go out in conjunction with this post.

Paul, this is also being communicated to merchants, so they should be aware as well.

Developer Experience @ Shopify
0 Likes
Shopify Partner

@Ryan

Given the short notice, can Shopify provide a test endpoint that only supports TLS1.2 so app developers can test against it for compliance before the deadline? The test endpoint can reply back whether the connection is TLS1.2 compliant or not.

Otherwise quite a bit of scrambling will happen on the cutover date which can be avoided by allowing app developers to test ahead of time.

I think it is a fair request. Ideally the test endpoint should not require any api permissions to connect.

5 Likes
Shopify Staff

Hi Naren,

Thanks for the request, the team will look into the feasibility of this.  There are however plenty of tools and resources available for testing TLS 1.2 outside of the Shopify domain.

Cheers,

Ryan

Developer Experience @ Shopify
0 Likes
Shopify Partner

Thanks to the apps team for looking into providing a test endpoint. That would be the best option for developers to be 100% sure of compliance ahead of the deadline.

In the meantime, please share some of the tools outside of Shopify domain to test TLS 1.2 compliance that you mentioned in your reply. It will be useful for anyone following this thread.

0 Likes
Shopify Partner

I agree with Naren on providing a test endpoint.

0 Likes
Shopify Staff

One great tool is https://www.ssllabs.com/ssltest/ for testing your web server.  If you prefer to run your scans locally there are great open source tools such as https://github.com/prbinu/tls-scan.  Many more are available if these don't fit your specific case, just a quick search away!

Developer Experience @ Shopify
0 Likes
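
Added example (not part of the thread and not Shopify's code): the requirement in the announcement is on an app's outbound connections to the API, so this Python snippet captures the ClientHello the local runtime would send, entirely offline, and reports the highest TLS version it offers. The function names and the `example.invalid` host are assumptions made for illustration.

```python
import ssl
import struct

NAMES = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def client_hello(ctx: ssl.SSLContext, host: str = "example.invalid") -> bytes:
    """Start a handshake against in-memory BIOs and return the raw ClientHello record."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=host)  # host is a placeholder
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written and the client now waits for a server
    return outgoing.read()

def highest_offered(record: bytes) -> int:
    """Return the highest protocol version a ClientHello record offers."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                                # record + handshake headers
    versions = [struct.unpack_from("!H", record, pos)[0]]  # client_version field
    pos += 2 + 32                                          # version + random
    pos += 1 + record[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]    # cipher_suites
    pos += 1 + record[pos]                                 # compression_methods
    # A hello without extensions ends here; otherwise read the extensions length.
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0] if pos + 2 <= len(record) else pos
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 43:  # supported_versions replaces the legacy field (TLS 1.3)
            body = record[pos + 1:pos + ext_len]
            versions = [struct.unpack_from("!H", body, i)[0] for i in range(0, len(body) - 1, 2)]
        pos += ext_len
    # Ignore GREASE placeholders (0x?a?a) that some clients add.
    return max(v for v in versions if (v & 0x0F0F) != 0x0A0A)

def offers_tls12(ctx: ssl.SSLContext) -> bool:
    """True if this client configuration offers TLS 1.2 or later."""
    return highest_offered(client_hello(ctx)) >= 0x0303

def tls12_only_context() -> ssl.SSLContext:
    """Client context pinned to TLS 1.2, to prove that version itself works."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

if __name__ == "__main__":
    v = highest_offered(client_hello(ssl.create_default_context()))
    print(ssl.OPENSSL_VERSION, "offers up to", NAMES.get(v, hex(v)))
```

Offering TLS 1.2 is necessary but not sufficient: cipher suite overlap and certificate validation are only exercised by a real connection.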