Shopify is Deprecating its Support of TLS 1.0 and 1.1

Highlighted
Shopify Staff
Shopify Staff
257 1 63

Update June 1st 5:10pm EDT

Update; We will be extending the deadline, TLS 1.0 and 1.1 should be able to connect again.  I will share more information when I have a specific date.  However, this date will be before June 30th 2018, as that is the global deprecation date, after which you will not be PCI Compliant.

The extended deadline is June 20th, 2018. 

Hey All,

 

As part of our commitment to providing a safe and secure platform, as of May 31, 2018, Shopify will be halting support for outdated TLS 1.0 and 1.1 security protocols.

Why is Shopify making this change?

This update is being made in accordance with new regulations set by the Payment Card Industry Data Security Standard (PCI). To read the official statement from PCI on TLS 1.0, click here.

What action am I required to make?

In order for your app to continue to be function on Shopify, you will need to ensure that your applications are able to connect with our APIs using TLS 1.2. If your app only supports TLS 1.0 or 1.1, you will need to upgrade it to 1.2 by May 31st, 2018.

If you have any questions about this change, please read our Help Center page or contact apps@shopify.com

 

Thanks,

Shopify Apps Team

Developer Experience @ Shopify
1 Like
Shopify Partner
40 0 0

No problem, but short notice. You might want to email partners directly on this.

0 Likes
Shopify Partner
3 0 2

I'm with Jack. We will need more time to make sure our customers are compliant with this.

1 Like
Shopify Partner
100 0 7

@Jack @Paul: There is a subscribe button in the API Changes forum. Once you're subscribed you'll receive a mail whenever there are any updates: https://ecommerce.shopify.com/c/api-announcements/t/api-announcements-forum-subscribe-to-stay-up-to-...

 

 

0 Likes
Shopify Staff
Shopify Staff
257 1 63

Thanks for the feedback Jack, there is already e-mails scheduled to go out in conjuction with this post.

 

Paul, this is also being communicated to merchants, so they should be aware as well.

Developer Experience @ Shopify
0 Likes
Excursionist
34 0 22

@Ryan

Given the short notice, can Shopify provide a test endpoint that only supports TLS1.2 so app developers can test against it for compliance before the deadline? The test endpoint can reply back whether the connection is TLS1.2 compliant or not.

Otherwise quite a bit of scrambling will happen on the cutover date which can be avoided by allowing app developers to test ahead of time.

I think it is a fair request. Ideally the test endpoint should not require any api permissions to connect.

 

 

5 Likes
Shopify Staff
Shopify Staff
257 1 63

HI Naren,

Thanks for the request, the team will look into the feasibility of this.  There are however plenty of tools and resources available for testing TLS 1.2 outside of the Shopify domain.

Cheers,

Ryan

Developer Experience @ Shopify
0 Likes
Excursionist
34 0 22

Thanks to the apps team for looking into providing a test endpoint. That would be the best option for developers to be 100% sure of compliance ahead of the deadline.

In the meantime, please share some of the tools outside of Shopify domain to test TLS 1.2 compliance that you mentioned in your reply. It will be useful for anyone following this thread.

0 Likes
Tourist
25 0 3

I agress with Naren for providing a test endpoint.

0 Likes
Shopify Staff
Shopify Staff
257 1 63

One great tool is https://www.ssllabs.com/ssltest/ for testing your web server.  If you prefer to run your scans locally there are great open source tools such as https://github.com/prbinu/tls-scan.  Many more are available if these don't fit your specific case, just a quick search away!

Developer Experience @ Shopify
0 Likes