Shopify is Deprecating its Support of TLS 1.0 and 1.1

Ryan
Shopify Staff

Update June 1st 5:10pm EDT

Update: We will be extending the deadline; TLS 1.0 and 1.1 should be able to connect again. I will share more information when I have a specific date. However, this date will be before June 30th 2018, as that is the global deprecation date, after which you will not be PCI Compliant.

The extended deadline is June 20th, 2018. 

Hey All,

 

As part of our commitment to providing a safe and secure platform, as of May 31, 2018, Shopify will be halting support for outdated TLS 1.0 and 1.1 security protocols.

Why is Shopify making this change?

This update is being made in accordance with new regulations set by the Payment Card Industry Data Security Standard (PCI). To read the official statement from PCI on TLS 1.0, click here.

What action am I required to make?

In order for your app to continue to function on Shopify, you will need to ensure that your applications are able to connect with our APIs using TLS 1.2. If your app only supports TLS 1.0 or 1.1, you will need to upgrade it to 1.2 by May 31st, 2018.

If you have any questions about this change, please read our Help Center page or contact apps@shopify.com

 

Thanks,

Shopify Apps Team

Ryan | Shopify 
 - Was my reply helpful? Click Like to let me know! 
 - Was your question answered? Mark it as an Accepted Solution
 - To learn more visit the Shopify Help Center or the Shopify Blog

Replies 41 (41)
Jack_Lee3
Shopify Partner

No problem, but short notice. You might want to email partners directly on this.

Paul_Cannon
Shopify Expert

I'm with Jack. We will need more time to make sure our customers are compliant with this.

Johannes_Hodde
Shopify Partner

@Jack @Paul: There is a subscribe button in the API Changes forum. Once you're subscribed you'll receive a mail whenever there are any updates: https://ecommerce.shopify.com/c/api-announcements/t/api-announcements-forum-subscribe-to-stay-up-to-...

 

 

Ryan
Shopify Staff

Thanks for the feedback Jack, there are already e-mails scheduled to go out in conjunction with this post.

 

Paul, this is also being communicated to merchants, so they should be aware as well.


Naren1
Shopify Partner

@Ryan

Given the short notice, can Shopify provide a test endpoint that only supports TLS1.2 so app developers can test against it for compliance before the deadline? The test endpoint can reply back whether the connection is TLS1.2 compliant or not.

Otherwise quite a bit of scrambling will happen on the cutover date which can be avoided by allowing app developers to test ahead of time.

I think it is a fair request. Ideally the test endpoint should not require any api permissions to connect.

 

 

Ryan
Shopify Staff

Hi Naren,

Thanks for the request, the team will look into the feasibility of this.  There are however plenty of tools and resources available for testing TLS 1.2 outside of the Shopify domain.

Cheers,

Ryan


Naren1
Shopify Partner

Thanks to the apps team for looking into providing a test endpoint. That would be the best option for developers to be 100% sure of compliance ahead of the deadline.

In the meantime, please share some of the tools outside of Shopify domain to test TLS 1.2 compliance that you mentioned in your reply. It will be useful for anyone following this thread.

Jayvin
Shopify Partner

I agree with Naren for providing a test endpoint.

Ryan
Shopify Staff

One great tool is https://www.ssllabs.com/ssltest/ for testing your web server.  If you prefer to run your scans locally there are great open source tools such as https://github.com/prbinu/tls-scan.  Many more are available if these don't fit your specific case, just a quick search away!


Naren1
Shopify Partner

@Ryan

You wrote on this thread 2 weeks back that the apps team is looking into providing a test API endpoint for app developers to test TLS 1.2.

Can you update us when it will be available so we can conduct our final tests against the test endpoint before the deadline at the end of this month?

Ryan
Shopify Staff

Hi Naren,

The team will not be providing an endpoint to test against before the deadline.  It is recommended to check into using some of the many free tools and guides available online for free.

 

Ryan


Naren1
Shopify Partner

Thanks for letting us know.

Ryan
Shopify Staff

These changes are now live.

Cheers!


ClementG
Shopify Partner

We stopped receiving all webhooks since the change went live.

We can still call the REST API fine.

We support TLS 1.2  connection so I don't understand what's going on.

ClementG
Shopify Partner

Is this change impacting webhooks?

Brian_Campbell
Tourist

Same here; I'm running with TLS 1.2 and my webhooks stopped arriving yesterday.

ClementG
Shopify Partner

This post is saying HTTP webhooks will be removed on Jan 1st 2019 so I would think this is not related to this change.

https://ecommerce.shopify.com/c/api-announcements/t/http-webhooks-being-removed-509969

andrew_hawke
Shopify Partner

My webhooks have stopped working as well. Been fine for the last 12 months. The rest of the app (pos embedded, carrier shipping service etc) is working fine.

I ran ssllabs.com against my app and it gave me an A. It says I'm only talking on TLS1.2.

Frank17
Tourist

I have multiple sites with non-working webhooks too. Also confirmed that we're using TLS 1.2.