Update June 1st 5:10pm EDT
Update: We will be extending the deadline; TLS 1.0 and 1.1 should be able to connect again. I will share more information when I have a specific date. However, this date will be before June 30th, 2018, as that is the global deprecation date, after which you will not be PCI compliant.
The extended deadline is June 20th, 2018.
As part of our commitment to providing a safe and secure platform, as of May 31, 2018, Shopify will be halting support for outdated TLS 1.0 and 1.1 security protocols.
Why is Shopify making this change?
This update is being made in accordance with new regulations set by the Payment Card Industry Data Security Standard (PCI). To read the official statement from PCI on TLS 1.0, click here.
What action am I required to make?
In order for your app to continue to function on Shopify, you will need to ensure that your applications are able to connect with our APIs using TLS 1.2. If your app only supports TLS 1.0 or 1.1, you will need to upgrade it to 1.2 by May 31st, 2018.
Shopify Apps Team
@Jack @Paul: There is a subscribe button in the API Changes forum. Once you're subscribed you'll receive a mail whenever there are any updates: https://ecommerce.shopify.com/c/api-announcements/t/api-announcements-forum-subscribe-to-stay-up-to-...
Thanks for the feedback Jack, there are already e-mails scheduled to go out in conjunction with this post.
Paul, this is also being communicated to merchants, so they should be aware as well.
Given the short notice, can Shopify provide a test endpoint that only supports TLS1.2 so app developers can test against it for compliance before the deadline? The test endpoint can reply back whether the connection is TLS1.2 compliant or not.
Otherwise quite a bit of scrambling will happen on the cutover date which can be avoided by allowing app developers to test ahead of time.
I think it is a fair request. Ideally the test endpoint should not require any api permissions to connect.
Thanks for the request, the team will look into the feasibility of this. There are however plenty of tools and resources available for testing TLS 1.2 outside of the Shopify domain.
Thanks to the apps team for looking into providing a test endpoint. That would be the best option for developers to be 100% sure of compliance ahead of the deadline.
In the meantime, please share some of the tools outside of the Shopify domain to test TLS 1.2 compliance that you mentioned in your reply. It will be useful for anyone following this thread.
One great tool is https://www.ssllabs.com/ssltest/ for testing your web server. If you prefer to run your scans locally there are great open source tools such as https://github.com/prbinu/tls-scan. Many more are available if these don't fit your specific case, just a quick search away!
You wrote on this thread 2 weeks back that the apps team is looking into providing a test API endpoint for app developers to test TLS 1.2.
Can you update us when it will be available so we can conduct our final tests against the test endpoint before the deadline at the end of this month?
The team will not be providing an endpoint to test against before the deadline. It is recommended to check into using some of the many free tools and guides available online for free.
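Added example, not part of the thread and not Shopify's code: a scanner such as ssllabs tests a web server from outside, while the requirement in the announcement is about the app's own outbound connections, so this sketch checks the client side with Python's standard `ssl` module. The host names are whatever the user passes on the command line, and `api.example.invalid` is a placeholder used only to build an in-memory ClientHello.

```python
import socket
import ssl

# Wire value of ClientHello.legacy_version -> name (TLS 1.3 also sends 3,3)
NAMES = {(3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2 or later"}

def client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Verified client context that refuses anything below `minimum`,
    which mirrors how a TLS 1.2-only API endpoint will treat the client."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx

def offered_version(ctx):
    """Offline check: build a ClientHello in memory and read the highest
    legacy version this runtime offers. No packet leaves the machine."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="api.example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server attached, only the first flight is needed
    hello = outgoing.read()
    # 5-byte record header, 1-byte handshake type, 3-byte length, then version
    if len(hello) < 11 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    return NAMES.get((hello[9], hello[10]), "unknown")

def negotiated_version(host, port=443, timeout=10):
    """Online check: handshake with `host` and return e.g. 'TLSv1.2',
    or None if no TLS 1.2+ session could be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with client_context().wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None

def is_compliant(version):
    """True only for protocol versions still accepted after the deprecation."""
    return version in ("TLSv1.2", "TLSv1.3")

if __name__ == "__main__":
    import sys
    print("runtime:", ssl.OPENSSL_VERSION, "| offers:", offered_version(client_context()))
    for host in sys.argv[1:]:  # hosts supplied by the user
        v = negotiated_version(host)
        print(host, v, "OK" if is_compliant(v) else "FAIL")
```

Run it with the same interpreter and OpenSSL build the app uses in production, since the result reflects that runtime and not the machine it was developed on.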
We stopped receiving all webhooks since the change went live.
We can still call the REST API fine.
We support TLS 1.2 connection so I don't understand what's going on.
This post is saying HTTP webhooks will be removed on Jan 1st 2019 so I would think this is not related to this change.
My webhooks have stopped working as well. Been fine for the last 12 months. The rest of the app (pos embedded, carrier shipping service etc) is working fine.
I ran ssllabs.com against my app and it gave me an A. It says I'm only talking on TLS1.2.