For partners that build or integrate commercially available applications and service solutions with the Oracle Cloud Platform
For partners that provide implementation or managed services around Oracle Cloud Applications
Announcement:
With the upcoming disablement of TLS 1.0 protocol for Oracle Service Cloud (see CX Answer https://cx.rightnow.com/app/answers/detail/a_id/8576) this change, depending on your end user’s browser, may result in them receiving an error message stating that the browser they are currently using needs to support at least TLS 1.1.
This, in the very basic form, would be confusing to most end users especially during a time when they are accessing your support site for a means to solve a particular issue. If your end users do not upgrade their browser, they will not be able to access your customer portal pages.
The code snippet below works for CPv3 users. We are currently looking at solutions for CPv2 users.
Therefore, the Customer Portal development team proposes that starting immediately, you modify customer/development/views/ templates/standard.php and place this code snippet (found below) at the bottom of the template file. This is needed in order to proactively address this situation before it becomes an issue.
DISCLAIMER: THE CODE SNIPPET IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. THIS CODE IS NOT SUPPORTED BY ORACLE WHEREAS TECHNICAL SUPPORT IS NOT RESPONSIBLE FOR ENSURING IT WORKS ON YOUR MACHINE.
Background:
TLS 1.0 protocol is known to be vulnerable to attacks and is widely considered to be an obsolete encryption method. Aside from Oracle, The Payment Card Industry Security Standards Council (PCI SSC) and the National Institute of Standards and Technology (NIST) recommends transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).
Additional information about TLS can be found under the "General Product Discussion" forum at https://cloudcustomerconnect.oracle.com/posts/302950cd55
Support for TLS protocol version 1.0 will be disabled in the Oracle Service Cloud production environments on the following dates:
- PCI Environment: on January 31st, 2017.
- Non PCI Environment: on May 2 - June 20th, 2017*.
*TLS 1.0 will be shut down in Non PCI environments on a phased approach starting May 2nd and ending on June 20th, 2017. All Customer Administrators will be individually notified on the specific date when their site(s) will be disabled from TLS 1.0 protocol.
Comment
Added this code to standard PHP in development and it does nothing to my CP pages. What am I missing?
Average Rating:



2 ratings
|
Sign in to rate this
Are you looking at it in development mode? Have you pushed your page to staging/production?
Average Rating:



1 rating
|
Sign in to rate this
I am looking in development. I have not pushed to prod yet. Does this message only show if you have an older browser?
Average Rating:



1 rating
|
Sign in to rate this
Oh. Yeah. That is true. I was assuming that your browser was not compliant.
It will only display the banner if you do not have the capability to have TLS 1.1 or above
See my attached image for more details
Average Rating:



1 rating
|
Sign in to rate this
I need some help getting this to work. Does it matter where in the php file I put the code? I tried at the end of the header and at the end of the body. I also tried IE and modified the settings to only use TLS 1.0. I was viewing my site in development area. Nothing happens differently.
Average Rating:



1 rating
|
Sign in to rate this
Seems to be a number of questions about this.
I am going to head back to the drawing board and check out a new site and apply the changes per the instructions above as I have them written to make sure I didn't forget a step or two.
Average Rating:



1 rating
|
Sign in to rate this
Is there an update to this? What file do you recommend I put this into?
Average Rating:



1 rating
|
Sign in to rate this
Thanks, I tested with tls1.0 only browser and saw the message on the top of the screen.
Average Rating:



1 rating
|
Sign in to rate this
Ryan,
There are many places where you can place the code snippet. I just completed an example where I placed it at the end of my standard.php file below the </body> tag and above the </html> tag. I then unchecked TLS 1.1 and 1.2 on the Internet Options Advanced tab and reloaded my page (in development mode) and saw the banner located at the top of the page.
If you are not able to get this to work, feel free to send me a PM with a screenshot. Thank you.
Average Rating:



1 rating
|
Sign in to rate this
Willie, can you expand on what will happen after the shut-off date? You say:
Is there anything we can do to at least give some message to the enduser? Have you had the opportunity to test a site where TLS 1.0 support has already been shut off?
Average Rating:



1 rating
|
Sign in to rate this
Yes. There is something that we can do - take the code snippet that is provided in the original post and add it where I had specified (standard.php). If you do this today, then the next 2 (or 6 months depending on if you are hosted on a PCI environment) your users that do not have a compliant browser will be reminded to upgrade/update as necessary.
If for whatever reason your end-user does not upgrade/update or if they hit your site after the TLS change happened, then they will likely see this attached message which will direct them to make adjustments to their browser and reload the page.
We are simply trying to be proactive in getting the word out about TLS 1.0 and promoting the upgrade/update.
Average Rating:



2 ratings
|
Sign in to rate this
Hello,
I was able to test this piece code and it is working. Here is how I did the test (in detail if needed).
Be sure to revert your configuration in IE and unselect TLS 1.0
For me the message is useless for any user (even for me, we should have something more detailed on what's going on), it does not explain what is the problem and further more if someone will reach the web site after TLS1.0 has been disabled he will find a potential blank page so no explanation at all on what's going on. This is weird.
We are also checking but we may have customers with company configuration that are still using TLS1.0 (old application not compatible with newer browser) and may require their IT to re-image all systems... I hope this will not be the case
Hope this helps
Regards
Norbert
Average Rating:



5 ratings
|
Sign in to rate this
I've got it working now. Changing the location of the script to between </BODY> and </HTML> worked.
A new question: it appears the code is checking for TLS <1.2, yet the point of this is that TLS 1.0 is being depracated. So technically TLS 1.1 is still supported, right? I figure it's easy enough to change it to check TLS <1.1 but wondering why that wasn't done initially.
Average Rating:



1 rating
|
Sign in to rate this
Good catch. I have no answer as to why its checking for < 1.2 as opposed to < 1.1
Code snippet changed.
Average Rating:



1 rating
|
Sign in to rate this
I have added the above code between the </body> and </html> in the \euf\development\views\templates file. Unchecked Use TLS 1.1 and Use TLS 1.2 in IE 11. Logged into the Development Area and the message does not appear. What have I missed?
Average Rating:



2 ratings
|
Sign in to rate this