B2C Servicepublic

Customer Portal

Get Involved. Join the Conversation.

This is a public Forum  public

Topic

    Willie Eide
    TLS 1.0 Announcement - Informing Your End Users
    Topic posted September 29, 2016 by Willie EideGold Trophy: 10,000+ Points, last edited February 21, 2017 
    12258 Views, 62 Comments
    Title:
    TLS 1.0 Announcement - Informing Your End Users
    Content:

    Announcement:

    With the upcoming disablement of TLS 1.0 protocol for Oracle Service Cloud (see CX Answer https://cx.rightnow.com/app/answers/detail/a_id/8576) this change, depending on your end user’s browser, may result in them receiving an error message stating that the browser they are currently using needs to support at least TLS 1.1.



    This, in the very basic form, would be confusing to most end users especially during a time when they are accessing your support site for a means to solve a particular issue. If your end users do not upgrade their browser, they will not be able to access your customer portal pages.



    The code snippet below works for CPv3 users. We are currently looking at solutions for CPv2 users.



    Therefore, the Customer Portal development team proposes that starting immediately, you modify customer/development/views/ templates/standard.php and place this code snippet (found below) at the bottom of the template file. This is needed in order to proactively address this situation before it becomes an issue. 



     



    DISCLAIMER: THE CODE SNIPPET IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. THIS CODE IS NOT SUPPORTED BY ORACLE WHEREAS TECHNICAL SUPPORT IS NOT RESPONSIBLE FOR ENSURING IT WORKS ON YOUR MACHINE.



     



    Background:

    TLS 1.0 protocol is known to be vulnerable to attacks and is widely considered to be an obsolete encryption method. Aside from Oracle, The Payment Card Industry Security Standards Council (PCI SSC) and the National Institute of Standards and Technology (NIST)  recommends transitioning from SSL and TLS 1.0 to a secure version of  TLS (currently v1.1 or higher).



    Additional information about TLS can be found under the "General Product Discussion" forum at https://cloudcustomerconnect.oracle.com/posts/302950cd55



    Support for TLS protocol version 1.0 will be disabled in the Oracle Service Cloud production environments on the following dates:

    - PCI Environment: on January 31st, 2017.

    - Non PCI Environment: on May 2 - June 20th, 2017*.



    *TLS 1.0 will be shut down in Non PCI environments on a phased approach starting May 2nd and ending on June 20th, 2017.  All Customer Administrators will be individually notified on the specific date when their site(s) will be disabled from TLS 1.0 protocol.

    Version:
    All versions of Customer Portal
    Code Snippet:

    Comment

    • Kim Dante

      Added this code to standard PHP in development and it does nothing to my CP pages.  What am I missing?

       

    • Willie Eide

      Are you looking at it in development mode? Have you pushed your page to staging/production?

    • Kim Dante

      I am looking in development.  I have not pushed to prod yet.  Does this message only show if you have an older browser?

    • Willie Eide

      Oh. Yeah. That is true. I was assuming that your browser was not compliant.
      It will only display the banner if you do not have the capability to have TLS 1.1 or above
      See my attached image for more details
       

      62500tls.png (120KB)
    • Ryan Schofield

      I need some help getting this to work. Does it matter where in the php file I put the code? I tried at the end of the header and at the end of the body. I also tried IE and modified the settings to only use TLS 1.0. I was viewing my site in development area. Nothing happens differently.

    • Willie Eide

      Seems to be a number of questions about this.
      I am going to head back to the drawing board and check out a new site and apply the changes per the instructions above as I have them written to make sure I didn't forget a step or two. 

    • Frankie Bolanos

      Is there an update to this?  What file do you recommend I put this into?

    • Kim Dante

      Thanks,  I tested with tls1.0 only browser and saw the message on the top of the screen.

    • Willie Eide
      Ryan Schofield said:

      I need some help getting this to work. Does it matter where in the php file I put the code? I tried at the end of the header and at the end of the body. I also tried IE and modified the settings to only use TLS 1.0. I was viewing my site in development area. Nothing happens differently.

      View original

      Ryan,
      There are many places where you can place the code snippet. I just completed an example where I placed it at the end of my standard.php file below the </body> tag and above the </html> tag. I then unchecked TLS 1.1 and 1.2 on the Internet Options Advanced tab and reloaded my page (in development mode) and saw the banner located at the top of the page. 

      If you are not able to get this to work, feel free to send me a PM with a screenshot. Thank you.

    • Marcus Zoeller

      Willie, can you expand on what will happen after the shut-off date? You say:

      ...may result in them receiving a blank page or possibly an error message stating that the browser they are currently using needs to support at least TLS 1.1.

      Is there anything we can do to at least give some message to the enduser? Have you had the opportunity to test a site where TLS 1.0 support has already been shut off?

    • Willie Eide

      Yes. There is something that we can do - take the code snippet that is provided in the original post and add it where I had specified (standard.php). If you do this today, then the next 2 (or 6 months depending on if you are hosted on a PCI environment) your users that do not have a compliant browser will be reminded to upgrade/update as necessary. 

      If for whatever reason your end-user does not upgrade/update or if they hit your site after the TLS change happened, then they will likely see this attached message which will direct them to make adjustments to their browser and reload the page. 

      We are simply trying to be proactive in getting the word out about TLS 1.0 and promoting the upgrade/update.

      62519TLS_response.png (56KB)
    • Norbert

      Hello,

      I was able to test this piece code and it is working. Here is how I did the test (in detail if needed).

      • open IE (I have used IE11)
      • on top right corner click on gear icon
      • select internet options
      • in the pop-up window, select advanced tab
      • scroll the list of option till you reach Security section and search for TLS
      • unselect all except TLS1.0 (be sure it is selected and only this one)
      • apply your changes
      • now go to your web site where the piece of code from Willie has been implemented. For me I have added between </BODY> and </HTML>
      • Once you will reach the page you should have a single line on top of the page with red font saying  "Your browser lacks certain basic security requirements, You should upgrade your browser to the latest version."

      Be sure to revert your configuration in IE and unselect TLS 1.0

      For me the message is useless for any user (even for me, we should have something more detailed on what's going on), it does not explain what is the problem and further more if someone will reach the web site after TLS1.0 has been disabled he will find a potential blank page so no explanation at all on what's going on. This is weird.

      We are also checking but we may have customers with company configuration that are still using TLS1.0 (old application not compatible with newer browser) and may require their IT to re-image all systems... I hope this will not be the case

      Hope this helps

      Regards

      Norbert

    • Ryan Schofield

      I've got it working now. Changing the location of the script to between </BODY> and </HTML> worked.

      A new question: it appears the code is checking for TLS <1.2, yet the point of this is that TLS 1.0 is being depracated. So technically TLS 1.1 is still supported, right? I figure it's easy enough to change it to check TLS <1.1 but wondering why that wasn't done initially.

    • Willie Eide

      Good catch. I have no answer as to why its checking for < 1.2 as opposed to < 1.1
      Code snippet changed.

    • CKirby

      I have added the above code between the </body> and </html> in the \euf\development\views\templates file.  Unchecked Use TLS 1.1 and Use TLS 1.2 in IE 11.  Logged into the Development Area and the message does not appear.  What have I missed?

    community forum