Breaking up with TLS 1.0, and How to Handle it

In order to maintain security standards, Salesforce will be breaking up with (i.e. disabling) the TLS 1.0 encryption protocol from being used, and will only allow TLS 1.1 and/or 1.2. Any experienced admin knows that it’s best to review your system earlier rather than later and, while this change won’t be official until 2017, it’s recommended that you start reviewing your system now to prep for this update.

There are 3 different channels that require encryption to access Salesforce:
1. Internet browsers
2. API (inbound) integrations
3. Call-out (outbound) integrations

Internet Browsers

For Internet browsers, your users will experience issues accessing Salesforce if you or they are using non-supported browsers. To test your browser compatibility, click the following link:

If you’re able to view this test site without errors, your access to Salesforce via browser shouldn’t be impacted by this change.

API Integrations

API integrations are interfaces or applications that are separate from Salesforce, but use Salesforce data. A few examples of such are as follows:
• Marketing automation software
• Third-party emailing systems
• Billing software
• DBAmp

If you currently have, or are in the process of setting up, any API integrations, you’ll need to ensure that the TLS 1.1 and/or TLS 1.2 encryption protocols are enabled in those integrations. Details on testing those integrations and reviewing their compatibility can be found here:


Call-outs are integrations where Salesforce refers to an outside source to either verify login credentials, push data, or pull data. Examples of call-outs include:
• Delegated Authentication Single-Sign-On (SSO)
• Outbound messaging
• Apex call-outs

If you use call-out integrations, you will need to ensure that TLS 1.1 and/or TLS 1.2 are enabled in those integrations. A way to test this TLS 1.1 and TLS 1.2 compatibility is to use the Qualsys SSL Labs test site at (if your https endpoints are publicly accessible). In the test results, ensure that TLS 1.1 and/or TLS 1.2 support is reported as working properly.

Furthermore, if you’re using Salesforce for Outlook, you will need to upgrade your version of Salesforce for Outlook to version 3.0.0 (which will be available from early 2016), confirm that your/users’ browsers are compatible, and that all users are moved off from Microsoft Windows Vista.

Lastly, if using the Dataloader, you will need to download the newest Spring ’16 version.

If any of these components turn out to be incompatible, you can refer to the following link to a Salesforce help article that details how to update the components’ settings: