Ryan O Shopify Employee
Posts:
233
Last edited 6 months ago
1 upvote

Shopify is Deprecating its Support of TLS 1.0 and 1.1

Update June 1st 5:10pm EDT

Update; We will be extending the deadline, TLS 1.0 and 1.1 should be able to connect again.  I will share more information when I have a specific date.  However, this date will be before June 30th 2018, as that is the global deprecation date, after which you will not be PCI Compliant.

The extended deadline is June 20th, 2018. 

Hey All,

 

As part of our commitment to providing a safe and secure platform, as of May 31, 2018, Shopify will be halting support for outdated TLS 1.0 and 1.1 security protocols.

Why is Shopify making this change?

This update is being made in accordance with new regulations set by the Payment Card Industry Data Security Standard (PCI). To read the official statement from PCI on TLS 1.0, click here.

What action am I required to make?

In order for your app to continue to function on Shopify, you will need to ensure that your applications are able to connect with our APIs using TLS 1.2. If your app only supports TLS 1.0 or 1.1, you will need to upgrade it to 1.2 by May 31st, 2018.

If you have any questions about this change, please read our Help Center page or contact apps@shopify.com

 

Thanks,

Shopify Apps Team

Replies
Posts:
40
7 months ago

No problem, but short notice. You might want to email partners directly on this.

Posts:
2
7 months ago
1 upvote

I'm with Jack. We will need more time to make sure our customers are compliant with this.

Posts:
100
7 months ago

@Jack @Paul: There is a subscribe button in the API Changes forum. Once you're subscribed you'll receive a mail whenever there are any updates: https://ecommerce.shopify.com/c/api-announcements/t/api-announcements-forum-subscribe-to-stay-up-to-date-about-the-api-186201

 

 

Ryan O Shopify Employee
Posts:
233
Last edited 7 months ago

Thanks for the feedback Jack, there are already e-mails scheduled to go out in conjunction with this post.

 

Paul, this is also being communicated to merchants, so they should be aware as well.

Naren Member
Posts:
32
7 months ago
5

@Ryan

Given the short notice, can Shopify provide a test endpoint that only supports TLS1.2 so app developers can test against it for compliance before the deadline? The test endpoint can reply back whether the connection is TLS1.2 compliant or not.

Otherwise quite a bit of scrambling will happen on the cutover date which can be avoided by allowing app developers to test ahead of time.

I think it is a fair request. Ideally the test endpoint should not require any api permissions to connect.

 

 

Ryan O Shopify Employee
Posts:
233
7 months ago

Hi Naren,

Thanks for the request, the team will look into the feasibility of this.  There are however plenty of tools and resources available for testing TLS 1.2 outside of the Shopify domain.

Cheers,

Ryan

Naren Member
Posts:
32
7 months ago

Thanks to the apps team for looking into providing a test endpoint. That would be the best option for developers to be 100% sure of compliance ahead of the deadline.

In the meantime, please share some of the tools outside of Shopify domain to test TLS 1.2 compliance that you mentioned in your reply. It will be useful for anyone following this thread.

Ryan O Shopify Employee
Posts:
233
7 months ago

One great tool is https://www.ssllabs.com/ssltest/ for testing your web server.  If you prefer to run your scans locally there are great open source tools such as https://github.com/prbinu/tls-scan.  Many more are available if these don't fit your specific case, just a quick search away!

Naren Member
Posts:
32
7 months ago

@Ryan

You wrote on this thread 2 weeks back that the apps team is looking into providing a test API endpoint for app developers to test TLS 1.2.

Can you update us when it will be available so we can conduct our final tests against the test endpoint before the deadline at the end of this month?

Ryan O Shopify Employee
Posts:
233
7 months ago

Hi Naren,

The team will not be providing an endpoint to test against before the deadline.  It is recommended to check into using some of the many free tools and guides available online for free.

 

Ryan

Naren Member
Posts:
32
Last edited 7 months ago
1 upvote

Thanks for letting us know.

Ryan O Shopify Employee
Posts:
233
6 months ago

These changes are now live.

Cheers!

Posts:
618
6 months ago

We stopped receiving all webhooks since the change went live.

We can still call the REST API fine.

We support TLS 1.2  connection so I don't understand what's going on.

Posts:
618
6 months ago

Is this change impacting webhooks?

Posts:
19
6 months ago

Same here; I'm running with TLS 1.2 and my webhooks stopped arriving yesterday.

Posts:
618
6 months ago

This post is saying HTTP webhooks will be removed on Jan 1st 2019 so I would think this is not related to this change.

https://ecommerce.shopify.com/c/api-announcements/t/http-webhooks-being-removed-509969

Posts:
1
6 months ago

My webhooks have stopped working as well. Been fine for the last 12 months. The rest of the app (pos embedded, carrier shipping service etc) is working fine.

I ran ssllabs.com against my app and it gave me an A. It says I'm only talking on TLS1.2.

Frank Member
Posts:
4
6 months ago

I have multiple sites with non-working webhooks too. Also confirmed that we're using TLS 1.2.

Ryan O Shopify Employee
Posts:
233
6 months ago

Looking into this.

Posts:
14
6 months ago

Same here.. webhooks have stopped working (already converted all to HTTPS)..

 

Posts:
1
6 months ago

Using TLS1.2 and all webhooks failing here. What is going wrong here? Lots of helpdesk calls from our customers unfortunately. Please let us know what to do.

Ryan O Shopify Employee
Posts:
233
6 months ago

Quick update: Webhook issues are unrelated to TLS changes.  We are actively working on a fix!

Posts:
14
6 months ago

Are all webhooks still intact, just not firing?

Ryan O Shopify Employee
Posts:
233
Last edited 6 months ago
1 upvote

The webhooks are intact, the delivery is just failing.  Once the delivery issue is resolved they should continue the normal webhook retry logic over the next few days.

 

Posts:
14
6 months ago

Thank you Ryan.

Joel Aiken Member
Posts:
3
6 months ago

It is now June 1st 3:45PM Eastern time.

My API requests have been failing since 12:35PM on 5-31-18 and are still failing now.

My WebHooks stopped working at 10:23 PM 5-31-18 and started working again at 11:00 AM 6-1-18.

I need the API request to work.  Nothing wrong with my server. 

Joel Aiken   

 

Ryan O Shopify Employee
Posts:
233
6 months ago

Webhook issue was unrelated and has been fixed.

TLS deprecation would deny any API requests made using TLS 1.0 or 1.1.

 

If you are still having issues after fixing these, please reach out to support.

Ryan O Shopify Employee
Posts:
233
6 months ago
1 upvote

Update; We will be extending the deadline, TLS 1.0 and 1.1 should be able to connect again.  I will share more information when I have a specific date.  However, this date will be before June 30th 2018, as that is the global deprecation date, after which you will not be PCI Compliant.

Posts:
31
6 months ago
1 upvote

Hi Ryan,

Just spent the last 30 hours figuring out what to say to all the merchants using our app who were relying on the app for their ad campaigns. After many hours of reading log files and hours of debugging I realized the TLS deprecation was causing our app to be broken.

So, I checked my emails to understand how I could have missed this.

All I have is an email from March 5th "Shopify is deprecating its support of TLS 1.0 and 1.1".

I missed it or failed to understand the importance of it from the title. Is it correct to say only one email was sent out about this breaking change? An email that is not marked as important. An email that does not indicate in its title that it concerns a breaking change with very large impact?  

I also wonder why no follow up emails were sent (I don't see any in my mailbox, did I miss those?). It would have been super helpful to those app developers who were not yet compliant.

Finally, when you introduce this type of change and you're unable (which I don't think is the case here) to rule out that partners have missed it, could you at least inform your support team? I contacted them as soon as the problem hit and they had no clue what was causing the API calls to fail. If they had been aware of the deprecation and the impact it could have that could have saved me and my merchants a lot of money and frustration.

It would be very much appreciated if important updates like that would be better communicated to app developers. How about a clear warning message in the partner dashboard? It's unlikely a partner will miss messages in the dashboard, we use it all the time. On the other hand, we all get hundreds of emails per day, sometimes we miss some. It's quite frustrating when a partner's business is hurt because they missed one email among thousands.

Best regards,

Bart

Kanika Member
Posts:
6
6 months ago

Hi Ryan, Thank you for extending the deadline.

My app-url was TLS 1.2 compliant (as tested on ssllabs), but still most of the functionality stopped after your change and started again after you reverted the changes. So meanwhile we just want to make changes and verify the actual reason that affected the functionality. So could you suggest some means to verify the compliance of our website with these changes before you actually go Live with them; such that my website will be prepared for your changes.

Kanika

Ryan O Shopify Employee
Posts:
233
6 months ago

Thanks for the feedback everyone.  The extended deadline is June 20th, 2018. 

Posts:
86
Last edited 6 months ago
1 upvote

Hey guys,

Just thought I'd share a site here for testing whether your app supports TLS 1.2: https://www.howsmyssl.com/s/api.html

They have an endpoint where you make a GET request to and it will return your TLS version in the response.

If you're using Python, you can run the code samples here with the `requests` package or the built-in `urllib` module: https://www.calazan.com/how-to-check-if-your-python-app-supports-tls-12/

Hope that helps!

Kanika Member
Posts:
6
6 months ago

Hi, It's 20th June.

Are these Changes LIVE now?

Ryan O Shopify Employee
Posts:
233
6 months ago

Yes they are.

Kanika Member
Posts:
6
6 months ago

Thanks for the confirmation, Ryan.

Yo Member
Posts:
11
5 months ago

Hello,

We are using mobile buy sdk version 2.0.0 for android. The app has stopped working on some mobile phones. It cannot retrieve products. Has anyone fixed it?

Posts:
38
Last edited 5 months ago

My old code

$orders = json_decode(file_get_contents('https://user:pass@shop.myshopify.com/admin/orders.json'), true);

now throws this error:

Warning: file_get_contents(): SSL: Connection reset by peer in /xxx/scripts/xxx.php on line 20

Warning: file_get_contents(): Failed to enable crypto in /xxx/scripts/xxx.php on line 20

Warning: file_get_contents(https://...@shop.myshopify.com/admin/orders.json): failed to open stream: operation failed in ...

Could this update be the cause? If yes, how can I fix it?

Freelance developer – http://tomkeysers.be
Ryan O Shopify Employee
Posts:
233
5 months ago
1 upvote

Seems likely.  You would want to make sure you update any libraries to use the latest TLS 1.2 compatible versions.  Also if you are running it from a server, it should be configured to expect TLS 1.2.

Posts:
38
5 months ago

Thanks for your help, Ryan O!

It turned out that the environment of my host was configured to use an old – not TLS1.2 compatible – OpenSSL library. Changed that and it's working again!

Freelance developer – http://tomkeysers.be
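
An added example, not part of the original thread and not Shopify's code: an offline check of which TLS version the local Python/OpenSSL stack offers, relevant to the howsmyssl suggestion and the outdated-OpenSSL diagnosis above. It captures the ClientHello that `ssl` would send through a memory BIO, with no network traffic, and reads the highest protocol version from it; the function names, the `example.invalid` host name and the `LEGACY_HELLO` bytes are constructed for illustration.

```python
import ssl
import struct

TLS_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

# Constructed sample: minimal ClientHello from a TLS 1.0-only client (no extensions).
LEGACY_HELLO = bytes.fromhex(
    "160301002d" "01000029" "0301" + "00" * 32 + "00" "0002002f" "0100")


def local_client_hello(ctx=None):
    """Return the ClientHello record this runtime would send, without network I/O."""
    ctx = ctx or ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a ServerHello
    return outgoing.read()


def max_offered_version(record):
    """Highest known protocol version offered in a ClientHello record."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 9                                   # record header (5) + handshake header (4)
    legacy = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                             # legacy_version + random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    offered = []
    if pos + 2 <= len(record):                # extensions block present
        end = min(len(record), pos + 2 + struct.unpack_from("!H", record, pos)[0])
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 43:                # supported_versions (TLS 1.3 clients)
                body = record[pos + 1:pos + 1 + record[pos]]
                offered = [v for (v,) in struct.iter_unpack("!H", body) if v in TLS_NAMES]
            pos += ext_len
    # Without supported_versions, legacy_version is the client's maximum.
    return max(offered) if offered else legacy


def supports_tls12(ctx=None):
    """True when the local client offers TLS 1.2 or newer."""
    return max_offered_version(local_client_hello(ctx)) >= 0x0303
```

Printing `ssl.OPENSSL_VERSION` next to the result of `supports_tls12()` shows which OpenSSL build the interpreter is actually linked against, which is what turned out to be outdated in the post above.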
yusef Member
Posts:
16
2 months ago

We have been facing this issue for the last 3-4 months, and webhooks are still failing and being removed.

Now we have started getting this error randomly for API requests.

 
