support for TLS1.1 or TLS1.2 in node proxies (required for connecting to Salesforce)


Salesforce recently changed their SSL requirements for clients connecting to the platform:

https://help.salesforce.com/HTViewSolution?id=000221207&language=en_US

This change caused the Apigee proxy to stop working, returning the message “To access this website, update your web browser or upgrade your operating system to support TLS 1.1 or TLS 1.2.”

I can reproduce this error locally by using Java 1.6 and Trireme. It works fine locally with Java 1.8 and Trireme or with the native Node.js app.

How can we ensure Apigee Edge uses TLS1.1 or TLS1.2 in node.js proxies when connecting to Salesforce?

1 ACCEPTED SOLUTION

adas
Participant V

@Bart Geens Trireme uses Java's SSL Engine for SSL/TLS handling. Currently in our cloud we are running Java 7, and Java 7 disables TLS 1.1 and 1.2 for clients. That's the reason you see it working with Java 8. To work around this problem, you could try forcing your node.js app to set TLS 1.2. You could do something like this:

var request = require('request').defaults(
        {
                timeout: 30000,
                agentOptions: {
                        secureProtocol: 'TLSv1.2',
                }
        }
);

This would force your requests to use TLSv1.2 and should fix your issue. Let me know if this works.


2 REPLIES

I had the same problem with a common reverse proxy. I fixed it by adding:

<HTTPTargetConnection>
    <Properties/>
    <SSLInfo>
        <Enabled>true</Enabled>
        <Protocols>
            <Protocol>TLSv1.1</Protocol>
            <Protocol>TLSv1.2</Protocol>
        </Protocols>
    </SSLInfo>
    <URL>https://***.salesforce.com/***/***/***/***</URL>
</HTTPTargetConnection>