TLS v1.0/v1.1 End Of Life Schedule

What is happening

We are beginning the transition off TLS v1.0/v1.1 with a target End of Life Support date next year, July 31, 2021. Between now and then a number of important changes will be made to the Heroku Platform, including:

  1. Disabling by default, TLS v1.0/v1.1 on new Private Space apps, effective June 25, 2020
  2. Disabling by default, TLS v1.0/v1.1 on all new Heroku apps, effective spring 2021
  3. Deprecate the Heroku SSL Endpoint feature. Creating new SSL Endpoints will be disabled in fall 2021 when a different option for specifying TLS 1.2+ is available
  4. Blocking all TLS v1.0/v.1.1 traffic on both Private Spaces and Common Runtime apps. TLS 1.2+ will be enforced beginning July 31, 2021.
  5. Complete migration of all SSL Endpoints to use built-in platform TLS features. Target date next year, October 2021

After July 31st, 2021 clients can only connect to Heroku apps using TLS 1.2+. Clients that only support TLS 1.0 or 1.1 won't be able to connect.

Being able to block TLS v1.0/v1.1 removes last remaining use cases for Heroku SSL Endpoints, which will also have an End of Life Support date next fall of next year.

What I need to know

We recently changed the ciphers used on all new Heroku apps deployed in Private Spaces to support only TLS v1.2, or greater (TLS v1.2+). With this change you may, if you wish, begin the migration of all existing Private Space apps to use TLS v1.2+ so that they will be unaffected when we will block all TLS v1.0/v1.1 traffic. Details on how to do this are in the Routing in Private Spaces Dev Center Article (SSL Security Section).

In spring 2021 we will make a similar change to the default ciphers for all new Heroku apps. We will also offer the ability for you to re-configure your existing Heroku apps to use TLS v1.2+. You may wish to begin migrating these apps to TLS v1.2+ at that time as well.

These updates to Heroku and Heroku Private Spaces, together with other improvements (i.e. multi-SNI support) to our Automated Certificate Manager (ACM) replaces all use cases for SSL Endpoints, and as a result, we will also End of Life SSL Endpoints following the EoL of TLS v1.0/v1.1 Support on July 31, 2021.

End of Life Schedule and Dates to Remember

Target Date Status Feature/Offering Notes/Comments
6/25/2020 Complete All New Private Space Apps TLS v1.2+ default
6/25/2020 through 7/31/2021 Complete spaces-tls-salesforce cipher suite available Migrate from TLS v1.0/v1.1 to v1.2+
Spring 2021 Planned All New Heroku apps to use TLS v1.2+ cipher suite TLS v1.2+ default
Spring 2021 through 7/31/2021 Planned Customer reconfigurable Apps Migrate existing apps from TLS v1.0/v1.1 to v1.2+
Fall 2021 Planned Deprecate SSL Endpoints Build in Platform function. No longer necessary.
June through July 2021 Planned Automatic Migration of apps to spaces-tls-salesforce cipher suite Preparation for July 31 EoL
7/31/2021 Planned TLS v1.0/v1.1 End of Life
10/30/2021 Planned SSL Endpoints End of Life

If you run apps in a Private Space we ask that you change the TLS cipher on your apps to enable the spaces-tls-salesforce cipher suite by executing the following commands:

heroku features:disable spaces-strict-tls --app your-app
heroku features:disable spaces-tls-legacy --app your-app
heroku features:disable spaces-tls-modern --app your-app
heroku features:enable spaces-tls-salesforce —app your-app

More details, as well as addition cipher suite options are described in the Routing in Private Spaces Dev Center Article. You can perform this task at any time between now and the End of Life in July 2021. Approximately 60 days in advance of that date we will begin automatically migrating all remaining apps to the spaces-tls-salesforce ciphers.

If you wish your new Private Spaces app to allow TLS v1.0/v1.1 you will have to explicitly enable it as described in the Dev Center Article. However, even these apps will be migrated to use the v1.2 ciphers when we End of Life TLS v1.0/v1.1 next July.

For Heroku apps not in Private Spaces, in spring 2021 you will receive an additional notice that you may begin to migrate your apps to use new ciphers as well.

Ask on Stack Overflow

Engage with a community of passionate experts to get the answers you need

Ask on Stack Overflow

Heroku Support

Create a support ticket and our support experts will get back to you

Contact Heroku Support