What is happening
We are beginning the transition off TLS v1.0/v1.1 with a target End of Life Support date next year, July 31, 2021. Between now and then a number of important changes will be made to the Heroku Platform, including:
- Disabling TLS v1.0/v1.1 by default on new Private Space apps, effective June 25, 2020
- Disabling TLS v1.0/v1.1 by default on all new Heroku apps, effective spring 2021
- Deprecating the Heroku SSL Endpoint feature. Creating new SSL Endpoints will be disabled in fall 2021, when a different option for specifying TLS 1.2+ is available
- Blocking all TLS v1.0/v1.1 traffic on both Private Spaces and Common Runtime apps. TLS 1.2+ will be enforced beginning July 31, 2021.
- Completing the migration of all SSL Endpoints to use built-in platform TLS features. Target date next year, October 2021
After July 31st, 2021 clients can only connect to Heroku apps using TLS 1.2+. Clients that only support TLS 1.0 or 1.1 won't be able to connect.
Being able to block TLS v1.0/v1.1 removes the last remaining use cases for Heroku SSL Endpoints, which will also have an End of Life Support date in the fall of next year.
What I need to know
We recently changed the ciphers used on all new Heroku apps deployed in Private Spaces to support only TLS v1.2 or greater (TLS v1.2+). With this change you may, if you wish, begin migrating all existing Private Space apps to TLS v1.2+ so that they will be unaffected when we block all TLS v1.0/v1.1 traffic. Details on how to do this are in the Routing in Private Spaces Dev Center Article (SSL Security Section).
In spring 2021 we will make a similar change to the default ciphers for all new Heroku apps. We will also offer the ability for you to re-configure your existing Heroku apps to use TLS v1.2+. You may wish to begin migrating these apps to TLS v1.2+ at that time as well.
These updates to Heroku and Heroku Private Spaces, together with other improvements (i.e. multi-SNI support) to our Automated Certificate Manager (ACM), replace all use cases for SSL Endpoints. As a result, we will also End of Life SSL Endpoints following the EoL of TLS v1.0/v1.1 Support on July 31, 2021.
End of Life Schedule and Dates to Remember
| Date | Status | Scope | Change |
|---|---|---|---|
| 6/25/2020 | Complete | All New Private Space Apps | TLS v1.2+ default |
| 6/25/2020 through 7/31/2021 | Complete | | Migrate from TLS v1.0/v1.1 to v1.2+ |
| Spring 2021 | Planned | All New Heroku apps to use TLS v1.2+ cipher suite | TLS v1.2+ default |
| Spring 2021 through 7/31/2021 | Planned | Customer reconfigurable Apps | Migrate existing apps from TLS v1.0/v1.1 to v1.2+ |
| Fall 2021 | Planned | Deprecate SSL Endpoints | Built-in platform function. No longer necessary. |
| June through July 2021 | Planned | Automatic Migration of apps to | Preparation for July 31 EoL |
| 7/31/2021 | Planned | TLS v1.0/v1.1 | End of Life |
| 10/30/2021 | Planned | SSL Endpoints | End of Life |
If you run apps in a Private Space, we ask that you change the TLS cipher on your apps to enable the spaces-tls-salesforce cipher suite by executing the following commands:
heroku features:disable spaces-strict-tls --app your-app
heroku features:disable spaces-tls-legacy --app your-app
heroku features:disable spaces-tls-modern --app your-app
heroku features:enable spaces-tls-salesforce --app your-app
More details, as well as additional cipher suite options, are described in the Routing in Private Spaces Dev Center Article. You can perform this task at any time between now and the End of Life in July 2021. Approximately 60 days in advance of that date we will begin automatically migrating all remaining apps to the
If you wish your new Private Spaces app to allow TLS v1.0/v1.1 you will have to explicitly enable it as described in the Dev Center Article. However, even these apps will be migrated to use the v1.2 ciphers when we End of Life TLS v1.0/v1.1 next July.
For Heroku apps not in Private Spaces, in spring 2021 you will receive an additional notice that you may begin to migrate your apps to use new ciphers as well.
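To confirm that an app refuses TLS v1.0/v1.1 and still accepts TLS 1.2+ after the feature changes above, you can probe it one protocol version at a time. The following Python script is an added example, not Heroku's own tooling; the function names and result labels are assumptions made for illustration, and the hostname is the one you pass on the command line.

```python
import socket
import ssl
import warnings

LEGACY = ("TLSv1", "TLSv1_1")    # versions blocked after July 31, 2021
MODERN = ("TLSv1_2", "TLSv1_3")  # "TLS 1.2+"

def pinned_context(version_name):
    """Client context that offers exactly one TLS protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol negotiation is tested and no data is sent, so trust checks are off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # OpenSSL 3 only offers TLS 1.0/1.1 at security level 0; lower it for this probe only.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    with warnings.catch_warnings():  # Python marks the legacy versions as deprecated
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ctx.maximum_version = getattr(ssl.TLSVersion, version_name)
    return ctx

def probe(host, port, version_name, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'unsupported-locally'."""
    try:
        ctx = pinned_context(version_name)
    except (ValueError, ssl.SSLError):
        return "unsupported-locally"  # local OpenSSL build cannot offer this version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except OSError:  # ssl.SSLError is a subclass; covers alerts, resets and timeouts
        return "rejected"
    finally:
        raw.close()

def audit(host, port=443, probe_fn=probe):
    """Probe every version; 'ready' means TLS 1.2+ works and no legacy version does."""
    results = {v: probe_fn(host, port, v) for v in LEGACY + MODERN}
    legacy = [v for v in LEGACY if results[v] == "accepted"]
    modern = any(results[v] == "accepted" for v in MODERN)
    return {"results": results, "legacy_accepted": legacy, "ready": modern and not legacy}

if __name__ == "__main__":
    import sys
    report = audit(sys.argv[1])  # pass your app's hostname as the only argument
    print(report)
```

A result of `unsupported-locally` for a legacy version means the machine running the probe cannot offer that version at all, so repeat the check from a host whose OpenSSL still can before treating the app as migrated.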