What is happening
We are beginning the transition off TLS v1.0/v1.1 with a target End of Life Support date next year, July 31, 2021. Between now and then a number of important changes will be made to the Heroku Platform, including:
- Disabling TLS v1.0/v1.1 by default on new Private Space apps, effective June 25, 2020
- Disabling TLS v1.0/v1.1 by default on all new Heroku apps, effective later this year, 2020
- Deprecating the Heroku SSL Endpoint feature. No new SSL Endpoints can be created after 12/31/20
- Blocking all TLS v1.0/v1.1 traffic on Private Spaces. Target date next year, July 31, 2021
- Blocking all TLS v1.0/v1.1 traffic on all Heroku apps. Target date next year, July 31, 2021
- Completing the migration of all SSL Endpoints to use built-in platform TLS features. Target date next year, July 31, 2021
The effect of disabling by default is that TLS v1.0/v1.1 requests will be blocked from reaching your application.
Being able to block TLS v1.0/v1.1 removes the last remaining use cases for Heroku SSL Endpoints, which will also have an End of Life Support date next year, July 31, 2021.
What I need to know
We recently changed the ciphers used on all new Heroku apps deployed in Private Spaces to support only TLS v1.2 or greater (TLS v1.2+). With this change you may, if you wish, begin migrating all existing Private Space apps to TLS v1.2+ so that they will be unaffected when we block all TLS v1.0/v1.1 traffic. Details on how to do this are in the Routing in Private Spaces Dev Center Article (SSL Security Section).
Later this year we will make a similar change to the default ciphers for all new Heroku apps. We will also offer the ability for you to re-configure your existing Heroku apps to use TLS v1.2+. You may wish to begin migrating these apps to TLS v1.2+ at that time as well.
These updates to Heroku and Heroku Private Spaces, together with other improvements (i.e. multi-SNI support) to our Automated Certificate Manager (ACM), replace all use cases for SSL Endpoints. As a result, we will also End of Life SSL Endpoints concurrent with the EoL of TLS v1.0/v1.1 Support on July 31, 2021. No new SSL Endpoints may be created after December 31, 2020.
End of Life Schedule and Dates to Remember
|Date|Status|Item|Details|
|---|---|---|---|
|6/25/2020|Complete|All New Private Space Apps|TLS v1.2+ default|
|6/25/2020 through 7/31/2021|In Progress| |Migrate from TLS v1.0/v1.1 to v1.2+|
|Late 2020|Planned|All New Heroku apps to use TLS v1.2+ cipher suite|TLS v1.2+ default|
|Late 2020 through 7/31/2021|Planned|Customer reconfigurable Apps|Migrate existing apps from TLS v1.0/v1.1 to v1.2+|
|Jan 2021|Planned|Deprecate SSL Endpoints|Built-in platform function. No longer necessary.|
|June through July 2021|Planned|Automatic Migration of apps to|Preparation for July 31 EoL|
|7/31/2021|Planned|TLS v1.0/v1.1|End of Life|
|7/31/2021|Planned|SSL Endpoints|End of Life|
If you run apps in a Private Space, we ask that you change the TLS cipher on your apps to enable the spaces-tls-salesforce cipher suite by executing the following commands:
heroku features:disable spaces-strict-tls --app your-app
heroku features:disable spaces-tls-legacy --app your-app
heroku features:disable spaces-tls-modern --app your-app
heroku features:disable spaces-tls-strict --app your-app
heroku features:enable spaces-tls-salesforce --app your-app
More details, as well as additional cipher suite options, are described in the Routing in Private Spaces Dev Center Article. You can perform this task at any time between now and the End of Life in July 2021. Approximately 60 days in advance of that date we will begin automatically migrating all remaining apps to the
If you want a new Private Spaces app to allow TLS v1.0/v1.1, you will have to explicitly enable it as described in the Dev Center Article. However, even these apps will be migrated to use the v1.2 ciphers when we End of Life TLS v1.0/v1.1 next July.
For Heroku apps not in Private Spaces, later in 2020 you will receive an additional notice that you may begin to migrate your apps to use new ciphers as well.
For apps with old clients that only support TLS v1.0/v1.1, an upcoming Knowledge Base article will provide details on how to configure an SSL proxy so they can continue to access your apps.