developerforce / Force.com-Toolkit-for-PHP


SoapClient TLS #35

Closed aaronbauman closed 9 years ago

aaronbauman commented 9 years ago

Does SforceBaseClient need to be updated in light of POODLE vulnerability and Salesforce dropping SSL support?

I cannot find any good resource on how to instantiate PHP SoapClient to use only TLS instead of SSL.

metadaddy commented 9 years ago

Salesforce will disable SSL 3.0 according to this schedule. After that time, the SoapClient will negotiate TLS and never use SSL3; in the meantime, the only way I'm aware of to force TLS with PHP SoapClient works with PHP 5.5 and above. You can pass the relevant option to createConnection like this:

$mySforceConnection->createConnection("partner.wsdl", null, array('ssl_method' => SOAP_SSL_METHOD_TLS));

ryanhuff commented 9 years ago

Pat, Salesforce's communication regarding POODLE has been terrible. Maybe you can shed some light. That article refers to turning off SSLv3 for incoming calls. But it doesn't say anything about outgoing web service calls. Vendors like Stripe are already blocking SSLv3 connections for new accounts and will turn it off entirely on Nov 15. There's been no communication about how Salesforce is handling this. Can you clarify?


On Nov 4, 2014, at 4:59 PM, "Pat Patterson" notifications@github.com wrote:

Salesforce will disable SSL 3.0 according to this schedule(https://help.salesforce.com/apex/HTViewSolution?urlname=Salesforce-disabling-SSL-3-0-encryption&language=en_US); in the meantime, the only way I'm aware of to force TLS with PHP SoapClient works with PHP 5.5 and above. You can pass the relevant option to createConnection like this:

$mySforceConnection->createConnection("partner.wsdl", null, array('ssl_method' => SOAP_SSL_METHOD_TLS));


jithendraKoduru commented 9 years ago

Hi Pat, so my understanding is that we don't have to upgrade or install a new version of the PHP Force.com toolkit and the existing SoapClient will automatically switch over to TLS after Salesforce disables SSL 3.0. Please correct me if my understanding is wrong.

aaronbauman commented 9 years ago

I set up a simple PHP SoapServer script on a machine running Apache TLS-only in order to test this hypothesis, and confirmed that PHP SoapClient works seamlessly on HTTPS / TLS under PHP 5.2.

This is to say nothing of forcing TLS from the client instantiation side, but for Salesforce API purposes the cutover in November is sufficient for me.

metadaddy commented 9 years ago

@ryanhuff I completely understand your frustrations. We (developer relations) are preparing a blog post that will explain the situation in much more detail than previous communications, which have been more user/admin focused. Watch for it at https://developer.salesforce.com/blogs/

@jithendraKoduru You are correct.

@aaronbauman Thanks for the confirmation. I tested the ssl_method option and it looks like it does restrict the protocol negotiation to TLS.

jithendraKoduru commented 8 years ago

Hi Pat, now that Salesforce would be disabling TLS 1.0 in 2016, would the SoapClient in the PHP developer toolkit automatically negotiate TLS 1.1 or higher when making inbound calls to Salesforce, or do we have to upgrade the toolkit?

metadaddy commented 8 years ago

@jithendraKoduru Yes - the TLS negotiation is a feature of PHP/OpenSSL, not directly under the control of the toolkit. If your PHP deployment currently supports TLS1.1, then I'm pretty sure it's already negotiating 1.1 in preference to 1.0, and will continue to run unchanged when we turn off 1.0.

You can use phpinfo to see what version of OpenSSL PHP is using, and from there figure out whether it has TLS1.1:

phpinfo.php:

<?php
phpinfo();
?>

Example output (in curl section):

SSL Version OpenSSL/1.0.1q

You'll need OpenSSL 1.0.1 or higher for TLS1.1.
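The two checks discussed in this thread (forcing TLS via the `ssl_method` option in the earlier comment, and confirming that the PHP/OpenSSL build can speak TLS 1.1 or higher in this one) can be combined in one script. The following is an added example, not code from the toolkit or from any commenter. It assumes the `createConnection($wsdl, $proxy, $soap_options)` signature shown earlier in the thread, and that SoapClient honours the `crypto_method` setting of a `stream_context` passed in its options (PHP 5.6+); `checkTlsSupport()` and `tlsOnlySoapOptions()` are names chosen here.

```php
<?php
// Added example: verify this PHP build's TLS capability and build SoapClient
// options that refuse SSLv2/SSLv3 (and, where supported, TLS 1.0).

/**
 * Report what this PHP build can negotiate, using the same information that
 * phpinfo() shows, but from a script. Returns an array of findings.
 */
function checkTlsSupport()
{
    $report = array(
        'openssl'          => OPENSSL_VERSION_TEXT,
        // OPENSSL_VERSION_NUMBER is 0xMNNFFPPS; 1.0.1 is 0x1000100f and is the
        // first release with TLS 1.1 / 1.2 (see the comment above).
        'tls11_in_openssl' => OPENSSL_VERSION_NUMBER >= 0x1000100f,
        // PHP 5.5 added the SoapClient 'ssl_method' option and this constant.
        'soap_ssl_method'  => defined('SOAP_SSL_METHOD_TLS'),
        // PHP 5.6 added per-version crypto_method constants for stream contexts.
        'stream_tls11'     => defined('STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT'),
    );
    return $report;
}

/**
 * Build the $soap_options array to hand to createConnection().
 * Falls back gracefully on older PHP builds instead of failing silently.
 */
function tlsOnlySoapOptions()
{
    $options = array();

    if (defined('SOAP_SSL_METHOD_TLS')) {
        // Never negotiate SSLv2/SSLv3 (the POODLE-affected protocol).
        $options['ssl_method'] = SOAP_SSL_METHOD_TLS;
    } else {
        trigger_error('PHP < 5.5: cannot force TLS via ssl_method', E_USER_WARNING);
    }

    if (defined('STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT')) {
        // Restrict the transport to TLS 1.1+ and keep certificate checks on.
        $options['stream_context'] = stream_context_create(array(
            'ssl' => array(
                'crypto_method'    => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT
                                    | STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
                'verify_peer'      => true,
                'verify_peer_name' => true,
            ),
        ));
    }

    return $options;
}

foreach (checkTlsSupport() as $key => $value) {
    printf("%-18s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}

// With the toolkit loaded ($mySforceConnection = new SforcePartnerClient();):
// $mySforceConnection->createConnection("partner.wsdl", null, tlsOnlySoapOptions());
```

Running the script on the server that hosts the integration shows whether the build will still connect once TLS 1.0 is disabled: `tls11_in_openssl` must be `yes`, and if `stream_tls11` is `no` the `crypto_method` restriction is simply not applied and negotiation is left to OpenSSL as described above.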

albertocubeddu commented 8 years ago

Seems that it is not automatically updating. I will debug tomorrow and if I find a solution I'll post it here :)

MeuhMeuh commented 7 years ago

@albertocubeddu any update? :)