Hi,
We are trying to build the IVR to call Salesforce WS using TLS 1.1. I have added the parameter

-Dhttps.protocols=TLSv1.1,TLSv1.2

to the script but it showed me an error.

No WS response - IOException

UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https.

The following command shows that the parameter is added when tomcat is started:

ps aux | grep java

The output is

/opt/java7/bin/java 

-Djava.util.logging.config.file=/usr/local/apache-tomcat-7.0.54/conf/logging.properties 

-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager 

-XX:MaxPermSize=256M 

-Dhttps.protocols=TLSv1.1,TLSv1.2

-Djava.endorsed.dirs=/usr/local/apache-tomcat-7.0.54/endorsed 

-classpath /usr/local/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/local/apache-tomcat-7.0.54/bin/tomcat-juli.jar 

-Dcatalina.base=/usr/local/apache-tomcat-7.0.54 

-Dcatalina.home=/usr/local/apache-tomcat-7.0.54 

-Djava.io.tmpdir=/usr/local/apache-tomcat-7.0.54/temp

org.apache.catalina.startup.Bootstrap start

The environment is Oracle Java 7, Tomcat 7, and OD 7.0.

Thanks for helping.

Best regards,

Chia-Shen

You are talking about outbound connection to Salesforce using Java on Tomcat. You really need to talk to Salesfoce on this one.

Hi,

We wants to know what is needs to be configured in the IVR application server. Salesforece has disabled TLS 1.0 and we need to enable TLS 1.1 or higher on the IVR side.

Thanks.

Best regards,
Chia-Shen

The application server is just a regular Tomcat running OD application. We don't need any particular configuration. You are merely calling the Salesforce app from Tomcat using Java with generic configurations. You would be able get information from Salesforce about doing this. One thing I know about TLS is you probably need Java 7 or above. You can go from here.

The problem here is that Java7 starts with a "ClientHello, TLSv1", which ends in an handshake failure as e.g. SalesFore did not longer support this version. All JAVA properties like -Dhttps.protocols and others did not change that behaviour.

The only option with JAVA7 is to configure the SSLContext with TSLv1.1, as I have done in my own code:

SSLContext context = SSLContext.getInstance("TLSv1.1");

context.init(null,null,null);

httpClient = HttpClientBuilder.create().setDefaultRequestConfig(config).setSslcontext(context).build();

This will end up in a "ClientHello, TLSv1.1" under Java 7 and work with SalesForce.


The question for me is now, can the SSLContext for the OD Rest anywhere overwritten to prevent creating an own REST implementation. If possible - how?

Thanks,
Lothar

You can change the system protocol via code or configuration, and OD REST will use it.