Notifications

10059 views

Description

ServiceNow is deprecating the use of TLS 1.0 and 1.1. Customers will be required to use TLS 1.2 and above for all communications with their instances.

Impact

Any services that currently rely on TLS 1.1 or older will no longer be available. The two most likely reasons ServiceNow customers see TLS 1.1 traffic or older is due to customer usage of older web browsers, older customized integrations.

Why

Use of TLS 1.2 is a recommended security best practice that provides a higher degree of privacy and data integrity over previous versions and to maintain compliance with the latest industry standards.

When 

We are moving customers in groups, by August 1st all the customers who started using TLS1.2 will have changes made to their VIPs not allowing any TLS1.0/1.1 traffic further. This is done at VIP level effecting both Prod and sub-prod same time. While few customers have exceptions and not want to go on August 1st will be scheduled by end of August. Like  wise we want to complete moving all the customers by end of September 2019 without any exception. Will send notifications to customers having usage on TLS1.1 and lower protocols and work with them.

Required Action

ServiceNow is monitoring customer usage of TLS 1.1 and older in our environment. If you are using anything older than TLS 1.2, you will receive notification from our Customer Support Operations group. Please review this information and update any relevant services to use TLS 1.2 or higher. If you detect usage of these older protocols, please ensure that the personnel within your company are using a modern, updated web browser and review any custom integrations that your instance is using.

Open a case ticket with our Customer Support team with a subject of Deprecation of TLS 1.1 and 1.0 if you require assistance or further details regarding this matter.

ServiceNow encourages customers to configure their client systems to restrict traffic to only allow TLS 1.2 or higher.

If you have additional questions, please contact ServiceNow Global Technical Support team at http://www.servicenow.com/support/contact-support.html.

 

FAQ

1. To whom is this Communication Directed to? And what is the intent?

The intention of this communication is to notify all customers that ServiceNow would stop accepting connections from any sources that use TLS 1.1 or lower versions and only be available to connect over TLS 1.2 or higher versions. 

2. When is the change going through?

We want to move all customers away from TLS1.0/1.1 protocols by the end of September 2019. We will send notifications to customers having usage on these protocols and schedule their instances to disable TLS1.0/1.1 protocols.

3. What all areas are impacted on the Instance by the TLS Deprecation?

The main source of TLS versions can be the internet browsers your users use and any integrations (Rest endpoints, Mail Servers, MID Servers, etc) into your ServiceNow instance. If any of those are using older TLS version and its deprecated on ServiceNow then those browsers/integrations won't be able to connect to the instance.

4. How can customers track whether they are impacted by it or not? How can ServiceNow help on the same?

The customer can only check it internally if there are any integrations or browsers using older versions if not then there is no way for the customer to check the same on the ServiceNow instance. ServiceNow is monitoring customer usage of TLS 1.1 and older in our environment. If you are using anything older than TLS 1.2, you will receive a notification from our Customer Support Operations.

5. What action do customers need to take?

While ServiceNow is working to identify the potentially impacted customers, please make sure that the browsers your users are using are up-to-date. Most of the industry standard browsers (like Chrome, IE, Firefox, Safari) use up-to-date TLS versions. Have an assessment in place to have your stakeholders use up-to-date TLS versions. Reach out to your integration partners and make sure they are using TLS 1.2 or a higher version.

6. Is customer supposed to deprecate TLS 1.1 or lower? Or will TLSv1.2 or above will work with older versions?

No, do not need to disable TLS 1.1 or older if you already have TLSv1.2 enabled on your browsers and integrations. However, ServiceNow will only use TLS 1.2 or higher to establish communication.

7. Why ServiceNow is enforcing TLS 1.2?

The reason we are enforcing TLS 1.2 is that it is a recommended security best practice that provides a higher degree of privacy and data integrity over previous versions.

8. How to determine what types of TLS and SSL are supported momentarily?

The easiest way to determine what types of TLS and SSL are supported momentarily is using a test provided on the "SSL Labs" WebSite:
https://www.ssllabs.com/ssltest/analyze.html?d=hi.service-now.com&latest 

9. How to check what TLS version is running on your browser?

By following the below steps in the browser we can find out with what TLS version the browser is communicating with the instances in Chrome. 

More tools->Developer Tools->security tab -> Under security connection settings.

(example: The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.)

  • If you are running an older browser, you need to enable the browser's TLS 1.2 protocols to help with page viewing. For instructions on how to enable these protocols in your older browsers, check the list below:

Microsoft Internet Explorer

  1. Open Internet Explorer
  2. From the menu bar, click Tools > Internet Options > Advanced tab
  3. Scroll down to the Security category, manually check the option box for Use TLS 1.2
  4. Click OK
  5. Restart Internet Explorer

Microsoft Edge

  1. In the Windows menu search box, type Internet options.
  2. Under Best match, click Internet Options.
  3. In the Internet Properties window, on the Advanced tab, scroll down to the Security section
  4. Check Use TLS 1.2 checkboxes.
  5. Click OK.
  6. Restart the Microsoft Edge browser.

Google Chrome

  1. Press Alt + F and select Settings
  2. Scroll down and select Show advanced settings...
  3. Scroll down to the Network section and click on Change proxy settings...
  4. Select the Advanced tab
  5. Scroll down to the Security category, manually select the check boxes for Use TLS 1.2
  6. Click OK
  7. Restart Google Chrome

Mozilla Firefox

  1. In the address bar, type about:config and press Enter
  2. In the Search field, enter tls. Find and double-click the entry for security.tls.version.min
  3. Set the integer value to 2 to force protocol of TLS 1.2
  4. Click OK
  5. Restart Mozilla Firefox

Opera

  1. Press Ctrl + F12
  2. Scroll down to the Network section and click on Change proxy settings...
  3. Select the Advanced tab
  4. Scroll down to Security category, manually check the option box for Use TLS 1.2
  5. Click OK
  6. Restart Opera


Apple Safari

There are no options for enabling SSL protocols. If you are using Safari version 7 or newer, TLS 1.1 and TLS 1.2 are automatically enabled.

 

 

Article Information

Last Updated:2019-07-10 12:05:30
Published:2019-07-10