One of our focus areas is continuing to protect your data online. At Xero we take data security extremely seriously, and want to make sure you’re protected.
To further strengthen the security of your sensitive financial data, we’ll be ceasing support for older web browsers using TLS 1.0 from 31 May 2018.
You’ll need to make sure you’re on the latest version of the browser you’re using. Use this handy browser check tool or refer here for details about the WorkflowMax supported browsers. In addition, from 30 June 2018 we will be deprecating the use of TLS 1.0 for any application communicating with any Xero API product, including the WorkflowMax API.
After this date, all applications communicating with Xero products must use TLS 1.1 or above. We recommend applications upgrade to TLS 1.2 as the WorkflowMax API already has support for this.
If you’re using one of our add-ons or our general WorkflowMax API to connect an application to your WorkflowMax account then keep reading for the full details.
What do you need to do?
An upgrade to TLS 1.1 or TLS 1.2 requires changes to the application so that it negotiates the newer versions of TLS. What you’re required to do depends on whether you are using the application, own the source code, or use a third-party library / connector to communicate with the WorkflowMax API.
If you own the application source
Did you build an application which is listed on our website as an add-on? The listing appears in the “add on” section of the Application settings and customers can generate their own keys.
As identified above, the app is generally the instigator of communication with WorkflowMax. When a connection is opened, the client and server negotiate the protocol version and cipher suite during the initial handshake: the client states the highest version it supports, and the server picks the highest version both sides have in common. For the most part this negotiation is buried deep inside the libraries, frameworks and operating system networking stacks that your applications rely on.
While the libraries, frameworks and networking stacks can provide the ability to use the newer versions of TLS, they may still default to offering the older version (TLS 1.0 in this case) and need small code changes in order to offer TLS 1.1 and TLS 1.2.
In order to support these newer versions of TLS, you may need to upgrade entire libraries or frameworks and redeploy the existing app. Please review the Q & A section below, as it may provide additional resources and information to reduce the amount of effort required.
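The negotiation described above is visible on the wire, which is the most reliable way to find out what an app really offers: a packet capture of the ClientHello shows the highest version the client will accept, and the server either picks a common version or fails the handshake. The following is an added example, not WorkflowMax or Xero code. It builds constructed ClientHello messages (not real captures), parses them the way a server does, and applies the server's version-selection rule for an assumed post-cutover server that accepts only TLS 1.1 and TLS 1.2. One caveat it demonstrates: the record-layer version in the first five bytes is usually 0x0301 (TLS 1.0) for compatibility no matter what is negotiated, so a check that reads only the record header will wrongly report TLS 1.0; the handshake's client_version field, or the supported_versions extension for TLS 1.3-capable clients, is what counts.

```python
"""Added example: read the TLS version a client actually offers in its ClientHello
and apply the server's version-selection rule. Messages are constructed inline."""
import struct

TLS10, TLS11, TLS12, TLS13 = (3, 1), (3, 2), (3, 3), (3, 4)
VERSION_NAMES = {TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2", TLS13: "TLS 1.3"}
EXT_SUPPORTED_VERSIONS = 43  # supported_versions extension (RFC 8446)

# Assumed server policy after the cut-over described in this post: TLS 1.1 or above.
SERVER_VERSIONS = [TLS11, TLS12]


def build_client_hello(legacy_version, cipher_suites, supported_versions=None):
    """Build a minimal ClientHello record (constructed test input, not a real capture)."""
    body = bytes(legacy_version) + b"\x00" * 32 + b"\x00"      # client_version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                         # one compression method: null
    if supported_versions is not None:                          # TLS 1.3-style client
        vers = b"".join(bytes(v) for v in supported_versions)
        ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(vers) + 1) + bytes([len(vers)]) + vers
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello = 1
    # Record-layer version is commonly fixed at 0x0301 for compatibility; it is NOT the negotiated version.
    return b"\x16" + bytes(TLS10) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the versions and cipher suites a ClientHello offers."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    legacy_version = (hello[0], hello[1])
    pos = 2 + 32                                   # skip client_version and random
    pos += 1 + hello[pos]                          # session id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    cipher_suites = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + hello[pos]                          # compression methods
    supported = None
    if pos + 2 <= len(hello):                      # extensions block is optional
        ext_len = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            data = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS and elen >= 1:
                supported = [(data[i], data[i + 1]) for i in range(1, 1 + data[0], 2)]
    return {
        "record_version": (record[1], record[2]),  # misleading on its own, see lead-in
        "legacy_version": legacy_version,
        "supported_versions": supported,
        "max_offered": max(supported) if supported else legacy_version,
        "cipher_suites": cipher_suites,
    }


def server_choice(info, server_versions=SERVER_VERSIONS):
    """Version a server with the given policy would select, or None if the handshake fails."""
    if info["supported_versions"] is None:
        # Pre-1.3 rule (RFC 5246): the client is assumed to accept anything up to client_version.
        candidates = [v for v in server_versions if v <= info["legacy_version"]]
    else:
        candidates = [v for v in server_versions if v in info["supported_versions"]]
    return max(candidates) if candidates else None


def describe(record, server_versions=SERVER_VERSIONS):
    info = parse_client_hello(record)
    chosen = server_choice(info, server_versions)
    offered = VERSION_NAMES.get(info["max_offered"], str(info["max_offered"]))
    if chosen is None:
        return f"client offers up to {offered}: handshake fails (protocol_version alert)"
    return f"client offers up to {offered}: server selects {VERSION_NAMES[chosen]}"


if __name__ == "__main__":
    print(describe(build_client_hello(TLS10, [0x002F])))                         # old app, fails
    print(describe(build_client_hello(TLS12, [0xC02F, 0x002F])))                 # upgraded app
    print(describe(build_client_hello(TLS12, [0x1301], supported_versions=[TLS13, TLS12])))
```

Run it against a ClientHello taken from a capture of your own app (the bytes after the TCP payload start) instead of the constructed ones to see what your library really offers; if `max_offered` comes back as TLS 1.0, the fix belongs in the app or its TLS library configuration, not on the server side.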
If you connect to WorkflowMax using the standard generic WorkflowMax API key
There are a number of private applications that connect to WorkflowMax. These solutions may be bespoke systems written by custom integrators, in-house developers or third party solutions which only connect using the private WorkflowMax API key. Additionally, you may be connecting using this general key to an unapproved or unsupported integration.
In both cases, it is important that you make the original developer aware of the WorkflowMax changes to TLS requirements as soon as possible. WorkflowMax may not have been able to contact the original developer directly, as they may have built their solution without requiring any assistance from WorkflowMax.
If you or your company are using a WorkflowMax account and are unsure whether you have any applications connecting to WorkflowMax, you can see these in your WorkflowMax account under Business -> Settings -> General Settings -> Add-ons. If you are in doubt, you can also send a request to email@example.com along with your WorkflowMax account name.
Why we’re changing
There are a number of technical drivers for change, but the primary ones are:
- Vulnerabilities in TLS 1.0 - Xero encrypts data at two layers, transport and presentation, but the known weaknesses in TLS 1.0 are protocol-level and cannot be fixed by patching an implementation. They were addressed by protocol changes in TLS 1.1.
- PCI-DSS compliance - We are a subscription service and integrate with payment aggregation providers which handle our customers credit cards. Our acquiring banks require that we comply with PCI-DSS in order to facilitate secure billing of our customers.
- Operating System, Development tools and Browser Support - While the Xero APIs themselves are unaffected by the underlying transport layer, the operating systems, development tools/libraries and browsers have also needed to support TLS 1.1 and more recently TLS 1.2. Xero’s API infrastructure has supported TLS 1.0/TLS 1.1/TLS 1.2 for quite some time, but because communication is usually instigated by the connecting app partner and the version is negotiated from that connection request, the app must be modified to offer the higher version of TLS.
Impact of the change to WorkflowMax API
WorkflowMax will be completely deprecating TLS 1.0 for API connections on 30th June 2018, with no extension possible. This might impact every app which connects to the WorkflowMax API, so you’ll need to confirm your app still works after this change.
For most applications, upgrading from TLS 1.0 will require upgrading the underlying framework or libraries that the application relies on. While not mandatory, we recommend that any application requiring an upgrade from TLS 1.0 move to TLS 1.2.
As discussed in this document on our Xero developer blog, to support TLS 1.2, changes to the operating system or runtime environment are required. The following are known to support TLS 1.2, however these are guidelines and the reader will need to validate the required changes:
- OpenSSL 1.0.1 onwards (the first release with TLS 1.1 and TLS 1.2),
- JDK 7 onwards,
- .Net Framework 3.5.1 onwards (.Net 4.5 natively supports TLS 1.2, and Microsoft released a package to support TLS 1.2 in 3.5.1, available here). Note that support is not the same as use: on .Net 4.5 the application still has to opt in to TLS 1.2 through ServicePointManager.SecurityProtocol, otherwise the default protocol list will be used.
- Windows 7 onwards
- Windows Server 2008 R2 onwards
- Most common Linux distributions rely on OpenSSL, so check the version the distribution ships
Q. Will I need to recertify my application with Xero (XPM) or WorkflowMax?
We do not require you to recertify your application if you are already a certified app partner.
Q. I have a partner application already but need a development partner application to make these changes without disrupting customers. Can I have a dev partner app?
You’ll need to contact support to get a new API key instead.
Q. I’m using a community Xero SDK. Will these be upgraded to support TLS 1.1 or TLS 1.2?
You may take the community SDKs and upgrade them to support the newer TLS versions and use them in your application or assist the community by submitting your changes for all who will use the community SDKs in future.
Q. Can Xero help me upgrade my code?
Your local Developer Evangelists are able to provide high level assistance, but unfortunately are not able to write code for you.
Q. Are there additional ways I can get assistance?
Xero has created a community page on Xero for developers to ask questions about TLS 1.0 deprecation. This community page will allow developers, both from the Xero and WFM API teams and external to Xero to share knowledge and learnings in a collaborative way.
If you still require some further details on what is required, please contact your local Developer Evangelist in your region or email firstname.lastname@example.org who will be able to assist.
The information above is relevant for WorkflowMax’s private, public or partner apps. If you’re a Xero subscriber, please refer to the information on the Xero blog.