How should developers address TLS/SSL configuration issues in external endpoints?
Answer
To address TLS/SSL configuration issues in external endpoints:
**For Third-Party Endpoints You Cannot Control:**
- First confirm what the endpoint actually negotiates (for example, whether it still accepts TLS 1.0 or 1.1 alongside TLS 1.2), so that both your request to the provider and your review documentation rest on observed behaviour rather than on a scanner summary
- Contact the third-party provider and ask them to raise the endpoint's minimum TLS version to TLS 1.2 or higher
- If the provider cannot make the necessary changes, document the issue and include it in a false positive document for the security review, with the evidence you collected, the provider's response, and a justification for why the residual risk is acceptable
**Platform Enforcement:**
- Apex callouts to endpoints that also support older TLS versions are not considered a vulnerability, because the platform only negotiates TLS 1.2 or higher for outbound callouts: a server that additionally accepts TLS 1.0 or 1.1 is never reached over those versions from Apex. The finding is a real problem only if the endpoint cannot complete a TLS 1.2 or higher handshake at all, in which case the callout fails rather than falling back to a weaker protocol
**Application-Level Requirements:**
- TLS version requirements can be enforced at the application level for external endpoints in the AppExchange security review: use https:// URLs in Remote Site Settings and Named Credentials, leave "Disable Protocol Security" unchecked on Remote Site Settings, and use HTTPS callback URLs for connected apps
- The review mandates the use of TLS v1.2 or higher for external endpoints
- Exceptions may be granted for endpoints not controlled by the partner, such as those from third-party services like Google or Slack, as long as an action plan is in place (who asked the provider, when, and how the package will be updated once the endpoint is fixed)
How should developers address TLS/SSL configuration issues in external endpoints?
Recommended Answer Update
To address TLS/SSL configuration issues in external endpoints:
**For Third-Party Endpoints You Cannot Control:**
- First confirm what the endpoint actually negotiates (for example, whether it still accepts TLS 1.0 or 1.1 alongside TLS 1.2), so that both your request to the provider and your review documentation rest on observed behaviour rather than on a scanner summary
- Contact the third-party provider and ask them to raise the endpoint's minimum TLS version to TLS 1.2 or higher
- If the provider can't make the necessary changes, document the issue and include it in a false positive document for the security review, with the evidence you collected, the provider's response, and a justification for why the residual risk is acceptable
**Platform Enforcement:**
- Apex callouts to endpoints that also support older TLS versions aren't considered a vulnerability, because the platform only negotiates TLS 1.2 or higher for outbound callouts: a server that additionally accepts TLS 1.0 or 1.1 is never reached over those versions from Apex. The finding is a real problem only if the endpoint can't complete a TLS 1.2 or higher handshake at all, in which case the callout fails rather than falling back to a weaker protocol
**Application-Level Requirements:**
- TLS version requirements can be enforced at the application level for external endpoints in the AppExchange security review: use https:// URLs in Remote Site Settings and Named Credentials, leave "Disable Protocol Security" unchecked on Remote Site Settings, and use HTTPS callback URLs for connected apps
- The review mandates the use of TLS v1.2 or higher for external endpoints
- Exceptions may be granted for endpoints not controlled by the partner, such as those from third-party services like Google or Slack, as long as an action plan is in place (who asked the provider, when, and how the package will be updated once the endpoint is fixed)
Reasoning
Made minor improvements to tone and clarity by making the language more conversational (using contractions like 'can't' and 'aren't') and more direct, which aligns with the brand guidelines. Removed the category/subcategory lines as they appear to be metadata rather than part of the answer content. The content itself remains accurate and doesn't conflict with any security rules.
The related security rules are highly relevant to this FAQ:
1. **ApexInsecureEndpoint** - This rule directly relates to the FAQ's core topic of addressing insecure endpoints. The FAQ discusses ensuring TLS 1.2+ for external endpoints, which is exactly what this rule checks for.
2. **AvoidDisableProtocolSecurityRemoteSiteSetting** - The FAQ mentions platform enforcement of TLS security, which connects to this rule that prevents disabling protocol security in remote site settings.
3. **AvoidInsecureHttpRemoteSiteSetting** - The FAQ's emphasis on using secure TLS versions and avoiding insecure endpoints directly relates to this rule that flags insecure HTTP remote site settings.
4. **UseHttpsCallbackUrlConnectedApp** - While the FAQ focuses on general external endpoints, this rule covers the specific case of ensuring HTTPS for connected app callbacks, which is part of the broader TLS/SSL security theme the FAQ addresses.