Retiring TLS 1.0 and 1.1

Issue

ServiceNow has disabled the use of TLS 1.0 and 1.1 for inbound connections. Customers will be required to use TLS 1.2 and above for all communications with their instances. Please see below for the original timeline and the plan of action.

Impact

Any services that currently rely on TLS 1.1 or older will no longer be available. The two most likely reasons ServiceNow customers see TLS 1.1 or older traffic are the use of older web browsers and older customized integrations.

Why

The use of TLS 1.2 is a recommended security best practice that provides a higher degree of privacy and data integrity than previous versions and maintains compliance with the latest industry standards.

When

We are moving customers in groups. Starting in August, all customers who have started using TLS 1.2 will have changes made to their VIPs so that no further TLS 1.0/1.1 traffic is allowed. This is done at the VIP level, affecting both prod and sub-prod at the same time. ServiceNow will complete moving all customers by April 30th, 2020, without any exception. We will have sent notifications to customers with usage on TLS 1.1 and lower protocols and will work with them.

We have been updating customers to TLS 1.2 since August 2019. This is the schedule of the upcoming bulk changes:

April 14:
  APJ   CHG8555753   April 14, 07:00 PDT | April 15, 00:00 AEST
  EMEA  CHG8555811   April 14, 15:00 PDT | April 15, 00:00 CEST
  AMS   CHG8555827   April 14, 20:00 PDT

April 29:
  APJ   CHG8822273   April 29, 07:00 PDT | April 30, 00:00 AEST
  EMEA  CHG8822277   April 29, 15:00 PDT | April 30, 00:00 CEST
  AMS   CHG8822279   April 29, 20:00 PDT

Changes will not be executed during holidays for that region.

Required Action

ServiceNow is monitoring customer usage of TLS 1.1 and older in our environment. If you are using anything older than TLS 1.2, you will receive notification from our Global Technical Support group. Please review this information and update any relevant services to use TLS 1.2 or higher.
If you detect usage of these older protocols, please ensure that the personnel within your company are using a modern, updated web browser, and review any custom integrations that your instance is using. Open a case ticket with our Global Technical Support team with a subject of "Deprecation of TLS 1.1 and 1.0" if you require assistance or further details regarding this matter.

ServiceNow encourages customers to configure their client systems to restrict traffic to only allow TLS 1.2 or higher. If you have additional questions, please contact us via the INT that is open for this purpose or reach out to ServiceNow Global Technical Support.

FAQ

1. To whom is this communication directed, and what is the intent?

The intention of this communication is to notify all customers that ServiceNow will stop accepting connections from any sources that use TLS 1.1 or lower versions and will only be available to connect over TLS 1.2 or higher versions. You can have TLS 1.0 and TLS 1.1 in your environment for other services that do not connect to ServiceNow. ServiceNow will only use TLS 1.2 for all your browsers and 3rd party integrations.

2. When is the change going through?

We want all of our customers to have the most secure version of TLS to enable more secure connections between their network and ServiceNow. We want to move all our customers to TLS 1.2 by April 30th, 2020. We will send notifications to customers using TLS 1.0/1.1 to ask them to configure their browsers or 3rd party integrations to use TLS 1.2.

Please note: If you have a 3rd party vendor that is using Web Services via SOAP, our logs do not capture the TLS version information, and you would need to reach out to your vendor to confirm they support TLS 1.2.

3. Which areas are impacted on the instance by the TLS deprecation?

ONLY incoming HTTPS traffic is affected by this change.
The main sources of older TLS versions are the internet browsers being used and any integrations incoming from other systems (REST/SOAP endpoints, MID Servers, etc.) into your ServiceNow instance. If any of those are using an older TLS version that is deprecated on ServiceNow, then those browsers/integrations won't be able to connect to the instance.

4. How can I track whether I'm impacted by it or not? How can ServiceNow help me with this?

You can only check internally whether any integrations or browsers are using older versions; there is no way for you to check it on the ServiceNow instance. ServiceNow is monitoring customer usage of TLS 1.1 and older in our environment. If you are using anything older than TLS 1.2, you will receive a notification from our Global Technical Support team.

5. What action do I need to take?

While ServiceNow is working to identify the potentially impacted customers, please make sure that the browsers your users are using are up to date. Most of the industry-standard browsers (like Chrome, IE, Firefox, Safari) use up-to-date TLS versions. Have an assessment in place to have your stakeholders use up-to-date TLS versions. Reach out to your integration partners and make sure they are using TLS 1.2 or a higher version.

6. Am I supposed to deprecate TLS 1.1 or lower? Or will TLS 1.2 or above work with older versions?

No, you do not need to disable TLS 1.1 or older if you already have TLS 1.2 enabled on your browsers and integrations. However, ServiceNow will only use TLS 1.2 or higher to establish communication.

7. Why is ServiceNow enforcing TLS 1.2?

The reason we are enforcing TLS 1.2 is that it is a recommended security best practice that provides a higher degree of privacy and data integrity than previous versions.

8. How do I determine which TLS and SSL versions are currently supported?
The easiest way to determine which TLS and SSL versions are currently supported is to use the test provided on the "SSL Labs" website:

https://www.ssllabs.com/ssltest/analyze.html?d=support.servicenow.com

Please change the last part of the URL to the instance that you want to check. Examples:

https://www.ssllabs.com/ssltest/analyze.html?d=myproductioninstance.service-now.com
https://www.ssllabs.com/ssltest/analyze.html?d=mytestinstance.service-now.com
https://www.ssllabs.com/ssltest/analyze.html?d=mydevinstance.service-now.com

Scroll down to the Configuration section of the report.

9. Can I remove my instance from an upcoming change?

Note: We will upgrade all instances by April 30th, 2020.

10. Can I roll back the TLS 1.2 update to use TLS 1.0/1.1/1.2?

There is no longer a rollback option, as we will no longer support TLS 1.0/1.1 in our infrastructure. The Technical Support team will guide you to fix forward in case of customer outage/impact. Customer requests for an extension beyond April 30th will be denied.

11. What are the common errors seen after the TLS 1.2 update, and what should I look for in the logs?

"The client and server cannot communicate, because they do not possess a common algorithm"
"Could not establish secure channel for SSL/TLS with authority 'sms.service-now.com'"
"Could not create SSL/TLS secure channel."
"SSL negotiation failed"
"The request was aborted: Could not create SSL/TLS secure channel."

12. I did not get an email about the TLS change. When was this sent out?

An email was sent out in Spring 2019 to notify you of the upcoming change starting in August 2019. Please check with the primary and secondary contacts associated with your cases, and check your Bulk Email folder or custom rules to see if the email was sent to another folder or archived based on your retention policy.

13. Why was a change not created or initiated?

The change was created as an internal ServiceNow change for multiple customers and not as an individual change for each customer.

14. Can I perform an update or rollback on the weekend?

Changes are NOT executed on weekends, from Friday 3:00 PM PDT to Sunday 3:00 PM PDT.

15. Can I use a Personal Developer instance to test TLS 1.2?

Unfortunately, the Personal Developer instances use a shared Virtual IP address. We will not be able to perform the update on one without affecting other Personal Developer instances. PDIs have all been updated.

16. How do I check which TLS version is running on my browser?

In Chrome, you can find out which TLS version the browser uses to communicate with the instances by following these steps: More tools > Developer Tools > Security tab > Under security connection settings. (Example: The connection to this site is encrypted and authenticated using TLS 1.2, ECDHE_RSA with P-256, and AES_128_GCM.)

If you are running an older browser, you need to enable the browser's TLS 1.2 protocols to help with page viewing. For instructions on how to enable these protocols in your older browsers, check the list below:

Microsoft Internet Explorer
  1. Open Internet Explorer.
  2. From the menu bar, click Tools > Internet Options > Advanced tab.
  3. Scroll down to the Security category and manually check the option box for Use TLS 1.2.
  4. Click OK.
  5. Restart Internet Explorer.

Microsoft Edge
  1. In the Windows menu search box, type Internet options.
  2. Under Best match, click Internet Options.
  3. In the Internet Properties window, on the Advanced tab, scroll down to the Security section.
  4. Select the Use TLS 1.2 checkbox.
  5. Click OK.
  6. Restart the Microsoft Edge browser.

Google Chrome
  1. Press Alt + F and select Settings.
  2. Scroll down and select Show advanced settings...
  3. Scroll down to the Network section and click on Change proxy settings...
  4. Select the Advanced tab.
  5. Scroll down to the Security category and manually select the checkbox for Use TLS 1.2.
  6. Click OK.
  7. Restart Google Chrome.

Mozilla Firefox
  1. In the address bar, type about:config and press Enter.
  2. In the Search field, enter tls.
  3. Find and double-click the entry for security.tls.version.min.
  4. Set the integer value to 2 to force the TLS 1.2 protocol.
  5. Click OK.
  6. Restart Mozilla Firefox.

Opera
  1. Press Ctrl + F12.
  2. Scroll down to the Network section and click on Change proxy settings...
  3. Select the Advanced tab.
  4. Scroll down to the Security category and manually check the option box for Use TLS 1.2.
  5. Click OK.
  6. Restart Opera.

Apple Safari
  There are no options for enabling SSL protocols. If you are using Safari version 7 or newer, TLS 1.1 and TLS 1.2 are automatically enabled.

PowerShell script
  Add the following code to force the Invoke-WebRequest cmdlet to use TLS 1.2:

    # Restrict outbound connections made from this PowerShell session to TLS 1.2
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

17. What should I consider before updating to TLS 1.2?

Please ensure all of your plug-ins are updated to the latest version; for example, the latest version of the Password Reset application is compatible with TLS 1.2.

18. What do I do if I am not sure whether my integrations or applications are impacted by the change?

Please create a case for ServiceNow mentioning that your integrations are not working, and our technical teams will help you out.
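
One way to triage integration logs for the errors listed in FAQ 11 and see which integrations still need a TLS 1.2 fix, as an added example (not ServiceNow code). The three-field log layout, the integration names and the sample lines are constructed assumptions; only the error strings and the sms.service-now.com host come from the FAQ.

```python
import re
from collections import defaultdict

# Error strings quoted in FAQ 11, most specific first so that each log line
# is labelled with the most precise message it contains.
TLS_ERRORS = [
    "The request was aborted: Could not create SSL/TLS secure channel",
    "Could not create SSL/TLS secure channel",
    "Could not establish secure channel for SSL/TLS with authority",
    "The client and server cannot communicate, because they do not possess a common algorithm",
    "SSL negotiation failed",
]
AUTHORITY = re.compile(r"with authority '([^']+)'")

# Constructed sample; assumed layout: "<timestamp> <integration-name> <message>".
SAMPLE_LOG = """\
2020-04-15T00:03:11Z hr-sync The request was aborted: Could not create SSL/TLS secure channel.
2020-04-15T00:03:42Z hr-sync Could not create SSL/TLS secure channel.
2020-04-15T00:04:07Z sms-gateway Could not establish secure channel for SSL/TLS with authority 'sms.service-now.com'
2020-04-15T00:05:19Z cmdb-import HTTP 200 OK, 431 records imported
2020-04-15T00:06:50Z legacy-soap ssl negotiation failed
2020-04-15T00:07:02Z sms-gateway The client and server cannot communicate, because they do not possess a common algorithm
"""

def triage(log_text):
    """Return {integration: {"count": n, "errors": set, "hosts": set}}."""
    report = defaultdict(lambda: {"count": 0, "errors": set(), "hosts": set()})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # not in the assumed three-field layout
        _, source, message = parts
        lowered = message.lower()
        hit = next((e for e in TLS_ERRORS if e.lower() in lowered), None)
        if hit is None:
            continue  # unrelated log line
        entry = report[source]
        entry["count"] += 1
        entry["errors"].add(hit)
        entry["hosts"].update(AUTHORITY.findall(message))
    return dict(report)

if __name__ == "__main__":
    for source, entry in sorted(triage(SAMPLE_LOG).items()):
        hosts = ", ".join(sorted(entry["hosts"])) or "-"
        print(f"{source}: {entry['count']} TLS failure(s), hosts: {hosts}")
        for err in sorted(entry["errors"]):
            print(f"    {err}")
```

Each integration that appears in the report is a client that failed to negotiate TLS 1.2 and should be updated or reconfigured as described in FAQ 5.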