Sage CRM 2020 R2: Transport Layer Security support

Security-related work has taken much of the effort in the development cycle for Sage CRM 2020 R2. One of the important changes has been to ensure that Sage CRM will keep running if TLS 1.1 is 'switched off' or 'blocked' within the browser, the network components or the operating system of the servers themselves.

The Transport Layer Security (TLS) protocol is the successor of SSL and is the foundation of HTTPS, the protocol used to encrypt communications between websites and end-users. TLS is also used for securing other transmission protocols, such as POP3S, IMAPS and SMTPS, which are used for sending and receiving emails.

The original TLS 1.0 was first published in January 1999. TLS 1.1 arrived in 2006 and TLS 1.2 in 2008.

The background to this is that the Internet Engineering Task Force (IETF) announced that it no longer recommends the use of older TLS versions. In response, Apple, Google, Microsoft, and Mozilla announced a unified plan to start deprecating TLS 1.0 and 1.1 early in 2020.

Different dates have been announced for different browsers and components, and COVID-19 has delayed the implementation of some changes, but there’s a consensus that only 1.2 should be supported. Beyond the browser companies, other software and infrastructure providers are also ending support for TLS 1.1. This will impact Microsoft Exchange and other service providers.

Sage CRM ended support for TLS 1.0 in Sage CRM 2018 R2. Sage has ensured that Sage CRM 2020 R2 is not dependent on TLS 1.1, and at the end of May 2020 Sage also released a series of patches to ensure that versions of Sage CRM that will be in support after September 2020 will be fully compliant with TLS 1.2.

This has meant all versions of Sage CRM 2018 R1 onwards have a patch available. Please see:

Sage CRM uses TLS throughout the product wherever web transactions are made, so this affects Exchange and Outlook integration, the REST and SOAP APIs, the Mobile interface, email integration and synchronization with the mobile apps. It applies everywhere, and TLS is an evolving standard.

We didn't look at the creeping disablement of TLS 1.1. We didn't look at what will happen if Chrome blocks TLS 1.1 or if Outlook blocks 1.1; we just tested by making sure that all our integration points could keep working if TLS 1.1 was universally blocked. For example, we don't know what Microsoft will do about the use of TLS 1.1 within Windows and what they will do with Windows patches. We don't know what different AV companies will do about blocking TLS 1.1, so the only thing we could do was switch off TLS 1.1 completely and make sure all Sage CRM uses is TLS 1.2.
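
The same idea can be checked from the client side: pin a client to TLS 1.2 only and confirm each integration endpoint still completes a handshake. This is an added example, not Sage's own test code; the hostnames and the `probe` and `tls12_only_context` helpers are constructed for illustration.

```python
import socket
import ssl

# Constructed endpoints standing in for the integration points the article
# lists (web/REST/SOAP over HTTPS, mail over IMAPS/SMTPS). Replace with your own.
ENDPOINTS = [
    ("crm.example.test", 443),
    ("mail.example.test", 993),
    ("mail.example.test", 465),
]


def tls12_only_context():
    """Client context that behaves as if TLS 1.0 and 1.1 were switched off."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cap at 1.2 as well, so a pass proves TLS 1.2 itself works on this endpoint.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host, port, timeout=5.0):
    """Return (status, detail) for one implicit-TLS endpoint."""
    ctx = tls12_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ssl.SSLCertVerificationError as exc:
        # The handshake reached certificate validation, but the chain is untrusted.
        return ("cert-error", exc.verify_message)
    except ssl.SSLError as exc:
        # Typically: the peer cannot agree on TLS 1.2, or is not speaking TLS.
        return ("handshake-failed", exc.reason or str(exc))
    except OSError as exc:
        # Refused, timed out, or name resolution failed.
        return ("unreachable", str(exc))


if __name__ == "__main__":
    for host, port in ENDPOINTS:
        status, detail = probe(host, port)
        print(f"{host}:{port:<5} {status:<17} {detail}")
```

An endpoint that reports `handshake-failed` here is one that would stop working once TLS 1.1 is blocked everywhere along the path.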