Jeff Rogers

Call Out Error - SSLv3

I'm developing a custom integration between Salesforce and RegOnline (call outs from SF to the RegOnline APIs to get data). Unfortunately it looks like I have a problem. I'm getting the following error message:

System.CalloutException: IO Exception: Server chose SSLv3, but that protocol version is not enabled or not supported by the client.

This looks related to SF recently disabling the use of SSLv3. Is this error from SF still trying to use SSLv3 and the RegOnline API has SSLv3 disabled (or the other way around)?

Any ideas for a resolution/work around?

Thanks!

Gaurav Kheterpal
Salesforce disabled SSLv3 in December last year. The preferred encryption mechanisms are TLS 1.0 and higher. Specifically:

For inbound requests: TLS 1.0, and TLS 1.2

For outbound requests: TLS 1.0

You can read more about it here (https://help.salesforce.com/apex/HTViewSolution?urlname=Salesforce-disabling-SSL-3-0-encryption).

I would recommend you check with RegOnline if their APIs support TLS.

If my answer helps resolve your query, please mark it as the 'Best Answer' & upvote it to benefit others and improve the overall quality of Discussion Forums.

Gaurav Kheterpal
Certified Force.com Developer| Salesforce Mobile Evangelist| Developer Forums Moderator| Dreamforce Speaker
Jeff Rogers
Gaurav,

Thank you for the reply!

Here's a response from RegOnline:

"We are compatible with SSL and TLS. However, we only support TLS 1.1 from a web browser perspective and TLS 1.0 for External Authentication."

It appears that SF uses TLS 1.0 for outbound calls (per the doc you referenced) and RegOnline states they support TLS 1.0 for External Authentication. Apparently, one of the two is trying to use SSLv3. Which side of the communication is setting the encryption?

This one is confusing!
Gaurav Kheterpal
Hi Jeff,

This (https://developer.salesforce.com/forums/ForumsMain?id=906F0000000AmTZ) thread provides a lot of detail related to the transition made by Salesforce to stop support for SSLv3 and switch to TLS. I would recommend a couple of things:

A) Raise a support case with Salesforce to confirm if the problem is at their end
B) Trying out an intermediate proxy such as this one - https://github.com/Rob--W/cors-anywhere which can accept a SSLv3 connection and then make a TLS callout to the destination.

Gaurav Kheterpal
Certified Force.com Developer| Salesforce Mobile Evangelist| Developer Forums Moderator| Dreamforce Speaker
 
This was selected as the best answer
Jeff Rogers
Response from Salesforce support:

"In case of callouts from salesforce, salesforce acts as a client. So as per the exception message, the endpoint is expecting the client (salesforce) to use SSLv3.

To resolve this issue, you have to re-configure your server to use TLS 1.0 protocol."

So, it looks like the problem is on RegOnline's end. They stated they support TLS 1.0, but apparently there is an issue. They're escalating the issue to their dev team.

Thanks again!
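
The point in the Salesforce support reply above (the server picks the protocol version in its ServerHello, and the client rejects it if that version is disabled) can be shown on a constructed handshake record. This is an added example, not code from any poster, Salesforce or RegOnline; the function names are hypothetical, the ServerHello bytes are constructed sample data, and the client policy of "TLS 1.0 only" is taken from the thread's statement about outbound requests.

```python
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def build_server_hello(version, cipher=0x002F):
    """Construct a minimal ServerHello record (sample data for this example)."""
    # server_version + 32-byte random + empty session id + cipher suite + compression
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def server_chosen_version(record):
    """Return the (major, minor) version the server selected in its ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    ctype, _, _, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if ctype == 0x15:
        raise ValueError("server sent an alert instead of a ServerHello")
    if ctype != 0x16 or len(payload) < 6 or payload[0] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    # payload[1:4] is the handshake length; the version follows it.
    return (payload[4], payload[5])

def check_callout(record, client_enabled):
    """Model the client-side check behind the CalloutException quoted in the thread."""
    chosen = server_chosen_version(record)
    name = VERSIONS.get(chosen, "unknown %d.%d" % chosen)
    if chosen not in client_enabled:
        return ("Server chose %s, but that protocol version is not enabled "
                "or not supported by the client." % name)
    return "handshake continues with %s" % name

# Assumed client policy: outbound callouts use TLS 1.0, SSLv3 disabled.
CLIENT_ENABLED = {(3, 1)}

if __name__ == "__main__":
    for v in [(3, 0), (3, 1)]:
        print(check_callout(build_server_hello(v), CLIENT_ENABLED))
```
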