You use HTTPS to connect to Shotgun securely and HTTPS uses the TLS protocol to encrypt its connections. Older implementations of TLS (v1.0 and v1.1) have known vulnerabilities that make them no longer secure enough given modern standards. Shotgun's support for these older TLS implementations is being discontinued on January 23rd, 2019. On the same date support for Toolkit cores older than v0.18.0 will be discontinued.
If you have tools that talk to Shotgun from software that does not support the latest version of TLS (v1.2) those tools will stop working.
Does this affect me?
Admins on hosted sites that we know are currently using TLSv1.0 or TLSv1.1 to connect to Shotgun have already been contacted via an in-app banner. If your admin was contacted via a banner, there is some software talking to your site that will stop working. Lack of a banner, however, is not a guarantee that your scripts will keep working. For commonly used software, check the TLSv1.2 support matrix below to see whether the versions you use will have issues.
The flowchart below outlines the process you can use to figure out how this change will impact you.
How can I test out the change?
We have set up an alternate URL you can use to connect to your Shotgun site. If you append "-tls" to your site name (e.g. mysite-tls.shotgunstudio.com), you will connect to your Shotgun site via a route that already requires TLSv1.2. You can use this alternate URL to test the environments in your studio and verify that they will continue to work after this deprecation.
You can use the following snippet to test a Shotgun connection from a Python interpreter:
import sys
api_path = "" # CHANGE THIS TO A DIRECTORY WHERE THE SHOTGUN PYTHON API IS INSTALLED
site = "" # CHANGE THIS TO YOUR SITE URL WITH "-tls" APPENDED
script = "" # CHANGE THIS TO A SCRIPT NAME ACTIVE ON YOUR SITE
key = "" # CHANGE THIS TO THE KEY FOR THE SCRIPT NAME ABOVE
sys.path.insert(0, api_path) # make the API importable from the directory above
import shotgun_api3
sg = shotgun_api3.Shotgun(site, script, key)
print(sg.find("Project", [])) # an empty filter list matches every project
If the above code raises an exception then the software it is run in does not support TLSv1.2.
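An exception from the snippet above can also come from a wrong script key, DNS, or a proxy. The following added example (not part of the original article or of the Shotgun API) uses only the Python standard library to report whether the interpreter's ssl module has TLSv1.2 at all, and to separate TLS handshake failures from ordinary network errors. The function names are hypothetical, and the host is whatever "-tls" URL you pass on the command line.

```python
from __future__ import print_function  # keeps the script usable on Python 2.7 hosts
import socket
import ssl
import sys


def tls12_capability():
    """Describe the TLS stack of the interpreter this runs in."""
    return {
        "python": sys.version.split()[0],
        "openssl": getattr(ssl, "OPENSSL_VERSION", "unknown"),
        # The constant exists only on Python 2.7.9+/3.4+ built against OpenSSL 1.0.1+.
        "tls12_available": hasattr(ssl, "PROTOCOL_TLSv1_2"),
    }


def classify(exc):
    """Map a connection exception to its likely cause."""
    if isinstance(exc, ssl.SSLError):   # must precede socket.error, its parent class
        return "tls"                    # handshake or certificate failure
    if isinstance(exc, socket.error):   # DNS, timeout, refused, proxy or firewall
        return "network"
    return "other"                      # e.g. a bad script name or key


def probe(host, port=443, timeout=10):
    """Attempt a verified TLS handshake; return (outcome, detail)."""
    if not tls12_capability()["tls12_available"]:
        return ("tls", "ssl module has no TLSv1.2 support")
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    try:
        conn = socket.create_connection((host, port), timeout)
        try:
            conn = ctx.wrap_socket(conn, server_hostname=host)
            return ("ok", conn.version())  # negotiated protocol, e.g. "TLSv1.2"
        finally:
            conn.close()
    except Exception as exc:
        return (classify(exc), str(exc))


if __name__ == "__main__":
    print(tls12_capability())
    if len(sys.argv) > 1:  # e.g. mysite-tls.shotgunstudio.com
        print(probe(sys.argv[1]))
```

Run it inside the same interpreter your tools use (for example the Python console embedded in a content creation tool), since each application may ship its own Python and OpenSSL build.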
This will affect me, what can I do to prepare?
To prevent these errors you need to upgrade the software you are using to a version that has TLSv1.2 support.
If it is impossible to upgrade your applications, you can implement a gateway and route connections to Shotgun through it. If that gateway allows TLSv1.0 and TLSv1.1 but talks to Shotgun via TLSv1.2, then it can act as a proxy and allow your existing environments to keep working. Instructions on how to set up such a gateway are available here.
For continued Toolkit support, you should upgrade your Toolkit core to a version newer than v0.18.0. As always, we recommend upgrading to the latest release of tk-core.
More secure sounds good, can I switch over early?
Yes. Get in touch with us at email@example.com and we can coordinate that change.
I use Single-Sign-On (SSO). Is there anything special I need to know?
Yes, the above testing instructions will not work for you. You will need to contact firstname.lastname@example.org in order to get a site on which you will be allowed to test.
Why are you doing this?
Shotgun has been allowing HTTPS connections via older TLS protocols that have known vulnerabilities and are no longer secure enough given modern standards. We have been maintaining this support for backward compatibility with many of the older operating systems and content creation tools that we know our clients use. As part of our push to make Shotgun as secure as possible and to meet Autodesk security requirements we can no longer maintain that support and will therefore deprecate our support for TLSv1.0 and TLSv1.1.
On the same date we will also be deprecating our support for Toolkit cores older than v0.18.0. This deprecation allows us to upgrade our app store for greater security and reliability.
How can I tell what environments will break?
If your admin(s) were contacted via an in-app banner, then there is some use of TLSv1.0 or TLSv1.1 amongst your users. Every site will be accessible via a new URL with "-tls" appended to it (e.g. mysite-tls.shotgunstudio.com); when using this URL, only TLSv1.2 will be allowed.
I whitelist the IP addresses that hosts at my studio are allowed to connect to. Will this affect me?
No, Shotgun IPs won’t change. If you restrict access using IP whitelists at your studio, no change is required. See our documentation on Shotgun's network architecture for a refresher on Shotgun's set of IP addresses.
What about browsers?
Browsers have supported TLSv1.2 for a long time now. Browsers will not be affected by this change, but software that uses Shotgun's APIs may be.
I have a local install. Will this affect me?
The TLS change will not affect you, but the minimum supported Toolkit core will if you are on an old Toolkit core. The TLS requirement is a change to our network infrastructure, not a change to the Shotgun application.
Content Creation Tools TLSv1.2 Support Matrix
| Update Needed | TLSv1.2 supported with a patch or upgrade |
| No | TLSv1.2 not supported |
| N/A | Not tested or does not exist |
| RV | 7.3.x+ | Yes | Yes | Yes | RV 7.3.0 supports TLS 1.2 and was released on Dec. 4th, 2018. |
| Nuke / Nuke Studio | 11.1v2+ | Yes | Yes | Yes | |
| Photoshop | 2018+ | Yes | N/A | Yes | Shotgun Desktop v1.5.3 (running python 2.7.14) required. |
| Flame | 2019.x+ | N/A | Yes | Yes | Official Flame announcement available here. |
| Motion Builder | 2018 | No | Yes | N/A | This does not yet reflect any planned releases before Jan 23rd. |
| Mari | 4.x+ | Yes | Yes | N/A | 4.x not released for Mac. |
This is a manual upgrade where you must re-download and re-install Shotgun Desktop.
< v1.5.3 works for Linux with the Fedora release, but not CentOS.
For more information about this or to ask questions, please send us an email at email@example.com