You use HTTPS to connect to Shotgun securely, and HTTPS uses the TLS protocol to encrypt its connections. Older implementations of TLS (v1.0 and v1.1) have known vulnerabilities that make them no longer secure enough given modern standards. Shotgun's support for these older TLS implementations is being discontinued on May 15th, 2019. On the same date, support for Toolkit cores older than v0.18.0 will be discontinued.
We will be scheduling a series of "brownouts" where we enforce TLSv1.2 for a limited time on known dates. The schedule of this series will be published shortly.
If you have tools that talk to Shotgun from software that does not support the latest version of TLS (v1.2), those tools will stop working.
Does this affect me?
Admins on hosted sites that we know are currently using TLSv1.0 or TLSv1.1 to connect to Shotgun have already been contacted via an in-app banner. If your admin was contacted via a banner, there is some software talking to your site that will stop working. Lack of a banner, however, is not a guarantee that your scripts will keep working. For commonly used software, consult the TLSv1.2 support matrix below to check whether the versions you use will have issues.
The flowchart below outlines the process you can use to figure out how this change will impact you.
How can I test out the change?
There are three tools at your disposal.
TLS 1.2 testing end-point
We have set up an alternate URL you can use to test whether your tools will be compliant with your Shotgun site once TLSv1.2 is enforced. If you append "-tls" to your site name (e.g. mysite-tls.shotgunstudio.com) you will connect to your Shotgun site via a route that already has TLSv1.2 required. You can use this alternate URL to test the environments in your studio to verify that they will continue to work after this deprecation, but DO NOT USE THIS END-POINT in production.
You can use the following snippet to test a Shotgun connection from a Python interpreter:
import sys
api_path = "" # CHANGE THIS TO A DIRECTORY WHERE THE SHOTGUN PYTHON API IS INSTALLED
site = "" # CHANGE THIS TO YOUR SITE URL WITH "-tls" APPENDED
script = "" # CHANGE THIS TO A SCRIPT NAME ACTIVE ON YOUR SITE
key = "" # CHANGE THIS TO THE KEY FOR THE SCRIPT NAME ABOVE
sys.path.insert(0, api_path) # make the Shotgun Python API importable
import shotgun_api3
sg = shotgun_api3.Shotgun(site, script, key)
print(sg.find("Project", [])) # empty filter list: return every project
If the above code raises an exception then the software it is run in does not support TLSv1.2.
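Added example, not from the original page or the Shotgun API: a pre-flight check to run in the same interpreter before connecting to the "-tls" URL, plus a wrapper that separates the ResponseNotReady rejection described under "What kind of errors should I expect?" from unrelated failures. The function names and outcome labels are assumptions made for illustration; the OpenSSL 1.0.1 threshold is the one given in the support notes at the end of this page.

```python
import ssl

try:  # Python 3
    from http.client import ResponseNotReady
except ImportError:  # Python 2.7, the interpreter in the page's stack trace
    from httplib import ResponseNotReady

MIN_OPENSSL = (1, 0, 1)  # oldest OpenSSL with TLSv1.2, per the page's Linux note


def local_tls12_support(ssl_module=ssl):
    """Return (ok, reason) for this interpreter, without any network traffic."""
    linked = getattr(ssl_module, "OPENSSL_VERSION_INFO", None)
    if linked is None:
        return False, "ssl module does not report an OpenSSL version"
    if tuple(linked[:3]) < MIN_OPENSSL:
        return False, "%s is older than OpenSSL 1.0.1" % ssl_module.OPENSSL_VERSION
    # Python exposes these names only when it was built with TLSv1.2 support.
    built_in = getattr(ssl_module, "HAS_TLSv1_2",
                       hasattr(ssl_module, "PROTOCOL_TLSv1_2"))
    if not built_in:
        return False, "this Python build has no TLSv1.2 support in its ssl module"
    return True, "TLSv1.2 available (%s)" % ssl_module.OPENSSL_VERSION


def classify_connection(connect):
    """Call connect() (a zero-argument callable) and label the outcome.

    Hypothetical usage against the "-tls" test URL:
        classify_connection(
            lambda: shotgun_api3.Shotgun(site, script, key).find("Project", []))
    """
    try:
        connect()
    except ResponseNotReady:
        return "tls-rejected"  # the error the page attributes to legacy TLS
    except Exception as exc:  # credentials, DNS, proxy: not the error described
        return "inconclusive: %s" % type(exc).__name__
    return "ok"


if __name__ == "__main__":
    print("local check: %s, %s" % local_tls12_support())
```

Run it inside the host application's own Python (for example a content creation tool's script editor), since that interpreter and its linked OpenSSL are what will actually make the connection.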
We will be performing a series of brownouts to let clients know what they should expect when TLS 1.0 and 1.1 are deprecated. These brownouts will happen on the production environment and will impact your operations if you are not already TLS 1.2 compliant.
See Legacy TLS Protocol Brownouts for more details about the brownouts.
Legacy TLS Connections Logging
To help you identify which users and scripts are connecting to Shotgun using non-TLS 1.2 protocols, we added the ability to log every non-compliant authentication request in the Event Entry Log.
See Identifying Legacy TLS Connections for more details about how to enable this feature.
This will affect me, what can I do to prepare?
To prevent these errors you need to upgrade the software you are using to a version that has TLSv1.2 support.
For continued Toolkit support, you should upgrade your Toolkit core to a version newer than v0.18.0. As always, we recommend upgrading to the latest release of tk-core.
More secure sounds good, can I switch over early?
Yes. Get in touch with us at firstname.lastname@example.org and we can coordinate that change.
I use Single-Sign-On (SSO). Is there anything special I need to know?
Yes, the above testing instructions will not work for you. You will need to contact email@example.com in order to get a site on which you will be allowed to test.
Why are you doing this?
Shotgun has been allowing HTTPS connections via older TLS protocols that have known vulnerabilities and are no longer secure enough given modern standards. We have been maintaining this support for backward compatibility with many of the older operating systems and content creation tools that we know our clients use. As part of our push to make Shotgun as secure as possible and to meet Autodesk security requirements we can no longer maintain that support and will therefore deprecate our support for TLSv1.0 and TLSv1.1.
On the same date we will also be deprecating our support for Toolkit cores older than v0.18.0. This deprecation allows us to upgrade our app store for greater security and reliability.
What kind of errors should I expect?
If a connection is rejected due to TLS not meeting the minimum protocol requirement, the server will respond with a ResponseNotReady error, which will result in a stack trace like this in the Python API:
  File "shotgun.py", line 621, in __init__
    self.server_caps
  File "shotgun.py", line 668, in server_caps
    self.info())
  File "shotgun.py", line 706, in info
    return self._call_rpc("info", None, include_auth_params=False)
  File "shotgun.py", line 3156, in _call_rpc
    self.config.api_path, encoded_payload, req_headers)
  File "shotgun.py", line 3297, in _make_call
    return self._http_request(verb, path, body, req_headers)
  File "shotgun.py", line 3348, in _http_request
    headers=headers)
  File "lib/httplib2/__init__.py", line 1608, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/lib/httplib2/__init__.py", line 1350, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "lib/httplib2/__init__.py", line 1306, in _conn_request
    response = conn.getresponse()
  File "lib/python2.7/httplib.py", line 1123, in getresponse
    raise ResponseNotReady()
I whitelist the IP addresses that hosts at my studio are allowed to connect to. Will this affect me?
No, Shotgun IPs won’t change. If you restrict access using IP whitelists at your studio, no change is required. See our documentation on Shotgun's network architecture for a refresher on Shotgun's set of IP addresses.
What about browsers?
Browsers have supported TLSv1.2 for a long time now. Browsers will not be affected by this change, but software that uses Shotgun's APIs may be.
I have a local install. Will this affect me?
The TLS change will not affect you, but the minimum supported Toolkit core will if you are on an old Toolkit core. The TLS requirement is a change to our network infrastructure, not a change to the Shotgun application.
Content Creation Tools TLSv1.2 Support Matrix
|Update Needed||TLSv1.2 supported with a patch or upgrade|
|No||TLSv1.2 not supported|
|N/A||Not tested or does not exist|
|RV||7.3.x+||Yes||Yes||Yes||RV 7.3.0 supports TLS 1.2 and was released on Dec. 4th, 2018.|
|Nuke / Nuke Studio||11.1v2+||Yes||Yes||Yes|
|Photoshop||2018+||Yes||N/A||Yes||Shotgun Desktop v1.5.3 (running python 2.7.14) required.|
|Flame||2019.x+||N/A||Yes||Yes||Official Flame announcement available here.|
|Mari||4.x+||Yes||Yes||N/A||4.x not released for Mac.|
This is a manual upgrade where you must re-download and re-install Shotgun Desktop.
< v1.5.3 works for Linux with the Fedora release, but not CentOS.
For Linux and OSX, the OS version matters.
OSX supports TLSv1.2 from 10.12 (Sierra) onward.
Linux flavors with OpenSSL v1.0.1 or later support TLSv1.2.
For more information about this or to ask questions, please send us an email at firstname.lastname@example.org