Insecure HTTPS and Old Toolkit Core Deprecation - May 15th, 2019

Overview

You use HTTPS to connect to Shotgun securely and HTTPS uses the TLS protocol to encrypt its connections. Older implementations of TLS (v1.0 and v1.1) have known vulnerabilities that make them no longer secure enough given modern standards. Shotgun's support for these older TLS implementations is being discontinued on May 15th, 2019. On the same date support for Toolkit cores older than v0.18.0 will be discontinued.

We will be scheduling a series of "brownouts" where we enforce TLSv1.2 for a limited time on known dates. The schedule of this series will be published shortly.

If you have tools that talk to Shotgun from software that does not support the latest version of TLS (v1.2), those tools will stop working.

Does this affect me?

Admins on hosted sites that we know are currently using TLSv1.0 or TLSv1.1 to connect to Shotgun have already been contacted via an in-app banner. If your admin was contacted via a banner, there is some software talking to your site that will stop working. Lack of a banner however is not a guarantee that your scripts will keep working. For commonly used software you can see the TLSv1.2 support matrix below to see if the versions you use will have issues.

The flowchart below outlines the process you can use to figure out how this change will impact you.

[Flowchart image: TLS_Diagram.png]

How can I test out the change?

There are three tools at your disposal.

TLS 1.2 testing end-point

We have set up an alternate URL you can use to test whether your tools will be compliant with your Shotgun site once TLSv1.2 is enforced. If you append "-tls" to your site name (e.g. mysite-tls.shotgunstudio.com) you will connect to your Shotgun site via a route that already requires TLSv1.2. You can use this alternate URL to test the environments in your studio and verify that they will continue to work after this deprecation, but DO NOT USE THIS END-POINT in production.

You can use the following snippet to test a Shotgun connection from a Python interpreter:

api_path = ""  # CHANGE THIS TO A DIRECTORY WHERE THE SHOTGUN PYTHON API IS INSTALLED
site = ""      # CHANGE THIS TO YOUR SITE URL WITH "-tls" APPENDED
script = ""    # CHANGE THIS TO A SCRIPT NAME ACTIVE ON YOUR SITE
key = ""       # CHANGE THIS TO THE KEY FOR THE SCRIPT NAME ABOVE

import sys
sys.path.append(api_path)  # make the Shotgun Python API importable
import shotgun_api3

# Connecting forces the TLS handshake and an initial "info" request to the -tls route
sg = shotgun_api3.Shotgun(site, script, key)
# A simple query proves the connection works end to end (works on Python 2 and 3)
print(sg.find("Project", []))

If the above code raises an exception then the software it is run in does not support TLSv1.2.
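As an added example (not part of the original article or the Shotgun API), the following standard-library-only check can be run in the same interpreter before trying the -tls endpoint: it reports whether the embedded Python and its OpenSSL can speak TLSv1.2 at all, and probe_tls12 (a hypothetical helper name) performs a TLSv1.2-only handshake against whatever host you pass it, so a failure points at the local OpenSSL rather than at the site.

```python
import socket
import ssl

# Minimum OpenSSL that can negotiate TLSv1.2 (the threshold given in the support matrix).
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)


def local_tls_report():
    """Describe the TLS capabilities of the Python interpreter running this code."""
    return {
        "openssl_version": ssl.OPENSSL_VERSION,
        "openssl_at_least_1_0_1": ssl.OPENSSL_VERSION_INFO[:3] >= MIN_OPENSSL_FOR_TLS12,
        # Python only exposes a TLSv1.2 selector when its OpenSSL build supports it.
        "tls12_constant_present": hasattr(ssl, "TLSVersion") or hasattr(ssl, "PROTOCOL_TLSv1_2"),
    }


def tls12_capable():
    """True if this interpreter can negotiate TLSv1.2 (old Python 2.7 / OpenSSL builds cannot)."""
    report = local_tls_report()
    return bool(report["openssl_at_least_1_0_1"] and report["tls12_constant_present"])


def _tls12_only_context():
    # Pin the client to exactly TLSv1.2 so the handshake mirrors the enforced route.
    if hasattr(ssl, "TLSVersion"):  # Python 3.7+
        ctx = ssl.create_default_context()
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        return ctx
    return ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)  # Python 2.7.9+ with OpenSSL >= 1.0.1


def probe_tls12(host, port=443, timeout=10):
    """Attempt a TLSv1.2-only handshake with host; return (ok, detail)."""
    if not tls12_capable():
        return False, "interpreter cannot negotiate TLSv1.2: %s" % ssl.OPENSSL_VERSION
    try:
        raw = socket.create_connection((host, port), timeout)
        tls = _tls12_only_context().wrap_socket(raw, server_hostname=host)
        negotiated = tls.version()
        tls.close()
        return True, "negotiated %s" % negotiated
    except (ssl.SSLError, socket.error) as exc:
        return False, "handshake failed: %s" % exc
```

From a DCC's Python console, print(local_tls_report()) first, then probe_tls12("mysite-tls.shotgunstudio.com") with your own -tls host name.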

Brownouts

We will be performing a series of brownouts to let clients know what they should expect when TLS 1.0 and 1.1 are deprecated. These brownouts will happen on the production environment and will impact your operations if you are not already TLS 1.2 compliant.

See Legacy TLS Protocol Brownouts for more details about the brownouts.

Legacy TLS Connections Logging

To help you identify which users and scripts are connecting to Shotgun using non-TLS 1.2 protocols, we added the option to log every non-compliant authentication request in the Event Log.

See Identifying Legacy TLS Connections for more details about how to enable this feature.

This will affect me, what can I do to prepare?

To prevent these errors you need to upgrade the software you are using to a version that has TLSv1.2 support.

For continued Toolkit support, you should upgrade your Toolkit core to a version newer than v0.18.0. As always, we recommend upgrading to the latest release of tk-core.

FAQ

More secure sounds good, can I switch over early?

Yes. Get in touch with us at support@shotgunsoftware.com and we can coordinate that change.

I use Single-Sign-On (SSO). Is there anything special I need to know?

Yes, the above testing instructions will not work for you. You will need to contact support@shotgunsoftware.com in order to get a site on which you will be allowed to test.

Why are you doing this?

Shotgun has been allowing HTTPS connections via older TLS protocols that have known vulnerabilities and are no longer secure enough given modern standards. We have been maintaining this support for backward compatibility with many of the older operating systems and content creation tools that we know our clients use. As part of our push to make Shotgun as secure as possible and to meet Autodesk security requirements we can no longer maintain that support and will therefore deprecate our support for TLSv1.0 and TLSv1.1.

On the same date we will also be deprecating our support for Toolkit cores older than v0.18.0. This deprecation allows us to upgrade our app store for greater security and reliability.


What kind of errors should I expect?

If a connection is rejected due to TLS not meeting the minimum protocol requirement, the server will respond with a ResponseNotReady error, which will result in a stack trace like this in the Python API:

File "shotgun.py", line 621, in __init__
self.server_caps
File "shotgun.py", line 668, in server_caps
self.info())
File "shotgun.py", line 706, in info
return self._call_rpc("info", None, include_auth_params=False)
File "shotgun.py", line 3156, in _call_rpc
self.config.api_path, encoded_payload, req_headers)
File "shotgun.py", line 3297, in _make_call
return self._http_request(verb, path, body, req_headers)
File "shotgun.py", line 3348, in _http_request
headers=headers)
File "lib/httplib2/__init__.py", line 1608, in request
(response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
File "/lib/httplib2/__init__.py", line 1350, in _request
(response, content) = self._conn_request(conn, request_uri, method, body, headers)
File "lib/httplib2/__init__.py", line 1306, in _conn_request
response = conn.getresponse()
File "lib/python2.7/httplib.py", line 1123, in getresponse
raise ResponseNotReady()

I whitelist the IP addresses that hosts at my studio are allowed to connect to. Will this affect me?

No, Shotgun IPs won't change. If you restrict access using IP whitelists at your studio, no change is required. See our documentation on Shotgun's network architecture for a refresher on Shotgun's set of IP addresses.

What about browsers?

Browsers have supported TLSv1.2 for a long time now. Browsers will not be affected by this change, but software that uses Shotgun's APIs may be.

I have a local install. Will this affect me?

The TLS change will not affect you, but the minimum supported Toolkit core will if you are on an old Toolkit core. The TLS requirement is a change to our network infrastructure, not a change to the Shotgun application.

Content Creation Tools TLSv1.2 Support Matrix

Key:
  Yes            TLSv1.2 supported
  Update Needed  TLSv1.2 supported with a patch or upgrade
  No             TLSv1.2 not supported
  N/A            Not tested or does not exist

Application         Version    Windows  Linux  Mac            Notes
Maya                2019+      Yes      Yes    Yes
                    2018.5     Yes      Yes    Yes
                    2018       Yes      Yes    No
                    2017.6     Yes      Yes    Yes
                    2017       Yes      Yes    No
                    2016       No       Yes    No
3dsMax              2018+      Yes      N/A    N/A
                    2017       Yes      N/A    N/A
                    2016       Yes      N/A    N/A
RV                  7.3.x+     Yes      Yes    Yes            RV 7.3.0 supports TLS 1.2 and was released on Dec. 4th, 2018.
                    7.2.x      Yes      Yes    No
                    7.1.x      Yes      Yes    No
                    7.0.x      Yes      Yes    No
Nuke / Nuke Studio  11.1v2+    Yes      Yes    Yes
                    11.0v1     Yes      Yes    No
                    10.x       No       No     No
Houdini             16.x+      Yes      Yes    Yes
                    15.x       Yes      Yes    Yes
                    14.x       Yes      Yes    Yes
Photoshop           2018+      Yes      N/A    Yes            Shotgun Desktop v1.5.3 (running Python 2.7.14) required.
                    2017       Yes      N/A    Yes
                    2015.5     Yes      N/A    Yes
Flame               2019.x+    N/A      Yes    Yes            Official Flame announcement available here.
                    2018.x     N/A      Yes    Update Needed
                    2017.x     N/A      Yes    Update Needed
Motion Builder      2019+      Yes      Yes    N/A
                    2018.0.1   Yes      Yes    N/A
                    2018       No       Yes    N/A
                    2017       No       Yes    N/A
                    2016       No       Yes    N/A
Mari                4.x+       Yes      Yes    N/A            4.x not released for Mac.
                    3.x        No       No     No
                    2.x        No       No     No
Shotgun Desktop     v1.5.3+    Yes      Yes    Yes            This is a manual upgrade where you must re-download and re-install Shotgun Desktop.
                    < v1.5.3   No       Yes*   No             < v1.5.3 works for Linux with the Fedora release, but not CentOS.
Python              2.7.10+    Yes      Yes*   Yes*           For Linux and OSX the OS version matters: OSX supports TLSv1.2 from 10.12 (Sierra) onward, and Linux flavors with OpenSSL v1.0.1 or later support TLSv1.2.

For more information about this or to ask questions, please send us an email at support@shotgunsoftware.com