Insecure HTTPS and Old Toolkit Core Deprecation - January 23rd, 2019

Overview

You use HTTPS to connect to Shotgun securely, and HTTPS uses the TLS protocol to encrypt its connections. Older versions of TLS (v1.0 and v1.1) have known vulnerabilities and are no longer secure enough by modern standards. Shotgun's support for these older TLS versions is being discontinued on January 23rd, 2019. On the same date, support for Toolkit cores older than v0.18.0 will be discontinued.

If you have tools that talk to Shotgun from software that does not support the latest version of TLS (v1.2), those tools will stop working.

Does this affect me?

Admins on hosted sites that we know are currently using TLSv1.0 or TLSv1.1 to connect to Shotgun have already been contacted via an in-app banner. If your admin was contacted via a banner, there is some software talking to your site that will stop working. Lack of a banner, however, is not a guarantee that your scripts will keep working. For commonly used software, consult the TLSv1.2 support matrix below to see if the versions you use will have issues.

The flowchart below outlines the process you can use to figure out how this change will impact you.

[Flowchart image: TLS_Diagram.png]

How can I test out the change?

We have set up an alternate URL you can use to connect to your Shotgun site. If you append "-tls" to your site name (e.g. mysite-tls.shotgunstudio.com), you will connect to your Shotgun site via a route that already requires TLSv1.2. You can use this alternate URL to test the environments in your studio and verify that they will continue to work after this deprecation.

You can use the following snippet to test a Shotgun connection from a Python interpreter:

api_path = "" # CHANGE THIS TO A DIRECTORY WHERE THE SHOTGUN PYTHON API IS INSTALLED
site = "" # CHANGE THIS TO YOUR SITE URL WITH "-tls" APPENDED
script = "" # CHANGE THIS TO A SCRIPT NAME ACTIVE ON YOUR SITE
key = "" # CHANGE THIS TO THE KEY FOR THE SCRIPT NAME ABOVE

import sys
sys.path.append(api_path)
import shotgun_api3

sg = shotgun_api3.Shotgun(site, script, key)
print(sg.find("Project", []))  # parenthesised form runs on Python 2 and 3

If the above code raises an exception, then the software it is run in does not support TLSv1.2.
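Added example (not from the original article or Shotgun's own code): the snippet above needs script credentials, and a bad key raises an exception just as a TLS failure does. This sketch first checks the interpreter's own ssl module, then performs a credential-free handshake so that capability, network and handshake problems are reported separately; the function names and the `LegacySsl` stand-in are constructed for this example.

```python
from __future__ import print_function  # same file runs on Python 2.7 and 3
import socket
import ssl
import sys

TLS12_MIN_OPENSSL = (1, 0, 1)  # OpenSSL release that introduced TLSv1.2


class LegacySsl(object):
    """Constructed stand-in for an ssl module linked against OpenSSL 0.9.8."""
    OPENSSL_VERSION_INFO = (0, 9, 8, 26, 15)


def tls12_capability(ssl_mod=ssl):
    """Return (ok, reason): can this interpreter's ssl module offer TLSv1.2?"""
    linked = tuple(getattr(ssl_mod, "OPENSSL_VERSION_INFO", (0, 0, 0))[:3])
    label = ".".join(str(n) for n in linked)
    if linked < TLS12_MIN_OPENSSL:
        return False, "linked OpenSSL %s predates 1.0.1" % label
    if not (hasattr(ssl_mod, "PROTOCOL_TLSv1_2") or hasattr(ssl_mod, "TLSVersion")):
        return False, "ssl module exposes no TLSv1.2 protocol constant"
    return True, "OpenSSL %s with TLSv1.2 available" % label


def diagnose(host, connect=socket.create_connection, ssl_mod=ssl):
    """Return "no-tls12", "network", "handshake" or the negotiated protocol."""
    if not tls12_capability(ssl_mod)[0]:
        return "no-tls12"   # upgrade the host application or its Python
    try:
        sock = connect((host, 443), 10)
    except socket.error:
        return "network"    # DNS, firewall or proxy problem, not TLS
    try:
        ctx = ssl_mod.create_default_context()  # verifies certificate and hostname
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except socket.error:    # ssl.SSLError is a subclass of socket.error
        sock.close()
        return "handshake"  # TLS handshake failed (protocol, cipher or certificate)
    try:
        return tls.version()
    finally:
        tls.close()


if __name__ == "__main__":
    print(tls12_capability())
    if len(sys.argv) > 1:   # pass your own "-tls" host name
        print(diagnose(sys.argv[1]))
```

Run it inside the application's own Python interpreter, since that is the ssl module your tools will actually use.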

This will affect me, what can I do to prepare?

To prevent these errors you need to upgrade the software you are using to a version that has TLSv1.2 support.

If it is impossible to upgrade your applications, you can implement a gateway and route connections to Shotgun through it. If that gateway allows TLSv1.0 and TLSv1.1 but talks to Shotgun via TLSv1.2, then it can act as a proxy and allow your existing environments to keep working. Instructions on how to set up such a gateway are available here.

For continued Toolkit support, you should upgrade your Toolkit core to a version newer than v0.18.0. As always, we recommend upgrading to the latest release of tk-core.

FAQ

More secure sounds good, can I switch over early?

Yes. Get in touch with us at support@shotgunsoftware.com and we can coordinate that change.

I use Single-Sign-On (SSO). Is there anything special I need to know?

Yes, the above testing instructions will not work for you. You will need to contact support@shotgunsoftware.com in order to get a site on which you will be allowed to test.

Why are you doing this?

Shotgun has been allowing HTTPS connections via older TLS protocols that have known vulnerabilities and are no longer secure enough given modern standards. We have been maintaining this support for backward compatibility with many of the older operating systems and content creation tools that we know our clients use. As part of our push to make Shotgun as secure as possible and to meet Autodesk security requirements we can no longer maintain that support and will therefore deprecate our support for TLSv1.0 and TLSv1.1.

On the same date we will also be deprecating our support for Toolkit cores older than v0.18.0. This deprecation allows us to upgrade our app store for greater security and reliability.

How can I tell what environments will break?

If your admin(s) were contacted via an in-app banner, then there is some use of TLSv1.0 or TLSv1.1 amongst your users. Every site will be accessible via a new URL with "-tls" appended to it (e.g. mysite-tls.shotgunstudio.com); when using this URL, only TLSv1.2 will be allowed.

I whitelist the IP addresses that hosts at my studio are allowed to connect to. Will this affect me?

No, Shotgun IPs won’t change. If you restrict access using IP whitelists at your studio, no change is required. See our documentation on Shotgun's network architecture for a refresher on Shotgun's set of IP addresses.

What about browsers?

Browsers have supported TLSv1.2 for a long time now. Browsers will not be affected by this change, but software that uses Shotgun's APIs may be.

I have a local install. Will this affect me?

The TLS change will not affect you, but the new minimum supported Toolkit core version will if you are on an old Toolkit core. The TLS requirement is a change to our network infrastructure, not a change to the Shotgun application.

Content Creation Tools TLSv1.2 Support Matrix

| Key | Meaning |
|---|---|
| Yes | TLSv1.2 supported |
| Update Needed | TLSv1.2 supported with a patch or upgrade |
| No | TLSv1.2 not supported |
| N/A | Not tested or does not exist |

 

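| Application | Version | Windows | Linux | Mac | Notes |
|---|---|---|---|---|---|
| Maya | 2018.5+ | Yes | Yes | Yes | |
| Maya | 2018 | Yes | Yes | No | |
| Maya | 2017 | Yes | Yes | No | |
| Maya | 2016 | No | Yes | No | |
| 3dsMax | 2018+ | Yes | N/A | N/A | |
| 3dsMax | 2017 | Yes | N/A | N/A | |
| 3dsMax | 2016 | Yes | N/A | N/A | |
| RV | 7.3.x+ | Yes | Yes | Yes | RV 7.3.0 supports TLS 1.2 and was released on Dec. 4th, 2018. |
| RV | 7.2.x | Yes | Yes | No | |
| RV | 7.1.x | Yes | Yes | No | |
| RV | 7.0.x | Yes | Yes | No | |
| Nuke / Nuke Studio | 11.1v2+ | Yes | Yes | Yes | |
| Nuke / Nuke Studio | 11.0v1 | Yes | Yes | No | |
| Nuke / Nuke Studio | 10.x | No | No | No | |
| Houdini | 16.x+ | Yes | Yes | Yes | |
| Houdini | 15.x | Yes | Yes | Yes | |
| Houdini | 14.x | Yes | Yes | Yes | |
| Photoshop | 2018+ | Yes | N/A | Yes | Shotgun Desktop v1.5.3 (running python 2.7.14) required. |
| Photoshop | 2017 | Yes | N/A | Yes | |
| Photoshop | 2015.5 | Yes | N/A | Yes | |
| Flame | 2019.x+ | N/A | Yes | Yes | Official Flame announcement available here. |
| Flame | 2018.x | N/A | Yes | Update Needed | |
| Flame | 2017.x | N/A | Yes | Update Needed | |
| Motion Builder | 2018 | No | Yes | N/A | This does not yet reflect any planned releases before Jan 23rd. |
| Motion Builder | 2017 | No | Yes | N/A | |
| Motion Builder | 2016 | No | Yes | N/A | |
| Mari | 4.x+ | Yes | Yes | N/A | 4.x not released for Mac. |
| Mari | 3.x | No | No | No | |
| Mari | 2.x | No | No | No | |
| Shotgun Desktop | v1.5.3+ | Yes | Yes | Yes | This is a manual upgrade where you must re-download and re-install Shotgun Desktop. |
| Shotgun Desktop | < v1.5.3 | No | Yes* | No | < v1.5.3 works for Linux with the Fedora release, but not CentOS. |
| Python | 2.7.10+ | Yes | Yes | Yes | |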

For more information about this or to ask questions, please send us an email at support@shotgunsoftware.com 
