You use HTTPS to connect to Shotgun securely and HTTPS uses the TLS protocol to encrypt its connections. Older implementations of TLS (v1.0 and v1.1) have known vulnerabilities that make them no longer secure enough given modern standards. Shotgun's support for these older TLS implementations is being discontinued on May 15th, 2019. On the same date support for Toolkit cores older than v0.18.0 will be discontinued.
We will be scheduling a series of "brownouts" where we enforce TLSv1.2 for a limited time on known dates. The schedule of this series will be published shortly.
If you have tools that talk to Shotgun from software that does not support the latest version of TLS (v1.2) those tools will stop working.
Does this affect me?
Admins on hosted sites that we know are currently using TLSv1.0 or TLSv1.1 to connect to Shotgun have already been contacted via an in-app banner. If your admin was contacted via a banner, there is some software talking to your site that will stop working. Lack of a banner, however, is not a guarantee that your scripts will keep working. For commonly used software, check the TLSv1.2 support matrix below to see if the versions you use will have issues.
The flowchart below outlines the process you can use to figure out how this change will impact you.
How can I test out the change?
We have set up an alternate URL you can use to test whether your tools will still work with your Shotgun site once TLSv1.2 is enforced. If you append "-tls" to your site name (e.g. mysite-tls.shotgunstudio.com) you will connect to your Shotgun site via a route that already has TLSv1.2 required. You can use this alternate URL to test the environments in your studio to verify that they will continue to work after this deprecation, but DO NOT USE THIS END-POINT in production.
You can use the following snippet to test a Shotgun connection from a Python interpreter:
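import sys
api_path = "" # CHANGE THIS TO A DIRECTORY WHERE THE SHOTGUN PYTHON API IS INSTALLED
sys.path.insert(0, api_path) # make the shotgun_api3 package importable
import shotgun_api3
site = "" # CHANGE THIS TO YOUR SITE URL WITH "-tls" APPENDED
script = "" # CHANGE THIS TO A SCRIPT NAME ACTIVE ON YOUR SITE
key = "" # CHANGE THIS TO THE KEY FOR THE SCRIPT NAME ABOVE
sg = shotgun_api3.Shotgun(site, script, key) # connects to the site; a rejected TLS handshake raises here
print(sg.find("Project", [])) # empty filter list returns every project the script can see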
If the above code raises an exception then the software it is run in does not support TLSv1.2.
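A credential-free check that can be pasted into the same interpreter, added here as an example and not part of the original announcement: it inspects the interpreter's own ssl module against the OpenSSL v1.0.1 threshold quoted in the support matrix notes. The function name tls12_capability and the sample version tuples are assumptions made for illustration.

```python
import ssl

# OpenSSL gained TLSv1.2 in 1.0.1, the threshold the page gives for Linux.
MIN_OPENSSL = (1, 0, 1)


def tls12_capability(openssl_version_info=None, has_tls12_constant=None):
    """Return (supported, reasons) for a Python build.

    With no arguments the live interpreter is inspected. Passing values lets
    you evaluate a build you only have version information for.
    """
    if openssl_version_info is None:
        openssl_version_info = ssl.OPENSSL_VERSION_INFO
    if has_tls12_constant is None:
        # The constant only exists on Python 2.7.9+ / 3.4+ linked against
        # an OpenSSL that implements TLSv1.2.
        has_tls12_constant = hasattr(ssl, "PROTOCOL_TLSv1_2")

    reasons = []
    version = tuple(openssl_version_info[:3])
    if version < MIN_OPENSSL:
        reasons.append("linked OpenSSL %d.%d.%d is older than 1.0.1" % version)
    if not has_tls12_constant:
        reasons.append("ssl module has no PROTOCOL_TLSv1_2 constant")
    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = tls12_capability()
    print("ssl library: %s" % ssl.OPENSSL_VERSION)
    print("TLSv1.2 capable: %s" % ok)
    for reason in why:
        print("  - %s" % reason)

    # Constructed sample: an old embedded interpreter built on OpenSSL 0.9.8.
    print(tls12_capability((0, 9, 8, 26, 15), False))
```

A passing result only says the interpreter can negotiate TLSv1.2; the connection test against the "-tls" URL is still what confirms the whole tool works.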
This will affect me, what can I do to prepare?
To prevent these errors you need to upgrade the software you are using to a version that has TLSv1.2 support.
If it is impossible to upgrade your applications, it is possible to implement a gateway and route connections to Shotgun through it. If that gateway allows TLSv1.0 and TLSv1.1 but talks to Shotgun via TLSv1.2, then it can act as a proxy and allow your existing environments to keep working. Instructions on how to set up such a gateway are available here.
For continued Toolkit support, you should upgrade your Toolkit core to a version newer than v0.18.0. As always, we recommend upgrading to the latest release of tk-core.
More secure sounds good, can I switch over early?
Yes. Get in touch with us at email@example.com and we can coordinate that change.
I use Single-Sign-On (SSO). Is there anything special I need to know?
Yes, the above testing instructions will not work for you. You will need to contact firstname.lastname@example.org in order to get a site on which you will be allowed to test.
Why are you doing this?
Shotgun has been allowing HTTPS connections via older TLS protocols that have known vulnerabilities and are no longer secure enough given modern standards. We have been maintaining this support for backward compatibility with many of the older operating systems and content creation tools that we know our clients use. As part of our push to make Shotgun as secure as possible and to meet Autodesk security requirements we can no longer maintain that support and will therefore deprecate our support for TLSv1.0 and TLSv1.1.
On the same date we will also be deprecating our support for Toolkit cores older than v0.18.0. This deprecation allows us to upgrade our app store for greater security and reliability.
How can I tell what environments will break?
If your admin(s) were contacted via an in-app banner, then there is some use of TLSv1.0 or TLSv1.1 amongst your users. Every site will be accessible via a new URL with "-tls" appended to it (e.g. mysite-tls.shotgunstudio.com). When using this URL, only TLSv1.2 will be allowed.
What kind of errors should I expect?
If a connection is rejected due to TLS not meeting the minimum protocol requirement, the server will respond with a ResponseNotReady error, which will result in a stack trace like this in the Python API:
  File "shotgun.py", line 621, in __init__
    self.server_caps
  File "shotgun.py", line 668, in server_caps
    self.info())
  File "shotgun.py", line 706, in info
    return self._call_rpc("info", None, include_auth_params=False)
  File "shotgun.py", line 3156, in _call_rpc
    self.config.api_path, encoded_payload, req_headers)
  File "shotgun.py", line 3297, in _make_call
    return self._http_request(verb, path, body, req_headers)
  File "shotgun.py", line 3348, in _http_request
    headers=headers)
  File "lib/httplib2/__init__.py", line 1608, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/lib/httplib2/__init__.py", line 1350, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "lib/httplib2/__init__.py", line 1306, in _conn_request
    response = conn.getresponse()
  File "lib/python2.7/httplib.py", line 1123, in getresponse
    raise ResponseNotReady()
I whitelist the IP addresses that hosts at my studio are allowed to connect to. Will this affect me?
No, Shotgun IPs won’t change. If you restrict access using IP whitelists at your studio, no change is required. See our documentation on Shotgun's network architecture for a refresher on Shotgun's set of IP addresses.
What about browsers?
Browsers have supported TLSv1.2 for a long time now. Browsers will not be affected by this change, but software that uses Shotgun's APIs may be.
I have a local install. Will this affect me?
The TLS change will not affect you, but the minimum supported Toolkit core will if you are on an old Toolkit core. The TLS requirement is a change to our network infrastructure, not a change to the Shotgun application.
Content Creation Tools TLSv1.2 Support Matrix
|Update Needed||TLSv1.2 supported with a patch or upgrade|
|No||TLSv1.2 not supported|
|N/A||Not tested or does not exist|
|RV||7.3.x+||Yes||Yes||Yes||RV 7.3.0 supports TLS 1.2 and was released on Dec. 4th, 2018.|
|Nuke / Nuke Studio||11.1v2+||Yes||Yes||Yes|
|Photoshop||2018+||Yes||N/A||Yes||Shotgun Desktop v1.5.3 (running python 2.7.14) required.|
|Flame||2019.x+||N/A||Yes||Yes||Official Flame announcement available here.|
|Mari||4.x+||Yes||Yes||N/A||4.x not released for Mac.|
This is a manual upgrade where you must re-download and re-install Shotgun Desktop.
< v1.5.3 works for Linux with the Fedora release, but not CentOS.
For Linux and OSX the OS version matters.
OSX supports TLSv1.2 from 10.12 (Sierra) onward.
Linux flavors with OpenSSL v1.0.1 or later support TLSv1.2.
For more information about this or to ask questions, please send us an email at email@example.com