Background:  Salesforce recently announced that they will be deprecating the use of TLS 1.0 encryption for ingoing and outgoing calls from Salesforce.  See more details here. For the time being, this is an optional change that you can choose to make in your LCRM.  Salesforce will implement this change for all production sites on March 4, 2017.  Until that day, you can choose to disable or enable TLS 1.0 at any time.

What this means for LCRM:  If you choose to disable TLS 1.0 in their organization, then LCRM will no longer be able to send messages to the Service Bus, and the Service Bus will not be able to send messages to LCRM.  This will continue to be the case until we can update the Service Bus to handle TLS 1.1 encryption.  At this point, we do not have a target date or a timeframe for this update, but we are working on an update to the Service Bus with the March 4, 2017 cutoff date in mind.

What you will see if TLS 1.0 is disabled:  If you choose to disable TLS 1.0 in their org, there will likely be multiple symptoms:
  • In Queue Problem Management, you will start seeing errors with the following message, or something similar:  “UNSUPPORTED_CLIENT: TLS 1.0 has been disabled in this organization. Please use TLS 1.1 or higher when connecting to Salesforce using https”.  This error could happen for any object that is synced across the bus.
  • In Salesforce, if you navigate to Setup -> Monitoring -> Outbound Messages, you will likely see outbound messages starting to stack up.  These messages will try to contact the bus every so often, but after 24 hours, the messages will expire and will be lost.
How to fix the situation in the short-term:  
  1. From Setup, enter Critical Updates in the Quick Find box, then select Critical Updates
  2. Find the update called "Require TLS 1.1 or higher for HTTPS connections" and click Deactivate
  3. Enter a comment on the next page, then click Deactivate
  4. Rebuild the related errors in your QPM