Greenhouse will be deactivating support for TLS v1.0 across our public facing applications. We are providing you advanced notice so that our customers and partners can prepare accordingly. If you are using unsupported clients to connect to Greenhouse after deactivating TLS v1.0, you will begin receiving connection error messages.

Screen_Shot_2018-05-22_at_3.49.18_PM.png

 

Why are we deactivating TLS v1.0?

We are deactivating TLS v1.0 to ensure that Greenhouse software is providing our customers and partners with the safe and secure protocols for our connections. This change is enforced throughout the industry to maintain secure connections that encrypt and protect your sensitive data from malicious breaches. The PCI Security Standards Council updated their guidance and will now require full deprecation of TLS 1.0 on June 30th, 2018 for applications that process payments. Although, we only support payments on the Recruiting application, we will be following the recommendation across all our inbound connections.

 

Am I affected?

Greenhouse has done some initial analysis and the deactivating of TLS v1.0 should only affect < 1% of our total traffic. There are two major categories of user’s that could be affected by the deprecation of TLS v1.0:

 

1. Customers and end-users using browsers or mobile applications

This includes customers using unsupported browsers to access the Greenhouse Recruiting and Onboarding applications as well as job applicants accessing job boards hosted by Greenhouse.

Supported Browsers

You can use the following website to easily determine if your browser supports a version of TLS > v1.0.

https://www.ssllabs.com/ssltest/viewMyClient.html

Browser Version Notes
Android 5.0 (Lollipop) and up Supported by default
Android 4.4 (KitKat) to 4.4.4

Some devices are supported

Go to https://www.ssllabs.com/ssltest/viewMyClient.html from your device browser to determine compatibility.

Chrome 38 and up Supported by default
Chrome 22-27 Supported when running on Windows XP SP3, Vista, or newer, OS X 10.6 (Snow Leopard) or newer, or Android 2.3 (Gingerbread) or newer.
Firefox 27 and up Supported by default
Firefox 23-26 Supported only after configuration: Browser to about:config and update ‘security.tls.version.max’ to 2
Internet Explorer 11 (Desktop and mobile) Supported by default
Microsoft Edge Supported by default
Safari 7 and up on OS X 10.9 (Mavericks) and up Supported by default
Mobile Safari 5 and up for iOS 5 and up Supported by default

 

2. Customers using HTTP clients to connect to our Harvest and Job Boards API 

Customers that have custom clients and are using clients that do not support TLS v1.1 and above will no longer be able to successfully connect to our Harvest and Job Boards API.

Customer should ensure that they are using a support client or else it will lead to downtime of any internal processes that utilize the Harvest API or any Job boards that are built using our Job Boards API.

Greenhouse will be performing analysis of connections to our Harvest and Job Boards API and performing proactive communications to affected customer to ensure a smooth transition.  We still recommend that our customers do not rely solely on us and each customer that utilizes these APIs should ensure that they are prepared for the deprecation date.

You can use the following API to easily test the library you are using for API connections to Greenhouse to ensure it supports TLS v1.1 or greater.

https://www.howsmyssl.com/a/check

The HTTP response will contain a ‘tls_version’ value which contains the highest version of TLS that is supported by the client.

See below for a list of common clients that may be used as an HTTP client to our API:

 

Clients Notes
OpenSSL 1.0.1 and up

Most HTTP clients available in languages will be using the OpenSSL client to initiate TLS connections

Some versions of Mac OSX are shipped with v0.9.8y and would therefore no longer work. You can upgrade to a newer version of OpenSSL via the Homebrew tool.

brew install openssl

Java version 7u26 and up

TLS 1.1 and 1.2 must be manually enabled

You will need to add the following property -Dhttps.protocols=TLSv1.1,TLSv1.2 which configures the JVM to specify which TLS protocol version should be used during https connections.

Java version 8 and up Supported by default
Python 2.7.9 and up Supported by default
Ruby 2.0.0 and up Supported by default is the underlying OS is running OpenSSL 1.0.1 and up