June 29, 2021 removing inbound TLS 1.0/1.1 support
In accordance with security best practices, we are retiring our remaining support for the TLS 1.0 and 1.1 security protocol. Most customers will not be affected by this change since most software released after 2014 supports TLS 1.2, which we will continue to support. Affected Aha! Roadmaps customers will be able to use an alternate port while updating to TLS 1.2 and will be supported by the Aha! security team.
Click any of the following links to skip ahead:
What is changing?
On July 24, 2021, we will remove support for TLS 1.0 and 1.1 connections to Aha! Roadmaps on the standard TLS port. Most Aha! Roadmaps customers will not notice any change as our supported web browsers are not affected and most integrated systems already support TLS 1.2 connections.
Customers who rely on older software versions, such as Jira 6.x or Windows Server 2008, will need to verify TLS 1.2 support or connect to Aha! Roadmaps using an alternate port which will temporarily continue to support TLS 1.0 and 1.1 connections. This will ensure that updates from your integrations will still be received by Aha! Roadmaps while you complete your update to TLS 1.2.
Note: You should only utilize this alternate port configuration if you are certain that it is required. Most customers do not need to take any action.
On September 18, 2021, we will also remove support for the alternate port and complete our retirement of all TLS 1.0 and 1.1 support in accordance with security best practices. By that time you must use TLS 1.2 to connect to Aha! Roadmaps for all web requests, API requests, and integration traffic.
This change only affects connections from an integrated system to Aha! Roadmaps such as webhooks from on-premises development systems. Connections from Aha! Roadmaps to integrated systems are not changing and will continue to connect as before.
How do I know if I am affected?
The Aha! security team is contacting affected customers whose integrations were active in a traffic analysis performed in June 2021. If you have not received a notification and you believe you may be affected, please review the guidance below and reach out to the Aha! Customer Success team.
All of the following must be true for you to be affected:
Your Aha! Roadmaps account initial signup was before November 2018. Accounts created later are not affected and have never supported TLS 1.0 or 1.1.
You utilize an on-premises integration, API client, or web browser that does not receive regular updates. Newer versions of development software such as Jira 7.0+ or cloud-hosted versions of Jira, Rally, and others are not affected.
The on-premises integration, API client, or web browser does not support outbound TLS 1.2 connections. Please see the Additional Resources section of this article for common scenarios.
What do I need to do?
Most Aha! Roadmaps customers do not need to take any action unless contacted by the Aha! security team. However, if you meet all the criteria above and require continued usage of TLS 1.0 or 1.1 support you should update your systems to continue connecting to Aha! Roadmaps without interruption.
Update Aha! Roadmaps URLs only for affected systems
If you rely on an on-premises integration, API client, or web browser that does not receive regular updates and you meet all of the criteria above, you will need to update the Aha! Roadmaps URL for these systems to utilize an alternate port.
Note: You should only utilize this alternate port configuration if you are certain that it is required. Most customers do not need to take any action.
If you have reviewed the guidance above and are not sure if your system is affected, please reach out to the Aha! Customer Success team with information about the system that is connecting to Aha! Roadmaps that may not support TLS 1.2.
Only the known affected systems should update their Aha! Roadmaps endpoint URLs to include the alternate port. For example, a Jira 6.2 webhook URL should be updated from:
https://company.aha.io/api/v1/webhooks/b8e85ed5f42f15b3112db9adca1b74dce87e4bba64df91ce3ece7cb41ec8f5b0To add :9443 to the host to utilize the alternate port that is temporarily continuing TLS 1.0 and 1.1 support:
https://company.aha.io:9443/api/v1/webhooks/b8e85ed5f42f15b3112db9adca1b74dce87e4bba64df91ce3ece7cb41ec8f5b0Note: This alternate port is provided temporarily and its support will also be removed on September 18, 2021. You should upgrade your systems to support TLS 1.2 as soon as possible and switch back to the standard TLS port to avoid interruptions.
Begin TLS 1.2 upgrades
We will also remove support for the alternate port and complete our retirement of all TLS 1.0 and 1.1 support on September 18, 2021. Systems that require the above alternate port configuration must be updated to support TLS 1.2 connections to Aha! Roadmaps by this time. If you are unable to upgrade software and systems to TLS 1.2 capable versions, you may choose to implement your own TLS 1.2 capable outbound proxy server to facilitate these connections even though Aha! Roadmaps will only support TLS 1.2 connections after this date.
Additional resources for TLS 1.2 support
TLS 1.2 support is common in software released after 2014. Some software only supports TLS 1.2 with additional configuration.
Jira on-premises
Jira version | Java version | Required action |
Atlassian Cloud | N/A | No action required |
7.0+ | 8+ | No action required |
6.3+ | 8 | No action required. Jira instances using Java 8 already support TLS 1.2. |
6.3+ | 7 | Upgrade to Java 8 or ensure Jira uses Java 7 configured to use TLS 1.2 protocol. This configuration is also recommended by Atlassian. If this cannot be completed by July 24, 2021, implement the alternate port workaround described above to temporarily continue to use TLS 1.0/1.1. |
5.2 to 6.2 | 7 | Ensure Jira uses Java 7 configured to use TLS 1.2 protocol. If this cannot be completed by July 24, 2021, implement the alternate port workaround described above to temporarily continue to use TLS 1.0/1.1. |
5.1 or lower | 6 | Upgrade Jira to a supported version with a Java version capable of TLS 1.2. If this cannot be completed by July 24, 2021, implement the alternate port workaround described above to temporarily continue to use TLS 1.0/1.1. |
If you are unable to upgrade to Java 8 or higher, you will need to ensure that the Java 7 environment that is used to run Jira is configured with the runtime flags below as documented by Oracle.
-Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2Azure DevOps (TFS/VSTS)
No action is required for cloud-hosted versions of Azure DevOps. For on-premises versions, ensure that your installation of TFS/VSTS, the underlying .NET version(s), and Windows Server all support the TLS 1.2 protocol. TFS 2015 (.NET 4.6) and above running on Windows Server 2012 and above should not require any changes to utilize TLS 1.2 endpoints.
.NET Framework version(s) used by TFS/VSTS must support TLS 1.2.
Note: .NET Framework versions may require additional registry settings for "SchUseStrongCrypto" . A .NET Framework version table for older TFS versions is available.
Windows Server must also support TLS 1.2.
Note: Windows Server 2008R2 may require additional updates and registry changes to support TLS 1.2.
Other integrations
If you run an on-premises integration not listed above and you are unable to determine whether your integration is able to utilize TLS 1.2 endpoints, please reach out to the Aha! Customer Success team with information about the system that is connecting to Aha! Roadmaps that may not support TLS 1.2.
Note: Cloud integrations such as Rally, GitHub, Slack, Salesforce, Zendesk, and others will not be affected.
Web browsers
Aha! Roadmaps maintains a list of supported web browsers, which are not changing as a result of this TLS change. If you are using an older browser version and are not sure if your browser is supported, you can test your browser. If it says your browser supports TLS 1.2, then you are good to go!
Aha! API
Aha! API callers must support TLS 1.2 connections. If TLS 1.2 support cannot be completed by July 24, 2021, implement the alternate port workaround to temporarily continue to use TLS 1.0 or 1.1.
Upgrade needed:
Windows Server 2008
.NET 3.5 and below
Java 6
OpenSSL 1.0.0 and below
Configuration changes needed:
Windows Server 2008R2
.NET 4.0/4.5
Java 7
No action required for:
Windows Server 2012+
.NET 4.6+
Java 8+
OpenSSL 1.0.1+
Only the known affected systems should update their Aha! Roadmaps endpoint URLs to include the alternate port. For example, a TLS 1.0 API caller would update from:
https://company.aha.io/api/v1/features/APP-1To add :9443 to the host use this alternate port. The alternate port will temporarily support TLS 1.0 and 1.1 while you migrate away from those versions:
https://company.aha.io:9443/api/v1/features/APP-1Outbound proxy
Software and systems that cannot be upgraded to support TLS 1.2 outbound connections could utilize an outbound proxy that is TLS 1.2 capable to make connections to Aha! Roadmaps TLS 1.2 endpoints. For example, a Jira 5.1 server utilizing Java 6 could send all webhooks to Aha! Roadmaps through an on-premises proxy server that you implement that will complete the secure transmission to Aha! Roadmaps using TLS 1.2.
The exact implementation would depend on your network configuration and Aha! cannot make specific recommendations. You would need to work with your network team to implement a proxy if you are unable to upgrade the integrated systems to support TLS 1.2 directly. Please note that connections from Aha! Roadmaps to integrated systems are not changing and will continue to connect as before.
