How do I disable support for TLS 1.0?

Issue

Heroku SSL Endpoint addons use the default Amazon ELB policy that is applicable at the time the SSL Endpoint addon is provisioned.

Currently, this includes some protocols that fail third-party compliance and security audits.

Resolution

Automated Certificate Management / Free Heroku SSL (SNI)

Unfortunately, we cannot change the available protocols for applications using Automated Certificate Management or Free Heroku SSL (SNI). You will have to switch to the SSL Endpoint addon.

SSL Endpoint addon

We can disable any protocols you want on a per-customer/per-app basis, but this affects which browsers can connect to your application. Some older browsers would no longer be able to connect to your app, so we'd ask you to perform your own investigation into whether this would impact your site's visitors before making this request.

If you'd like to proceed, you can open a ticket to request disabling TLS 1.0 for your app.

Apps in Private Spaces

By default, the routing infrastructure for Private Spaces apps supports the ciphers listed in the Dev Center article Routing in Private Spaces on TLS 1.0, TLS 1.1, and TLS 1.2. Of these, TLS 1.0, and TLS_RSA_WITH_3DES_EDE_CBC_SHA on TLS 1.1 and TLS 1.2, can be disabled on request. Some older browsers would no longer be able to connect to your app, so we'd ask you to perform your own investigation into whether this would impact your site's visitors before making this request. If you'd like to proceed, please run the following command:

heroku labs:enable spaces-strict-tls --app <app-name>
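
To confirm the result from the client side, the following added example (not Heroku's own tooling) attempts one handshake per protocol version against your app's hostname and reports which versions the endpoint still accepts. The function names are hypothetical, and it checks protocol versions only, not the 3DES cipher suite.

```python
import socket
import ssl
import sys
import warnings

# Protocol versions the page lists for Private Spaces routing, with a flag
# telling whether the local OpenSSL build can offer each one at all.
VERSIONS = {
    "TLS 1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLS 1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLS 1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}

def probe(host, port, name, timeout=5.0):
    """True: handshake completed at exactly this version. False: the server
    refused it. None: this client cannot offer the version, so no verdict."""
    version, available = VERSIONS[name]
    if not available:
        return None
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only protocol negotiation is tested,
    ctx.verify_mode = ssl.CERT_NONE     # so the certificate is not validated
    try:
        # OpenSSL 3 blocks TLS 1.0/1.1 client-side at its default security level.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # build without security levels
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError:
        return None
    # A TCP-level failure propagates: "unreachable" must not read as "disabled".
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
        except OSError:                 # includes ssl.SSLError and resets
            return False

def audit(host, port=443):
    return {name: probe(host, port, name) for name in VERSIONS}

if __name__ == "__main__":
    labels = {True: "accepted", False: "rejected", None: "not testable here"}
    for name, verdict in audit(sys.argv[1]).items():
        print(f"{name}: {labels[verdict]}")
```

With TLS 1.0 disabled, the expected output is "TLS 1.0: rejected" alongside "TLS 1.2: accepted". Run it from a host whose own crypto policy still permits TLS 1.0, otherwise a rejection says nothing about the server.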