We have received the following email from Heroku. We have a Django backend on Heroku with a lot of requests from browsers and other systems.
As Heroku says, we think we will not have any problems with browsers, because even old browsers are compatible with TLS 1.2: https://caniuse.com/tls1-2
But we don't know whether other systems are connecting to our system with TLS 1.0 or TLS 1.1.
Can we detect it from our code? Something like this?
if request.getProtocolTLS() in ["TLS1.0", "TLS1.1"]:
    send_admin_mail('Alert old protocol of TLS', request.user, request.get_full_path())
UPDATE with real data about our application:
Cloud: Heroku
Framework: Django 1.11.11
Python version: 3.6
WSGI HTTP Server: gunicorn
Procfile:
web: python manage.py collectstatic --noinput ; gunicorn joinupback.wsgi --log-file - --max-requests 6700 --max-requests-jitter 20
Dear Heroku Customer,
At Salesforce, our top priority is providing you with a trusted Heroku platform, and today we begin our migration off of older, less secure TLS versions with a plan to completely block TLS v1.0/v1.1 next year after July 31, 2021. While this restriction is generally not a problem for web browser clients, some old, non-browser clients may be affected. This notice gives you one full year to make whatever changes are necessary to ensure all clients use TLS v1.2, or greater (v1.2+).
Heroku currently supports TLS v1.0/v1.1, as well as the latest, more secure TLS v1.2+ protocol on all apps. In April 2016, the PCI Council released version 3.1 of their Data Security Standard (DSS). Among the many changes and recommendations was that SSL and TLS v1.0 can no longer be used. Today's recommendation is to use TLS v1.2+, not just for PCI compliance, but as a general best practice for encryption of data in transit on the internet.
Today, Heroku begins implementing these recommendations to transition all apps to TLS v1.2+, so that we can End of Life TLS v1.0/v1.1 next year.
What do I need to do? There is nothing you need to do for this change to take effect. Everything will happen automatically, without any action by you. However, if there are clients that access your app using TLS v1.0/1.1, they will need to be updated by July 31, 2021.
What do I need to know? We recently changed the ciphers used on all new Heroku apps deployed in Private Spaces to support only TLS v1.2+. Existing apps already running in a Private Space remain unchanged, using the previous default cipher suite.
Later this year, we will make a similar change to the default ciphers for all new Heroku apps.
If you run your apps in a Private Space, you may wish to change their cipher suite to TLS v1.2+ only so that they will be unaffected when we block TLS v1.0/v1.1 traffic. Details on how to do this are in the Routing in Private Spaces Dev Center article (“SSL Security” section).
When we change the default cipher suite for Common Runtime apps (i.e. apps not in Private Spaces), we will also provide instructions for you to change the cipher suite for these existing apps as well.
Beginning on June 1, 2021, we will begin migrating all apps to the new cipher suites and blocking TLS v1.0/v1.1, completing this migration by July 31, 2021.
After July 31, 2021, clients that access Heroku apps using TLS v1.0/v1.1 will be blocked. It is important that you take the necessary steps before then to ensure that your apps remain accessible to all your clients.
Sincerely, Heroku
SSLSocket.cipher() in docs.python.org/3.8/library/ssl.html to get the information, or get_cipher_version() in pyopenssl.org/en/stable/api/ssl.html, depending on what library you use. But at this stage 1) it is not necessary to quote all the email and 2) you are not giving any real data about your application and the part of the code doing the TLS handshake, and hence how to change it to reach your goal of detecting the TLS version. – Patrick Mevzek
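The comment above points at SSLSocket.cipher(); the following is an added example (not code from the question, the Heroku email or the comment) showing how a Python process that performs its own TLS handshake can detect a TLS 1.0/1.1 client with the standard-library ssl module, and, separately, how to refuse such clients outright. The names audit, hardened_server_context, serve_once, probe_accepts and the alert callback are mine. It rests on one assumption that the page does not state: on Heroku's Common Runtime the router terminates TLS in front of the dyno, so a gunicorn worker never holds the SSLSocket and a Django view cannot run this check; it applies where your own code or a proxy you operate owns the handshake.

```python
"""Added example: detect, and separately refuse, TLS 1.0/1.1 in a Python
process that performs the TLS handshake itself (standard-library ssl only).

Assumption, not taken from the page: Heroku's router terminates TLS and hands
the dyno plain HTTP plus X-Forwarded-* headers, so this cannot run inside a
Django view on Heroku; it belongs in code that owns the handshake.
"""
import logging
import socket
import ssl
from typing import Callable, Optional

log = logging.getLogger(__name__)


def is_legacy_tls(version: Optional[str]) -> bool:
    """True when the negotiated protocol is below TLS 1.2.

    `version` is what ssl.SSLSocket.version() returns: "SSLv3", "TLSv1",
    "TLSv1.1", "TLSv1.2", "TLSv1.3", or None when the socket is not encrypted.
    Anything that is not TLS 1.2 or newer counts as legacy.
    """
    if version is None or version.startswith("SSLv"):
        return True
    if version.startswith("TLSv"):
        major, _, minor = version[len("TLSv"):].partition(".")
        return (int(major), int(minor or 0)) < (1, 2)
    raise ValueError(f"unrecognised protocol string: {version!r}")


def audit(ssock, peer: str, alert: Callable[[str], None]) -> dict:
    """Record the negotiated protocol and cipher; call `alert` for legacy ones.

    The decision uses ssock.version(). ssock.cipher() is the call named in the
    comment, but per the ssl docs its middle field is the protocol version that
    defines the cipher suite, not necessarily the version that was negotiated,
    so only the suite name and key size are taken from it.
    """
    name, _defining_version, bits = ssock.cipher()
    negotiated = ssock.version()
    report = {"peer": peer, "version": negotiated, "cipher": name,
              "bits": bits, "legacy": is_legacy_tls(negotiated)}
    if report["legacy"]:
        alert(f"client {peer} negotiated {negotiated} with {name}")
    return report


def hardened_server_context() -> ssl.SSLContext:
    """Server context that refuses TLS 1.0/1.1 at the handshake.

    The caller still has to run ctx.load_cert_chain(certfile, keyfile). This is
    the 'block' counterpart to the 'detect' audit above: legacy clients fail
    here instead of reaching the application.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def serve_once(bind, ctx: ssl.SSLContext, alert=log.warning) -> dict:
    """Accept one connection, audit it and return the report (illustrative)."""
    with socket.create_server(bind) as listener:
        conn, addr = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as ssock:
            return audit(ssock, addr[0], alert)


def probe_accepts(host: str, port: int, max_version: ssl.TLSVersion) -> bool:
    """Client-side check: does `host` still complete a handshake capped at
    `max_version` (e.g. ssl.TLSVersion.TLSv1_1)? False means it was refused.

    Caveat: an OpenSSL built at security level >= 1 refuses TLS < 1.2 on the
    client side as well, so a False here may come from your own library.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = max_version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as ssock:
                return ssock.version() is not None
    except (ssl.SSLError, OSError):
        return False
```

audit() is the part that answers the question as asked ("alert the admins when a legacy client connects"); hardened_server_context() is what Heroku's router change amounts to, applied in your own process. probe_accepts() is for the other direction: pointing it at your app's hostname with max_version=ssl.TLSVersion.TLSv1_1 tells you whether the endpoint still accepts what an outdated client would offer.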