As noted in previous communications, Veracode will be blocking all web and API connections using TLS 1.0, starting on May 23rd. Many integrations will need to be upgraded to support TLS 1.1 and 1.2.
Custom integrations that connect directly to Veracode’s APIs may need to be updated to connect using TLS 1.1 or 1.2. For example, if you are using cURL from the command line, you can use the flag to force connections using TLS 1.2.
The .NET framework only supports TLS 1.1 and 1.2 in .NET 4.5 and later. As a result, all .NET based integrations will need to be upgraded to support .NET 4.5 and TLS 1.2. Integrations affected include:
- .NET Wrapper/SDK
- TFS Flaw Synchronizer
- TFS XAML Build integration
- Visual Studio add-in and extension
If you are using any of these integrations, you will need to download the latest integration from the Veracode Help Center and upgrade. Additionally, the following systems do not support .NET 4.5 and as such, integrations for these systems will no longer be supported and will have connections blocked starting on May 23rd. Those integrations and version are:
- Visual Studio 2010 addin & extension
- Team Foundation Server (TFS) 2010 Flaw Synchronizer and XAML Build integration
Java 1.7 does not support TLS 1.1 and 1.2 by default. As a result, if you are using an integration with Java 1.7, you will need to upgrade to Java 1.8 or take the following actions:
- Download the Java Cryptographic Extension (JCE) Unlimited Strength Jurisdiction Policy from Oracle and apply to your Java 1.7 JREs.
- Download the latest integration from the Veracode Help Center and upgrade.
The integrations affected are:
- Java Wrapper/SDK
- Eclipse plugin
- IntelliJ plugin
- Jenkins plugin
- JIRA plugin
As supporting TLS 1.1 and 1.2 with Java 1.7 requires both an upgrade of Veracode integrations and a patch of the Java 1.7 JRE, Veracode recommends upgrading to Java 1.8 instead. Integrations running in a Java 1.8 JRE do not need to be upgraded to support TLS 1.1 or 1.2.
No Change to Static Engine
The changes to TLS and Veracode Integrations do not impact the Veracode Static engine. The Static engine will continue to support apps compiled with VS 2003 and later.