TLS 1.

0 End of Support FAQ &

Troubleshooting Guide
Updated June 2017

Table of Contents
INTRODUCTION ..................................................................................................................................................... 1

OVERVIEW ................................................................................................................................................... 1

FREQUENTLY ASKED QUESTIONS ........................................................................................................................... 2

PULLING A REPORT BY BROWSER .......................................................................................................................... 3

DETERMINING TLS (SSL) VERSION BEING USED BY A WEBSITE ............................................................................... 5

DETERMINING WHICH PROTOCOL(S) IS USED BY YOUR BROWSER ........................................................................ 9

ENFORCING SECURITY PROTOCOL USED BY A BROWSER ....................................................................................... 9

Introduction
Overview
*Originally delayed from April 1 2017*
Starting July 12, 2017, Concur will no longer accept connections to its cloud application that use the TLS
1.0 or SSL 3.0 security encryption protocol. All connections must use TLS 1.1 or higher. This change is
being implemented to close several internet security holes and ensure the Concur platform uses the
latest proven technology to protect client data.

For a vast majority of users and API connections, this change will have absolutely no effect on their
everyday interactions with the Concur application. The latest browser versions and API connections all
support this protocol and will automatically adjust when connecting to the Concursolutions.com
website.

Older browser versions may not support the latest TLS protocol and may need to be reconfigured or
upgraded before a connection will be allowed, most notably Internet Explorer v.7, 8, 9 and 10. IE 7

1
specifically does not offer any support for TLS 1.1 and will need to be upgraded for use with Concur.
Versions 8, 9 and 10 do offer support, but it must be enabled within the browser settings.

Frequently Asked Questions

Q. What is TLS?
A. Transport Layer Security (TLS) is an encryption protocol which is used to encrypt traffic between a
user’s browser and a server. There are currently three versions of TLS running on the internet. TLS 1.0,
1.1 and 1.2.

Q. Why is Concur making this change?

A. Most recently, TLS 1.0 has been called out as having several vulnerabilities. Since this is the case,
many organizations and companies are no longer supporting TLS 1.0 (e.g. PCI, NIST, Google, and
Salesforce).

Q. What happens if a user accesses Concur on or after July 12, 2017?

A. Any user that attempts to access Concur after July 12, 2017 using TLS 1.0 will be redirected to a
landing page describing the problem and steps, if applicable, to take to reconfigure their browser.

Q. What browsers have TLS 1.0, and which do you support?

A. Older browser versions may not support the latest TLS protocol and may need to be reconfigured (see
troubleshooting guide below) or upgraded before a connection will be allowed starting July 12, 2017.
• Internet Explorer (IE) v.7, 8 and 9. Some IE 10 browsers may also use TLS 1.0 and must be
reconfigured to allow a connection. IE 7 specifically does not offer any support for TLS 1.1 and
will need to be upgraded for use with Concur. Versions IE 8, 9 and 10 do offer support, but it
must be enabled within the browser settings.
• Google Chrome versions 21 and below cannot support newer versions of TLS while versions 22 –
37 may need to be configured to support the newer versions. Chrome 38 and above natively
support newer versions of TLS.
• Firefox versions 22 and below cannot support newer versions of TLS while versions 23 – 26 may
need to be configured to support the newer versions. Firefox 27 and above natively support
newer versions of TLS.

Q. What actions should I take as a Concur administrator?

A. Concur administrators who believe their API connections use TLS 1.0 or believe that many of the users
may be on Internet Explorer Versions 6, 7, 8, 9 or 10 should contact their IT department right away to
ask them to verify that their organization does not have significant users on TLS 1.0.

Q. What if I think my API connection to Concur is broken?

A. First contact your application developer. Afterward, please open a support case with Concur which
includes important information such as the IP address your application is connecting from, the API
endpoint which you are connecting to, and the times (including time zone) that your application
attempted to connect to Concur. We will review the details of the case and work with you to help you
as you transition off of using TLS 1.0.

2
Q. Which Concur products are affected?
A. All products.

Q. If TLS 1.0 is outdated, is my data secure today?

A. Yes. Customer data is secure as Concur does not use TLS ciphers with known vulnerabilities.

Q. How are we communicating?

A. Concur has been communicating via the Release Notes since the July release to alert customer
administrators. Starting July 12, 2017, Concur users who access Concursolutions.com using TLS 1.0 will
be redirected to a landing page describing the problem and steps to take to reconfigure their browser.

Q. How many users are on TLS 1.0 today?

A. As of Jan 2017, only 0.6% of connections from Concur users are on browsers with TLS 1.0, a 4.4% drop
since Oct 2016. As of Oct 2016, only 5% of log-ins from Concur users are on browsers with TLS 1.0 – a
1.3% drop since July 2016. A majority of these log-ins are on IE 10 which means that the browser can be
reconfigured to support TLS 1.1 or higher.

Q. Are there special considerations for those who are using .net framework?
A. For those who are using .net Framework, please verify the version you are using to ensure that it is
patched to support TLS 1.1 and TLS 1.2. There have been multiple clients who were using an older
version of .net framework and had to either upgrade their system or patch their current version.

Q. If Concur still supports Internet Explorer 10, why would you redirect users on TLS 1.0?
A. Consider Internet Explorer (browser) and TLS (encryption protocol) as separate steps to access the
internet. While we continue to support Internet Explorer 10 as a browser, we no longer support one of
the ways (TLS 1.0) that the browser connects to our website. Therefore if a user connects to Concur
using TLS 1.0, we will redirect them starting July 12, 2017.

Pulling a report by browser

Users by Browser report is available to all admins working with the Expense, Request, Invoice, and/or
Travel offerings in both the Professional and Standard product editions.

This report allows the admin to select a browser version and then generate a report listing employees
who are using that browser. The list includes first, last, and login names, last login and login count, and
email and IP addresses for identification.

IMPORTANT NOTES BEFORE PULLING THE REPORT:

• Users who are using a newer browser in Compatibility Mode will show up in the report as the
older browser, not the actual current browser. This means your results will include users who
are not affected by this discontinuation.

• Uses on IE version 6, 7 or lower will not be able to connect to www.concursolutions.com after

July 12, 2017.

3
 • Users on IE version 8, 9 and 10 who show up in the browser report may still be able to connect
to www.concursolutions.com as long as their browsers are configured to support TLS 1.1 or
higher (see instructions in later section).

• For purposes of TLS 1.0, using a browser such as IE 11 in Compatibility Mode for an older
browser will not be affected by this discontinuation of support. In other words, users using
Compatibility Mode will still be able to connect to www.concursolutions.com after July 12, 2017.

• Unfortunately, it is not possible to accurately identify which users are actually connecting using
TLS 1.0. This is because the TLS version is only available before the user connects to the web site
and logs in.

 To run the Browser Report:

1. Click Administration > Company > Users by Browser.

2. On the Browser Report page, select a browser under Web Browser.

3. Click Submit.

4
The system returns a list of all users with information about the user, their login name and
status, and additional data to help identify the user(s) working with the selected browser
version.

5
Determining TLS (SSL) version being used by a website

Google Chrome

1. Click on the padlock icon at the left of the address bar to display the connection settings for the
webpage:

2. Select Details

6
3. A developer sidebar will open on the right-hand side of the browser

4. Leaving this sidebar open, reload the page and select https://www.concursolutions.com under
the Main Origin menu item

7
Mozilla Firefox

1. Click on the padlock at the left of the address bar

2. Then click 'more information'

8
Internet Explorer

The padlock is to the right of the address bar, but it won't help. Instead:

1. On a blank space of the page, right-click and select Properties

9
Determining which protocol(s) is used by your browser
All browser versions and support for different TLS protocols are listed here:

https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers

You will need to determine your browser version, which is usually under the Help  About menu.

As long as TLS 1.1 or higher is supported in your particular browser version, the discontinuation of TLS
1.0 will have no effect on your connection to the Concur application/platform.

Enforcing security protocol used by a browser

Your browser may be set to accept both older and newer versions of SSL and TLS. For testing and
security reasons, you may want to force your browser to use the latest security protocol. To enforce the
latest version:

Internet Explorer

Although these instructions and screenshots are for Internet Explorer (IE) 10, they will work for other
versions of IE.

1. Open IE.
2. In IE, click the Tools symbol (gear) or select the Tools menu and then click Internet Options.

10
3. In the Internet Options window on the Advanced tab, under Settings, scroll down to the
Security section.

4. In the Security section, locate the Use SSL and Use TLS options and uncheck Use TLS 1.0, Use
SSL 3.0 and Use SSL 2.0.

11
 5. If they are not already selected, check Use TLS 1.1 and Use TLS 1.2.
6. Next, click Apply and then, click OK.

You have successfully disabled the SSL 3.0 (TLS 1.0) protocol in your IE browser.

Firefox

Although these instructions and screenshots are for Mozilla Firefox 31, they will work for other versions
of Firefox.

1. Open Firefox.
2. In the Location Bar, enter about:config and click the Go to the address in the Location Bar
symbol (arrow).

3. When you receive the “This might void your warranty” message, click I’ll be careful, I promise!.

12
4. On the about:config page, in the Search box, enter tls and wait for the list to populate.

5. Next, in the list, double-click security.tls.version.min.

6. In the Enter integer value window, in the security.tls.version.min box, type 2 to make TLS 1.1
the minimum required protocol version, and then click OK.

You have successfully disabled the SSL 3.0 (TLS 1.0) protocol in your Firefox browser.

13
Chrome

These instructions and screenshots are for Google Chrome 50 but will work for more recent versions of
Chrome.

Chrome does not have specific options to disable/enable a particular encryption protocol so using
command-line controls is the only option:

1. Right-click on your desktop and select “New”, then “Shortcut”.

2. In the “Create Shortcut” panel, browse to the location of your Chrome installation and
select the Chrome icon – the default location is:

“C:Program Files (x86)GoogleChromeApplicationchrome.exe”

14
 3. Add the following command line switch –ssl-version-min=tls1.1 after the item location
(i.e., after the ending quote) to appear thus:

“C:Program Files (x86)GoogleChromeApplicationchrome.exe” –ssl-version-min=tls1.1

Make sure and separate the switch from the location with a space.

15
4. Name the shortcut (SSL.com suggests giving it a unique name which will remind you that
this shortcut is secure) and click “Finish”.

5. Running Chrome from this shortcut will force the TLS 1.1 protocol in your Chrome
browser.

16