Reminder: The Dropbox API will no longer accept TLS 1.0 or 1.1

Hi Dropbox,

We are currently using the following version in the Android apps. 

implementation 'com.dropbox.core:dropbox-core-sdk:2.1.1'

We will update to the required version. But development, testing and user update will take much more than 1 month left. We ask Dropbox to give us more time to comply.

Thanks for the consideration.

I received an e-mail from Dropbox warning that "your app(s) TuneLab Tuning Files have recently made calls to the Dropbox API using a deprecated TLS protocol version."  I thought we had updated both our iOS and Android versions over a year ago.  I suppose it is possible that some users of our apps have not updated in all that time, but I would like to know if there is any test I could run to see whether or not the latest versions of my apps are using the deprecated protocol.  My inspection of the Android code shows the external library of com.dropbox.core:dropbox-core-sdk:3.1.5, which should be OK.  And the iOS code uses cocopods and references ObjectiveDropboxOfficial and a README.MD that says "The Official Dropbox Objective-C SDK for integrating with Dropbox [API v2] " which should be OK too.  The source files are dated 11/3/2020.  So that should be OK too.  But I don't trust this as proof that my apps are not using the deprecated protocol.  So how can I run a test to know for sure?  Is there a way I can simulate April 13th now?  Or monitor traffic?  The e-mail I got from Dropbox has got me worried.

I would second that request of a simple test for peace of mind.

I also got that email, but my apps have should have been using compliant versions of the SDK for many years...

Eric Z.6 Thanks for sharing this feedback. At this time I am unfortunately not able to offer extensions for this change, but I’m sending this feedback along to the team.

For reference, we did send earlier advance notices about this change by email last year, but it sounds like those did not make it to you. For instance, perhaps they were caught by a spam filter. Please make sure that the email address on the account that owns your API app(s) is correct and can receive email. Additionally, make sure you haven't unsubscribed from "API announcements".

Robert S.138 Mark R.5 If you’ve already updated your app, this traffic may be coming from users still on an old version of your app. You may want to notify your users to update to the latest version of the app. We don't have a way to simulate the change, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though. If you'd like additional help verifying this, feel free to open an API ticket from the account that owns the app(s) in question and we may be able to offer some help.

Hi Dropbox,

We have received the mail regarding to this issue, stating that:

"We’re reaching out because your app(s) ... have recently made calls to the Dropbox API using a deprecated TLS protocol version."

We would like to confirm the following:

1. Does that mean our app did make calls using a deprecated TLS protocol version so that we received this mail? Or, is this just a notification regardless of whether our app communicates with deprecated TLS protocol version?

By testing with our app, it seems that the latest version of our app uses the TLS 1.2 and 1.3 protocol version. If receiving this mail is a proof of using deprected TLS protocol version by our app, then the only possible reason may originate from some of our customers who still uses older version of our app, which may be kind of wierd. Also, do you have any recommended way to test on which TLS version our app is really using?

2. We are using the curl library to send API to dropbox with the setting of CURL_SSLVERSION_TLSv1. Under this setting, although it seems that we will use the TLS 1.2 or 1.3 (depending on the version of curl library), in case we may still send with TLS 1.0/1.1, we would like to know after the deprecation of TLS 1.0/1.1 on April 13, will the request be fallback to use TLS 1.2 or 1.3 automatically?  Also, is there any approach to test this situation?

Look forward to your reply, thank you!

Can you at least confirm that the following is sufficient for avoiding the deprecated protocols:

In the Android version of our app, the build.gradle file under the app folder contains:

dependencies {
   . . . .
   implementation 'com.dropbox.core:dropbox-core-sdk:3.1.5'

   . . . .
}

and in the iOS version of our app, all the files in all the subdirectories of:

   Pods/ObjectiveDropboxOfficial

have a file date of 11/3/2020.

If it is not sufficient, tell me what else I could check.

DreamingDev 1. If you received that email it means your app sent some amount of TLS 1.0 or 1.1 traffic to the Dropbox API recently. If you’ve already updated your app, this traffic is likely coming from users still on an old version of your app. We don't have a way to simulate the change, but I'll pass this along as a feature request. I can't promise if or when that might be implemented though. 

2. I can't provide support for specific third party network clients as they're not made by Dropbox, but in general yes, network clients should automatically use the best available and compatible protocol version. As above, I can't offer a way to test this ahead of time, but you may be able to enable some logging on your network client to check the protocol version being used.

Robert S.138 Yes, Java SDK v3.1.5 is sufficient. And likewise a version of the Objective-C SDK from late 2020 would also be sufficient.

Hi Greg. It would be good to clarify the exact versions involved here for various SDKs. Just to recap what the original email sent out in Aug 2021 said:

1) SDKs over two years old may need updating (so I presume from Aug 2019 and earlier).

2) The Java and Python SDKs have specific versions that need updating to

Based on that I had no concerns since I was not using an SDK that old, and was not using either of the SDKs mentioned. So I am a little surprised to see you mention that the Obj-C SDK may need updating to late 2020, since this is obviously later than 2019, and the SDK was not mentioned in the original email. Could you please clarify what is the exact minimum version number of the SDK required to update to for the following versions of the SDK:

1) Objective-C

2) .NET

Many thanks.