Time to Retire SSL 3.0

on December 8, 2014


As a general security precaution, Mendix will be shutting down the legacy SSL 3.0 protocol on our platform and for all Mendix-hosted environments. This will happen on Thursday, December 18th, 2014. We see that less than 0.1% of all requests through our HTTP routing layer still use SSL 3.0; the others use the more secure successor TLS 1.x. Because the usage is so low and TLS support has been generally available for all platforms for a long time, now is the right time to turn off SSL 3.0.

Please note that this does not mean your application traffic is vulnerable to the POODLE exploit released a few weeks ago, as we don’t use any of the vulnerable cipher suites in SSL 3.0.

We have notified Technical Contacts of apps where SSL 3.0 is still used via e-mail. In case you missed that communication, you are advised to turn on TLS and disable SSL in your browsers. To do so, please follow this guide.


About Jouke Waleson

Product Manager and Team Lead of the Mendix Cloud team.

| Community Profile