
Sugar Summer '19 release is officially live! There's a huge buzz around our offices for this release - it's very exciting! Summer '19 introduces brand new Sugar products as well as many enhancements for existing Sugar Professional and Sugar Enterprise customers.

 

We recently held a webinar with an overview of what is in the Summer '19 release. If you missed it, watch the recording here or view the slides from this post. Note: Sugar 9.1 (Summer '19) is a cloud-only Sugar release. On-premise customers must wait until Sugar 10.0 (Spring '20) to obtain the feature enhancements provided in this release.

 

Here's the TL;DR for those of you looking for a quick list:

 

  • SugarIdentity service is out of beta. SugarIdentity is a set of user authentication and access management microservices that will improve how we manage Sugar cloud users today. It offers improved OAuth 2.0 support, leverages OpenID Connect, and supports SAML Web Single Sign On (SSO) with the MS Outlook Plug-In. Read more about SugarIdentity in our post called What you need to know about the new SugarIdentity service! All new SugarCloud customers in the Americas, including those customers of our new Sugar Sell and Sugar Serve products, are using SugarIdentity today.
  • Sugar products now support TLS encryption for LDAP single sign-on.
  • A new field on user records, License Type, has been added to allow administrators to grant each user access to one or more products including SugarCRM's newest offerings, Sugar Sell and Sugar Serve.
  • NEW PRODUCTS!! We are very excited to announce 3 new products:
    • Sugar Market is a rebranding of Sugar's recently-acquired marketing automation solution, SalesFusion.
    • Sugar Sell is our award-winning sales automation solution.
    • Sugar Serve is Sugar's new customer engagement center solution.
  • The new SugarCloud Insights page allows administrators to easily monitor their instance's database and file system storage usage, license usage, as well as gain access to PHP error logs and access logs.
  • Shareable dashboards now include custom user-created filters.
  • Tile View: For cases, tasks, and opportunities, a new view has been added that displays records as tiles in a familiar interactive, drag-and-drop interface.
  • Bug and Case bean classes now extend \Issue instead of \Basic class.
  • A new direction field has been added to the Emails module. The possible values are inbound, outbound, internal, unknown.

 

For details on everything in this release, check out our other Summer '19 resources:

We intend to disable support for TLS v1.1 and older in the SugarCloud on November 8, 2019. This action is consistent with the rest of the industry. It may impact some Sugar integrations that connect to the SugarCloud. If you are hosting Sugar on-site, you should consider taking similar steps to disable TLS v1.1 and earlier on your web servers.

 

Read on to learn more.

TLS/SSL Vulnerabilities

The SSL (“Secure Sockets Layer”) protocol was initially invented by Netscape back in the mid-1990s as a method for securing communications over a computer network. This protocol provides the “S” in HTTPS which is used to secure all HTTP traffic to Sugar web servers. As you might expect with 25-year-old security technology, there have been quite a few revisions and improvements to the original concept over time. In fact, SSL v3.0 came out in 1996, which was only a couple of years after SSL itself was first invented. SSL was later succeeded by TLS (“Transport Layer Security”) which itself has seen several iterations.

 

| Protocol | Published | Status |
|---|---|---|
| SSL 1.0 | Unpublished | Unpublished |
| SSL 2.0 | 1995 | Deprecated in 2011 (RFC 6176) |
| SSL 3.0 | 1996 | Deprecated in 2015 (RFC 7568) |
| TLS 1.0 | 1999 | Deprecation planned in 2020 |
| TLS 1.1 | 2006 | Deprecation planned in 2020 |
| TLS 1.2 | 2008 | |
| TLS 1.3 | 2018 | |

Courtesy of Wikipedia

 

With most technology, the penalty for not adopting the latest and greatest is mostly FOMO (“fear of missing out”). But cryptographic protocols are used for target practice by white- and black-hat-wearing security researchers the world over. This means that using an out-of-date cryptographic protocol compounds FOMO with FOLE (“fear of losing everything”).

 

The value of a TLS/SSL protocol is inversely proportional to the number of holes that have been punched into it. Some of these holes are exploits that go by the name of POODLE and BEAST. At the same time, the industry has been continuously adding better and stronger encryption protocols in response.

 

The industry is dropping support of old TLS versions

SSL is REALLY old, so hopefully nobody is still using this. However, there is still plenty of code out there using older versions of TLS. The PCI Data Security Standard requires all connections to use TLS v1.1 or higher while strongly recommending TLS v1.2 or higher. Even the browser vendors who are loath to drop features that could impact website compatibility (and market share) have agreed to drop support for TLS v1.0 and v1.1 in 2020.

 

As a result, we are considering the right time to disable support for TLS v1.1 and older for connections to the SugarCloud. This may impact some Sugar integrations that connect to the SugarCloud as we look to stay in step with the rest of the industry.

 

Make sure your REST API integrations are using TLS v1.2+

If you are using a modern web browser, then it is unlikely that you will run into any problems connecting to Sugar instances. However, some REST API integrations that are using old client libraries or runtimes are liable to use these older protocols. Basically, if you are running 10+ year old software in your integration, then you will likely run into some of the problems described below.

 

In particular, please take extra care if you are using any of the following technology with your Sugar integration.

 

| Client | Preferred Runtime |
|---|---|
| Apache HttpComponents | Use latest Java 8 or greater |
| RestSharp | Use latest .NET 4.7 or greater |
| cURL and OpenSSL (PHP) | Use OpenSSL 1.0.x or greater (PHP 7.1 or greater) |

 

If you aren’t sure, you can use a network analyzer to verify the version of TLS that is in use. For example, you can use tcpdump or Wireshark.

 

Take the following steps if you believe your integration is affected.

  • If applicable, upgrade to newer runtime environments for your integrations
    • Ex. Upgrade to Java 8 or newer or to .NET 4.6 or newer
  • Upgrade to latest HTTP client library versions
    • Ex. HttpComponents v4.4.11+ is compatible with TLS v1.3 implementation found in Java 11
  • Configure your HTTP clients to require use of TLS v1.2

How to disable TLS v1.1 and earlier for Sugar on-site installations

You will typically configure the web server with the versions of TLS/SSL that will be allowed by your Sugar instance.

 

For Apache, the allowed versions of TLS can be configured using mod_ssl’s SSLProtocol directive.
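To find SSLProtocol lines that still allow TLS v1.1 or earlier, the following added example (not from SugarCRM or the Apache project) evaluates each directive in a configuration file. It uses a simplified model of how the tokens apply (a bare name sets the list, + adds, - removes) and assumes "all" expands to SSLv3 through TLSv1.3; the function names and sample configuration are constructed.

```python
import re

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}       # versions the post says to disable
ALL = LEGACY | {"TLSv1.2", "TLSv1.3"}         # assumed expansion of "all"
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def effective_protocols(args: str) -> set:
    """Apply SSLProtocol tokens left to right: bare sets, + adds, - removes."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        chosen = ALL if name == "all" else {p for p in ALL if p.lower() == name}
        if not chosen:
            raise ValueError(f"unknown protocol in token {token!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled


def audit(config_text: str) -> list:
    """Return (line_number, legacy protocols still enabled) per SSLProtocol line."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)   # commented-out lines never match
        if match:
            legacy = sorted(effective_protocols(match.group(1)) & LEGACY)
            findings.append((lineno, legacy))
    return findings


# Constructed configuration fragments, one directive per line.
SAMPLE = """\
# SSLProtocol all
SSLProtocol all -SSLv3
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for lineno, legacy in audit(SAMPLE):
        print(lineno, "legacy enabled:" if legacy else "ok", ", ".join(legacy))
```

An empty list for a line means that directive leaves only TLS v1.2 and later enabled.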

 

For IIS, the allowed versions of TLS can be configured using TLS Registry Settings.

 

Connections using TLS v1.1 or earlier will break

Only 6% of web traffic in SugarCloud is using an out-of-date version of TLS, so we are moving aggressively to ensure SugarCloud will only support TLS v1.2+ in the future.

 

 

New Support for TLS versions 1.1 and older in SugarCloud will be disabled on November 8, 2019.

Hello Sugar Developers!

 

We often get questions about building code customizations for SugarCloud. Even experienced developers who have developed customizations for on-site Sugar installations do not know what is possible in SugarCloud. In short, SugarCloud does support custom code, though there are some rules that need to be followed. We will dig into how to write code customizations for SugarCloud in this webinar.

 

What we will be covering:

We will demonstrate by example (with the help of Professor M) the following topics:

  • Accessing SugarCloud Developer Builds
  • How to configure a local dev environment to be similar to SugarCloud
  • Methods for managing and deploying custom code in SugarCloud
  • How to debug problems in a Cloud instance
  • Important rules to keep in mind

 

Webinar Information:

Join us for the live webinar:

Tuesday, July 16th 7:00 - 8:00 AM PT

Register Now!

 

Can’t make it? Don’t worry! We will be posting the webinar recording to this community for those who are unable to attend the live session.