SSLv3 Disabled

As a precautionary measure Fitbit has disabled SSLv3 support on the majority of its sites due to reports of a flaw in the protocol. We believe this should only impact Windows XP users with IE6 or systems with custom SSL configurations. This should have no impact for users with TLS capability. We will reevaluate this decision as soon as we know the exact nature of the flaw.

 

Follow this incident at http://status.fitbit.com/incidents/2014-10-14

Best Answer
0 Votes
3 REPLIES

This is a 30 day notice of an upcoming protocol removal from the Fitbit API.

Currently, the Fitbit Subscriptions API supports HTTPS connections using SSLv3 and TLSv1. Soon, Fitbit will stop supporting SSLv3.

Applications receiving notifications from Fitbit's Subscriptions API must now support TLSv1 on their subscriber endpoints if they use HTTPS. Failure to support TLSv1 will result in your application being unable to receive subscription notifications from the Fitbit Subscriptions API.

Fitbit also will add support for TLSv1.1 and TLSv1.2 in the near future.

Best Answer
0 Votes

Hi,

Does Fitbit have any test environment where Fitbit only supports TLSv1? This will help us make sure my service is successfully interacting with Fitbit using TLSv1.

Is Fitbit going to support (from next month) TLSv1 for all APIs as well, along with the subscription APIs?

At present we are using the subscription APIs below. Going forward, do we need to consume the APIs below via TLSv1?

                http://api.fitbit.com/1/user/XX4Z3/activities/apiSubscriptions.

                http://api.fitbit.com/1/user/XX4Z3/sleep/apiSubscriptions.

                http://api.fitbit.com/1/user/XX4Z3/body/apiSubscriptions.

 

Regards

vizaya kumar

 

Best Answer
0 Votes

@vizay: SSLv3 for requests to the Fitbit API is already disabled. This announcement is regarding the notifications sent from the Subscriptions API. If your subscriber endpoint uses HTTPS, it must now use TLSv1.

 

There is no test environment, but it's fairly easy to test if your server supports TLSv1.

 

In Linux or Mac OS X, you can use the OpenSSL client like this:

openssl s_client -connect your-server-receiving-notifications.com:443 -tls1

If the first few lines of the response contain a "handshake failure", then your server does not support TLSv1.

Best Answer
0 Votes
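The check described in the answer above can be scripted so that a subscriber endpoint is tested the same way each time. This is an added example, not part of the original thread or Fitbit's own tooling; the function names `classify_tls1` and `check_tls1`, the port 443 default and the sample outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): interpret `openssl s_client -tls1` output.

# Reads s_client output on stdin; prints supported, unsupported or unknown.
classify_tls1() {
    out=$(cat)
    # A TLS alert from the peer: the "handshake failure" case from the answer,
    # plus "protocol version", which some servers send for a refused version.
    if printf '%s\n' "$out" | grep -qiE 'alert (handshake failure|protocol version)'; then
        echo unsupported; return 0
    fi
    # No cipher and no alert: connection or local client problem, not a verdict.
    if printf '%s\n' "$out" | grep -qE 'Cipher is \(NONE\)|Cipher[[:space:]]*:[[:space:]]*0000'; then
        echo unknown; return 0
    fi
    # Session block reports exactly TLSv1 (the anchor excludes TLSv1.1/1.2).
    if printf '%s\n' "$out" | grep -qE 'Protocol[[:space:]]*:[[:space:]]*TLSv1[[:space:]]*$'; then
        echo supported; return 0
    fi
    echo unknown
}

# Runs the command from the answer against host $1 (port 443) and classifies it.
check_tls1() {
    openssl s_client -connect "$1:443" -tls1 </dev/null 2>&1 | classify_tls1
}

# Constructed sample outputs, abbreviated; not captured from any real server.
SAMPLE_FAIL='CONNECTED(00000003)
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA'

printf 'failing sample: %s\n' "$(printf '%s\n' "$SAMPLE_FAIL" | classify_tls1)"
printf 'passing sample: %s\n' "$(printf '%s\n' "$SAMPLE_OK" | classify_tls1)"
```

An `unknown` result means the output showed neither an alert nor a completed TLSv1 session, so check connectivity and whether the local OpenSSL build still permits TLSv1 before drawing a conclusion about the server.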