
TLS1.2 compliant


keat

Recommended Posts

I received the following email from Pay360 this morning regarding updates to TLS.

My server is TLS1.2 compliant (as far as I can gather).

However, will this affect the payment gateway plugin at all?

 

Overview  

We are contacting you today to inform you of some upcoming changes to our infrastructure that may require action on your part.  

From May 2018, we are removing support for TLS 1.0 and 1.1 ciphers as they will no longer be considered PCI compliant transfer protocols. We are also moving to a new IP address range for both inbound and outbound communications. 

 

What is changing?  

We will be upgrading our external connection protocols by deprecating support for TLS 1.0 and 1.1 and enforcing TLS 1.2 communication for all inbound connections to Pay360. TLS version 1.2 has existed since 2008 and is supported as standard by most network devices and supported versions of all major operating systems. 

As part of the upgrade to TLS 1.2 we are increasing the size of some cryptographic keys that we generate - this is explained in more detail below.

At the same time as the above changes, we are also moving to a new IP address range. This will affect both inbound and outbound requests. There will be more to follow on our new IP space in January 2018.

 

 

And it goes on and on and on.


1 minute ago, keat said:

We will be upgrading our external connection protocols by deprecating support for TLS 1.0 and 1.1 and enforcing TLS 1.2 communication for all inbound connections to Pay360. TLS version 1.2 has existed since 2008 and is supported as standard by most network devices and supported versions of all major operating systems. 

That is the interesting part and actually the first time I have seen any payment gateway say how long TLS1.2 has been available.  Most gateway companies, PayPal in particular, word their emails like they are at the forefront of security technology, and many people have been worried about this.  As these people say, almost all hosting / browsers etc. have supported TLS1.2 for years already and, even more importantly, TLS1.0 and TLS1.1 should have been removed as supported technologies several years ago after they were shown to be massively flawed.  TLS1.3 is in the final stages (of a very long time) before general release, which is a massive leap forward in online security.

Ian


It takes two to tango. Therefore, when the other guy is speaking only TLS1.2, then your server had better be speaking TLS1.2 as well.

In CubeCart admin, PHP Info, at the bottom of the top chart, look in "Registered Stream Socket Transports". Make sure TLS1.2 is listed.

Then, in the CURL table, "SSL Version", make sure you are running OpenSSL v1.0.2+.


  • 3 months later...

Further to this, I received another email this morning stating that the test endpoints are now ready.

 

However, the email also mentions:

As well as removing support for older TLS ciphers, we need to increase the length of the key for ciphers that use Diffie-Hellman keys from 1,024 to 2,048 bits in order to ensure a higher level of cryptographic protection. Merchants will need to ensure their integrations can support this key length. Although we can monitor which TLS ciphers merchants are using, we have no way of knowing who will be able to support the increased DH key length so merchants are strongly advised to use our test endpoint to confirm they can support the increased key length before that time. 

On the 9th May 2018, during our regular maintenance window, we will broadcast for ONE HOUR using an increased Diffie-Hellman 2,048-bit key size. This will help us to identify merchants who are not compliant, and proactively allow us to notify you ahead of the full switch-over on 6th June. 

 

Is this going to affect the gateway module at all?

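The two checks raised in this thread (reading "Registered Stream Socket Transports" and the cURL "SSL Version" off the PHP Info page, and then confirming against the gateway's test endpoint that the 2,048-bit Diffie-Hellman handshake completes) can be done from one small PHP script. The following is an added example written for this page; it is not code from CubeCart, Pay360 or any poster here. `GATEWAY_TEST_URL` is a placeholder assumption: the real test endpoint address is in the gateway's email, not on this page.

```php
<?php
// Added example, not part of the forum thread, CubeCart or Pay360.
// Checks (a) whether this PHP/cURL/OpenSSL stack can speak TLS 1.2 and
// (b) whether a TLS 1.2-only handshake to a test endpoint succeeds.

// ASSUMPTION / PLACEHOLDER: replace with the gateway's published test endpoint.
const GATEWAY_TEST_URL = 'https://PLACEHOLDER.example/';

/** Static capability check: the same facts the post reads off phpinfo(). */
function tlsCapabilities(): array
{
    $transports = stream_get_transports();
    $curl = function_exists('curl_version') ? curl_version() : ['ssl_version' => 'n/a'];

    return [
        // phpinfo() "Registered Stream Socket Transports" must include tlsv1.2
        'stream_tls12'     => in_array('tlsv1.2', $transports, true),
        // phpinfo() cURL table "SSL Version", e.g. "OpenSSL/1.0.2g"
        'curl_ssl_version' => $curl['ssl_version'],
        // the openssl extension's own build string, e.g. "OpenSSL 1.0.2g  1 Mar 2016"
        'openssl_text'     => defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : 'n/a',
        // 0x10002000 encodes OpenSSL 1.0.2, the minimum the post asks for
        'openssl_102_plus' => defined('OPENSSL_VERSION_NUMBER') && OPENSSL_VERSION_NUMBER >= 0x10002000,
    ];
}

/** Active check: force TLS 1.2 (no fallback to 1.0/1.1) and see whether the handshake completes. */
function probeTls12(string $url): array
{
    $ch  = curl_init($url);
    $log = fopen('php://temp', 'w+');   // capture cURL's verbose handshake trace
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true,                    // handshake plus headers is enough
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // exactly what the gateway will enforce
        CURLOPT_SSL_VERIFYPEER => true,                    // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
    ]);
    curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $http  = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    rewind($log);
    $trace = stream_get_contents($log);
    fclose($log);
    // cURL's trace contains e.g. "SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384"
    $negotiated = preg_match('/SSL connection using (.+)/', $trace, $m) ? trim($m[1]) : null;

    return [
        'handshake_ok' => $errno === 0,
        'http_code'    => $http,
        'negotiated'   => $negotiated,
        'error'        => $errno === 0 ? null : "($errno) $error",
    ];
}

foreach (tlsCapabilities() as $name => $value) {
    printf("%-18s %s\n", $name, is_bool($value) ? ($value ? 'yes' : 'NO') : $value);
}
print_r(probeTls12(GATEWAY_TEST_URL));
```

Run it from the command line on the same PHP build that serves the store (`php tls12check.php`), since a CLI php.ini can differ from the web server's. A `NO` for `stream_tls12` or `openssl_102_plus` means the host needs a PHP/OpenSSL upgrade regardless of what the gateway does; a failed `handshake_ok` against the test endpoint, with the static checks passing, is the signal that the ephemeral Diffie-Hellman change itself is the problem. The `negotiated` line is also the quickest way to show a host which cipher suite was actually used.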
