
This topic is now archived and is closed to further replies.

gjpinzino

Authorize.net TLS 1.2 Notice


I have a client website running osC 2.3.4 using the osC payment module to access the Authorize.net SIM gateway. The site is running well, but the owner has received a notice that TLS 1.0 and 1.1 will be disabled in a few months, and if the site is not using TLS 1.2 transactions will start failing. Is this a problem? How do I proceed on this issue?


TLS 1.2 is a function of the server's ability. Test the site at https://www.ssllabs.com/ssltest/ and see if it handles TLS 1.2. I use the AIM method of A.net and the current module handles 1.2. If your module is working fine now and the server can do 1.2 you will be fine.


I'm not really a dog.
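
A local counterpart to the SSL Labs test suggested above, added here as an example and not part of the original posts: it attempts one handshake per TLS version and reports which ones the server accepts. The function names and the hostname passed on the command line are assumptions; certificate validation is switched off so that a certificate problem does not hide the protocol result.

```python
import socket
import ssl
import sys

VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def probe_tls_versions(host, port=443, timeout=5.0):
    """Map each version to True (accepted), False (refused) or None (not offerable locally)."""
    results = {}
    for name, version in VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Protocol probe only: no application data is sent, and an expired
        # certificate must not hide which versions the server negotiates.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            # Client-side policy often blocks TLS 1.0/1.1; lower the
            # security level so the probe can still offer them.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = None  # local OpenSSL build cannot offer this version
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except OSError:  # ssl.SSLError and timeouts are OSError subclasses
            results[name] = False
    return results

def supports_tls12(results):
    """True when the server negotiates TLS 1.2 or newer."""
    return bool(results.get("TLSv1.2") or results.get("TLSv1.3"))

def legacy_enabled(results):
    """Accepted versions among TLS 1.0 and 1.1."""
    return [v for v in ("TLSv1", "TLSv1.1") if results.get(v)]

if __name__ == "__main__":
    res = probe_tls_versions(sys.argv[1])  # hostname supplied by the user
    print(res, "TLS 1.2+:", supports_tls12(res), "legacy:", legacy_enabled(res))
```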


I have a client website running osC 2.3.4 using the osC payment module to access the Authorize.net SIM gateway. The site is running well, but the owner has received a notice that TLS 1.0 and 1.1 will be disabled in a few months, and if the site is not using TLS 1.2 transactions will start failing. Is this a problem? How do I proceed on this issue?

I think your client misread the message. The one that was sent out, at least the one I saw, said the test server at authorize.net would not work with the pre-1.2 versions later this year. Most shops go their own lifetime never using the test server so this is not an important announcement, in general. Authorize.net will switch the live server to 1.2 but not for about 13 months. So this is not anything to worry about at this time. Though you should run the test as John mentioned and if your result is not an A then talk to your host about the problems that were found.


@@Jack_mcs

Actually, he is correct, and 1.2 must be in use by Sept 18, 2017.  Below is the email.

 

As you may be aware, new PCI DSS requirements state that all payment systems must disable early TLS by 2018. Transport Layer Security (TLS), is a technology used to encrypt sensitive information sent via the Internet. TLS is the replacement for Secure Sockets Layer (SSL).

In preparation for this requirement, Authorize.Net plans to disable TLS 1.0 and TLS 1.1 on the following dates:

Sandbox: COMPLETE
Production: September 18, 2017


We have disabled the sandbox in advance of production to allow you and your developer time to test your website or payment solution and ensure you are no longer using TLS 1.0 or 1.1 prior to September 18th.

Please contact your web developer or payment solution provider, as well as your web hosting company, to confirm that they can support TLS 1.2 for your API connections.

In addition, we plan to retire the 3DES cipher (a data encryption standard) in production soon. However, the date has not yet been finalized. We will notify you once it has.

Please refer your developer or solution provider to our API Best Practices for cipher recommendations, details about TLS 1.2 platform support, and other integration suggestions.

Note: If you are not using the current version of your web browser, please take a few moments to upgrade it now. Browsers released prior to 2014 may not support TLS 1.2. You can check your browser's TLS support by visiting https://www.howsmyssl.com/.

Thank you for your attention to this matter and for being an Authorize.Net merchant.

Sincerely,
Authorize.Net


I'm not really a dog.


I wonder how many servers are running that don't support TLS 1.2 at this time? PCI was pushing for 1.2 sooner but too many servers didn't support it. I upgraded from a CentOS 6 server to a CentOS 7 in December this last year, but I think CentOS 6 supported 1.2 also. I was forced to switch because Softlayer was ending support for 32 bit servers. cPanel limited 32 bit to WHM 56 also. I was pissed that I only got 90 day notice, but I've gotten way better at upgrading servers since this is the 4th one I have.


I'm not really a dog.


Thank you all for your enlightened responses. I ran the ssltest and the server got a "T" rating. One of its certificates had expired and so the server is not to be trusted. In addition, the only version of TLS it supports is 1.0. I was amazed! The report indicated that even if the certificate were updated, the server would still receive only a "C" rating. I contacted the hosting provider, and the agent said that the server came pre-configured and would not be upgraded. He said I would have to upgrade to a VPS at about 7 times the monthly charge. I checked another server with the same provider and it got an "A", so I know at least some of their servers are compliant. I am now pushing for a migration to a compliant server.

 

Get ready for some headaches in the coming months as the TLS 1.2 standard gets enforced.


@@gjpinzino

You might need to change host, but this shouldn't be a big headache. You have several months and now you know what you need. A server that only supports TLS 1.0 is running an older OS and you will need to move. I think @@Jack_mcs does some hosting and is familiar with osCommerce and A.net, so maybe check him out. Any way you look at it, you will need to move servers. With a little planning, it's not too hard.


I'm not really a dog.


@@John W You are correct.  I misread that email and thought they were only changing the test server for now. Thanks for correcting my mistake.
