What is TLS 1.2?
Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) are protocols that use cryptographic algorithms to secure the communication between two entities.

SSL was renamed TLS when it was handed over to the IETF for standardizing the security protocol layer in 1999. After making a few changes to SSL 3.0, the IETF released TLS 1.0.
SSL 1.0, 2.0 and 3.0
TLS 1.0 (or SSL 3.1, released in 1999)
TLS 1.1 (or SSL 3.2, released in 2006)
TLS 1.2 (or SSL 3.3, released in 2008)
TLS 1.2 (or SSL 3.3) was defined in RFC 5246 in August 2008 and is the most secure version of the SSL/TLS protocol available. There have been many recent attacks against older versions of TLS/SSL. Now, and during the next year, many service providers and payment systems are requiring that TLS 1.2 be the new secure protocol.
New PCI DSS requirements state that all payment systems must disable TLS 1.0 by 2018, but many services have already made changes to stop supporting TLS 1.0 and 1.1. Anything using a TLS version below 1.2 is considered insecure, because the weaknesses in these older protocol versions are known to be exploitable. If you haven't already made plans to upgrade your systems, then it is time to start.
Minimum Requirements to Support SSL/TLS 1.2
Technology is changing, and if you are not staying updated you could be putting your business at serious risk. The first thing you will want to do is take a look at the server that is hosting your website. Are you keeping your operating system and applications updated? If not, it is time to make the necessary changes to support the most secure technologies.
Windows Operating System
The minimum operating system that will support TLS 1.2 is Windows Server 2008 R2.

Windows Server 2003 and 2008 are no longer supported by Microsoft, and TLS 1.2 is not available on them. If you are still running on a Windows 2003 server, you need to upgrade to a newer server soon. If you are using Server 2008, then you can upgrade to R2.
For more information, please see: Support for SSL/TLS protocols on Windows
Microsoft Internet Information Server (IIS)
The minimum version of IIS that will support TLS 1.2 is IIS 7.5. The IIS version is tied to the Windows Server version, so you should already be running IIS 7.5 if the server is running Windows Server 2008 R2.
Microsoft SQL Database Server
If you disable TLS 1.0 and 1.1 on the server, and the connection to AbleCommerce fails with an error, you may need to update your SQL Database Server installation to a Service Pack that supports TLS 1.2.

To find out if you need this update, please see: TLS 1.2 support for Microsoft SQL Server
Microsoft ASP.NET (.NET)
.NET 4.6 and above: You don't need to do any additional work to support TLS 1.2. It is supported by default.

.NET 4.5: TLS 1.2 is supported, but it's not the default protocol. A code change is needed in the application's start event.

.NET 4.0: TLS 1.2 is not supported, but if you have .NET 4.5 (or above) installed on the server, then you can force TLS 1.2 even if the application doesn't target it. However, it requires a different code change in the application's start event.

.NET 3.5: TLS 1.2 is supported, but you need to be using the latest patch from Microsoft. Reference: .NET Framework 3.5.1 on Windows 7 SP1 and Server 2008 R2 SP1

.NET 2.0: TLS 1.2 is not supported and there is no workaround.
Additionally, AbleCommerce will require minor code changes to support TLS 1.2. See the section below for more information.
SSL Certificate, Secure Protocols, and Vulnerability
Qualys SSL Labs provides a free online service that will perform a deep analysis of the configuration of any SSL web server. This is a great place to start to see how your website ranks in terms of SSL quality and whether it is open to attacks.

https://www.ssllabs.com/ssltest/
Simply enter your website name in the form provided and submit.

After a short time, you will see how your site is graded. A very detailed report will also be provided. You should strive for an A rating, but don't be too alarmed if your rating is a C or B. Anything less than this is not good, and you should take measures to improve the security of the server.
The main things you should be looking for are:

Signature algorithm = SHA256withRSA
SSL3 = No
SSL2 = No
If you are managing a server and would like an easy way to enable or disable protocols, try using Nartac's IIS Crypto. It is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows servers.

https://www.nartac.com/Products/IISCrypto/
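As an added example (not code from this article or from AbleCommerce), the following C# console program reads the server-side SCHANNEL registry settings that tools such as IIS Crypto edit, reports which protocols are explicitly enabled or disabled, and checks the result against the SSL2 = No / SSL3 = No items above. The registry path and the Enabled and DisabledByDefault value names are the standard Windows SCHANNEL settings; the class and method names are mine. A protocol whose key is absent runs at the Windows default, which differs between Windows versions, so the check only passes when SSL 2.0 and SSL 3.0 are explicitly disabled.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Win32;

// Added example (not AbleCommerce code): audit the server-side SCHANNEL
// protocol keys on a Windows server.
public static class SchannelAudit
{
    // Each protocol has a "Server" subkey under this path holding the DWORD
    // values "Enabled" and "DisabledByDefault".
    const string ProtocolsPath =
        @"SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols";

    static readonly string[] Protocols =
        { "SSL 2.0", "SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2" };

    // Returns "enabled", "disabled" or "default (key absent)" per protocol.
    public static IDictionary<string, string> ServerProtocolState()
    {
        var result = new Dictionary<string, string>();
        using (var root = Registry.LocalMachine.OpenSubKey(ProtocolsPath))
        {
            foreach (var name in Protocols)
            {
                RegistryKey key = root == null ? null : root.OpenSubKey(name + @"\Server");
                if (key == null)
                {
                    // No explicit setting: the OS default for this Windows version applies.
                    result[name] = "default (key absent)";
                    continue;
                }
                using (key)
                {
                    object enabled = key.GetValue("Enabled");
                    object disabledByDefault = key.GetValue("DisabledByDefault");
                    // Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off
                    // unless an application asks for it. Enabled=0xFFFFFFFF reads back as -1.
                    bool isOff = (enabled != null && Convert.ToInt32(enabled) == 0)
                              || (disabledByDefault != null && Convert.ToInt32(disabledByDefault) != 0);
                    result[name] = isOff ? "disabled" : "enabled";
                }
            }
        }
        return result;
    }

    // Mirrors the checklist: SSL 2.0 and SSL 3.0 explicitly off, TLS 1.2 not off.
    public static bool MeetsChecklist(IDictionary<string, string> state)
    {
        return state["SSL 2.0"] == "disabled"
            && state["SSL 3.0"] == "disabled"
            && state["TLS 1.2"] != "disabled";
    }

    public static void Main()
    {
        var state = ServerProtocolState();
        foreach (var kv in state)
            Console.WriteLine("{0,-8} {1}", kv.Key, kv.Value);
        Console.WriteLine(MeetsChecklist(state)
            ? "PASS"
            : "FAIL: SSL 2.0/3.0 not explicitly disabled, or TLS 1.2 disabled");
    }
}
```

Run it on the web server itself (the keys are machine-local). A PASS here only covers the protocol switches; the signature algorithm item in the checklist is a property of the certificate, which the SSL Labs report shows directly.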
AbleCommerce PA-DSS Certification and PCI Compliance
Many payment providers are now requiring quarterly scans for PCI compliance. Tools like IIS Crypto are valuable for making certain that your server is compliant and that you won't be charged excessive fees by your payment provider.
Since 2015, AbleCommerce software has been officially certified by the Payment Card Industry (PCI) Security Standards Council (Visa/Mastercard) and is PA-DSS 3.1 certified.
PCI Certified versions:

AbleCommerce Gold R10 SR1 (released on 9/21/2015)
AbleCommerce Gold R11 and SR1
AbleCommerce Gold R12 and SR1
AbleCommerce Gold R12 SR2
We continue to recertify each major release of AbleCommerce.
Do I need to change AbleCommerce to support TLS 1.2?
Yes, for almost all versions. Even if your server only supports TLS 1.2, you will still need to force AbleCommerce to use TLS 1.2 by making a few simple code modifications. Below, find the version of ASP.NET and AbleCommerce you are using and make the following code changes.
ASP.NET 4.6.2 with AbleCommerce Gold R12 SR2

No changes necessary. This version supports TLS 1.2.
ASP.NET 4.6.2 with AbleCommerce versions Gold R8 through Gold R12 SR1

Find and open the main web.config file in the root folder.

Search for targetFramework="4.5" and change it to targetFramework="4.6". There will be 2 search-and-replace instances.

Save. The application pool will automatically restart.
ASP.NET 4.5 with AbleCommerce versions Gold R8 through Gold R12 SR1

Find and open the Global.asax file in the root folder.

Locate the following block of code:
    protected void Application_Start(Object sender, EventArgs e)
    {
        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }
Add only the two new lines at the top of the method (the comment and the SecurityProtocol assignment); the rest of the block is the existing code, shown for context:

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Enforce the security protocol to TLS 1.2
        System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }
ASP.NET 4.0 with AbleCommerce versions Gold through Gold R7
Find and open the Global.asax file in the root folder.

Locate the following block of code:
    protected void Application_Start(Object sender, EventArgs e)
    {
        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }
Add only the two new lines at the top of the method (the comment and the SecurityProtocol assignment); the rest of the block is the existing code, shown for context. The numeric value 3072 is SecurityProtocolType.Tls12, written as a cast because the .NET 4.0 enum has no Tls12 member:

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Enforce the security protocol to TLS 1.2
        System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;

        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }
ASP.NET 3.5 with AbleCommerce versions 7.0.3 through 7.0.7
Find and open the Global.asax file in the root folder.

Before the closing </script> tag, add the following block of code (the whole block is new):

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Enforce the security protocol to TLS 1.2 (3072 is SecurityProtocolType.Tls12)
        System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;
    }
ASP.NET 3.5 with AbleCommerce version 7.0.2

Although this is not officially supported, we are currently checking with our development team to see if we can provide a work-around soon.
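The version-specific snippets above all reduce to one assignment. As an added example (not AbleCommerce code), here is a helper that wraps that assignment so a single Global.asax line works on .NET 3.5, 4.0 and 4.5+, reports the failure that occurs on a .NET 4.0 server without .NET 4.5 or later installed, and offers a self-check for outbound HTTPS after the change. TlsStartup, EnforceTls12 and CanReach are my names; the URL passed to CanReach is an assumption, whatever HTTPS endpoint you want to confirm, such as your payment gateway's test URL.

```csharp
using System;
using System.Net;

// Added example (not AbleCommerce code): enforce TLS 1.2 from Application_Start
// and verify outbound HTTPS still works afterwards.
public static class TlsStartup
{
    // Numeric value of SecurityProtocolType.Tls12. The cast compiles on frameworks
    // whose enum predates TLS 1.2 (3.5, 4.0), exactly as in the snippets above.
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Forces all outbound HTTPS from this process (payment gateways, web services)
    // to TLS 1.2 only. Returns false when the installed runtime does not recognise
    // the value, which is what happens on .NET 4.0 without 4.5 or later installed.
    public static bool EnforceTls12(Action<string> log)
    {
        try
        {
            ServicePointManager.SecurityProtocol = Tls12;
            log("SecurityProtocol set to " + ServicePointManager.SecurityProtocol);
            return true;
        }
        catch (NotSupportedException ex)
        {
            log("TLS 1.2 is not available in this runtime: " + ex.Message);
            return false;
        }
    }

    // Self-check after the switch: a HEAD request to an HTTPS endpoint you control
    // or your gateway's test URL (assumed). Returns true whenever the TLS handshake
    // succeeded, even if the server answers with a non-2xx status.
    public static bool CanReach(string httpsUrl, Action<string> log)
    {
        try
        {
            var request = (HttpWebRequest)WebRequest.Create(httpsUrl);
            request.Method = "HEAD";
            request.Timeout = 10000;
            using (var response = (HttpWebResponse)request.GetResponse())
            {
                log(httpsUrl + " -> HTTP " + (int)response.StatusCode);
                return true;
            }
        }
        catch (WebException ex)
        {
            // A ProtocolError (e.g. 404) means the handshake worked and the server replied.
            if (ex.Status == WebExceptionStatus.ProtocolError)
            {
                log(httpsUrl + " -> reachable, server replied " + ex.Message);
                return true;
            }
            // Anything else, typically "Could not create SSL/TLS secure channel",
            // means this server and that endpoint no longer share a protocol version.
            log(httpsUrl + " -> " + ex.Status + ": " + ex.Message);
            return false;
        }
    }
}
```

Call TlsStartup.EnforceTls12(msg => System.Diagnostics.Trace.WriteLine(msg)) as the first statement in Application_Start, ahead of the timer and provider setup shown above. The assignment is exclusive: afterwards this process refuses TLS 1.0 and 1.1 for every outbound call, which is the intent here, but any third-party service that has not yet moved to TLS 1.2 will then fail with the secure-channel error, and running CanReach against each such endpoint after deployment is the quickest way to find out.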