FAQ: How do I Enable Support for TLS 1.2?


Version: AbleCommerce Gold (all versions)

Last Updated:  11/07/17

What is TLS 1.2?

Secure Socket Layer (SSL) and its successor Transport Layer Security (TLS) are protocols which use cryptographic algorithms to secure the communication between two entities.

SSL was renamed TLS when it was handed over to the IETF in 1999 for standardization as a security protocol layer. After making a few changes to SSL 3.0, the IETF released TLS 1.0.

  • SSL 1.0, 2.0 and 3.0

  • TLS 1.0 (or SSL 3.1, released in 1999)

  • TLS 1.1 (or SSL 3.2, released in 2006)

  • TLS 1.2 (or SSL 3.3, released in 2008)

TLS 1.2 (or SSL 3.3) was defined in RFC 5246 in August 2008 and is the most secure version of the SSL/TLS protocol available. There have been many recent attacks against older versions of TLS/SSL. Now, and during the next year, many service providers and payment systems are requiring TLS 1.2 as the new secure protocol.

New PCI DSS requirements state that all payment systems must disable TLS 1.0 by 2018, but many services have already made changes to stop supporting TLS 1.0 and 1.1. Anything using a TLS version below TLS 1.2 is considered non-secure because these older encryption algorithms are known to be cracked. If you haven't already made plans to upgrade your systems, then it is time to start.


Minimum Requirements to Support SSL/TLS 1.2

Technology is changing and if you are not staying updated, then you could be putting your business at serious risk.  The first thing you will want to do is take a look at the server that is hosting your website.  Are you keeping your operating system and applications updated?  We often hear from businesses running AbleCommerce that they let go of their IT department.  These are the folks that make sure your server is updated and secure.  So, if you don't have anyone who is responsible for the server and your website, it is time to find one.


Windows Operating System

The minimum operating system that will support TLS 1.2 is Windows Server 2008 R2.

Windows Server 2003 and 2008 are no longer supported by Microsoft.  The TLS 1.2 protocol is not available, so if you are still running on a Windows 2003 server, you need to upgrade to a newer server soon.  If you are using Server 2008, then you can upgrade to R2.

For more information, please see: Support for SSL/TLS protocols on Windows


Microsoft Internet Information Server (IIS)

The minimum version of IIS that will support TLS 1.2 is IIS 7.5.

The IIS version is tied to the Windows Server version. You should already be running IIS 7.5 if the server is running Windows Server 2008 R2.

Microsoft SQL Database Server

If you disable TLS 1.0 and 1.1 on the server, and the connection to AbleCommerce fails with an error, then you may need to update your SQL Database Server installation to a Service Pack that supports TLS 1.2.

To find out if you need this update, please see: TLS 1.2 support for Microsoft SQL Server

Microsoft Asp.Net (.NET)

  • .NET 4.6 and above.  You don't need to do any additional work to support TLS 1.2.  It is supported by default.

  • .NET 4.5.  TLS 1.2 is supported, but it's not the default protocol.  A code change is needed in the application's start event.

  • .NET 4.0.  TLS 1.2 is not supported, but if you have .NET 4.5 (or above) installed on the server, then you can force TLS 1.2 even if the application doesn't support it.  However, it requires a different code change in the application's start event.

  • .NET 3.5 or below.  TLS 1.2 is not supported and there is no workaround.  Upgrade your application to the more recent version of the Asp.Net framework.

Additionally, AbleCommerce will require minor code changes to support TLS 1.2.  See the section below for more information.


SSL Certificate, Secure Protocols, and Vulnerability

Qualys SSL Labs provides a free online service that will perform a deep analysis of the configuration of any SSL web server. This is a great place to start to see how your website ranks in terms of SSL quality and whether it is open to attacks.

https://www.ssllabs.com/ssltest/

Simply enter your website name in the form provided and submit.

After a short time, you will see how your site is graded.  A very detailed report will also be provided.  You should strive for an A rating, but don't be too alarmed if your rating is a C or B.  Anything less than this is not good and you should take measures to improve the security of the server.

The main things you should be looking for are:

Signature algorithm = SHA256withRSA

SSL3 = No

SSL2 = No

If you are managing a server and would like an easy way to enable or disable protocols, try using Nartac's IIS Crypto.  It is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows servers.

https://www.nartac.com/Products/IISCrypto/


AbleCommerce PA-DSS Certification and PCI Compliance

Many payment providers are now requiring quarterly scans for PCI compliance.  Tools like IIS Crypto are valuable for making certain that your server is compliant and that you won't be charged excessive fees by your payment provider.

Since 2015, AbleCommerce software has been officially certified by the Payment Counsel Industry (Visa/Mastercard) and is PA-DSS 3.1 certified.

PCI Certified versions:

  • AbleCommerce Gold R10 SR1 (released on 9/21/2015)

  • AbleCommerce Gold R11 and SR1

  • AbleCommerce Gold R12 and SR1

  • AbleCommerce Gold R12 SR2

We continue to recertify each major release of AbleCommerce.


Do I need to change AbleCommerce to support TLS 1.2?

Yes, you may need to make simple code modifications to support TLS 1.2.  Below, find the version of Asp.Net and AbleCommerce you are using and make the following code changes.

Asp.Net 4.6.2 with AbleCommerce Gold R12 SR2

No changes necessary.  This version supports TLS 1.2.


Asp.Net 4.6.2 with AbleCommerce Gold R8 to Gold R12 SR1

  1. Find and open the main web.config file in the root folder.

  2. Search on targetFramework="4.5" and change to targetFramework="4.6"

  3. There will be 2 search and replace instances.  Save.  The application pool will automatically restart.


Asp.Net 4.5 with AbleCommerce Gold R8 to Gold R12 SR1

  1. Find and open the Global.asax file in the root folder.

  2. Locate the following block of code:

    protected void Application_Start(Object sender, EventArgs e)
    {
        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }

  3. Add only the two new lines at the top of the method (the TLS 1.2 comment and the SecurityProtocol assignment), shown in place below:

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Enforce the security protocol to TLS 1.2
        System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;

        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }

 

Asp.Net 4.0 with AbleCommerce Gold R7 and lower

  1. Find and open the Global.asax file in the root folder.

  2. Locate the following block of code:

    protected void Application_Start(Object sender, EventArgs e)
    {
        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }

  3. Add only the two new lines at the top of the method (the TLS 1.2 comment and the SecurityProtocol assignment), shown in place below:

    protected void Application_Start(Object sender, EventArgs e)
    {
        // Enforce the security protocol to TLS 1.2
        System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;

        // launch timer in five minutes, check file age once per minute
        _timer = new System.Threading.Timer(new System.Threading.TimerCallback(AbleCommerce.Code.GoogleFeed.FeedTimerTask), null, 300000, 60000);

        // ENABLE THE MOBILE DETECTION PROVIDER
        System.Web.Configuration.HttpCapabilitiesBase.BrowserCapabilitiesProvider = (System.Web.Configuration.HttpCapabilitiesProvider)AbleContext.Container.Resolve<CommerceBuilder.Services.IMobileDetection>();
    }
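
To check a site against the three procedures above, the following Python audit reads a web.config and a Global.asax and reports which change is still missing, decoding numeric casts such as 3072 into protocol names. It is an added example, not AbleCommerce code: the sample files, function names and finding texts are constructed for illustration, and the flag values are those of .NET's System.Net.SecurityProtocolType enum.

```python
import re
import xml.etree.ElementTree as ET

# Flag values of the .NET System.Net.SecurityProtocolType enum.
FLAGS = {"Ssl3": 48, "Tls": 192, "Tls11": 768, "Tls12": 3072}
ASSIGN = re.compile(r"ServicePointManager\.SecurityProtocol\s*\|?=([^;]+);")
# Constructed sample inputs (assumptions, not taken from a real installation).
WEB_CONFIG = """<configuration><system.web>
  <compilation targetFramework="4.5" /><httpRuntime targetFramework="4.5" />
</system.web></configuration>"""
GLOBAL_ASAX = """protected void Application_Start(Object sender, EventArgs e) {
    // ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
}"""

def target_framework(web_config):
    """Lowest targetFramework value in web.config as a tuple, e.g. (4, 5)."""
    found = [e.get("targetFramework") for e in ET.fromstring(web_config).iter()]
    return min((tuple(int(p) for p in v.split(".")) for v in found if v), default=None)

def assigned_protocols(global_asax):
    """(all protocols set, those set by enum name), or None if never assigned."""
    m = ASSIGN.search(re.sub(r"//[^\n]*", "", global_asax))  # skip commented-out code
    if not m:
        return None
    named = set(re.findall(r"SecurityProtocolType\.(\w+)", m.group(1)))
    # Numeric casts such as (SecurityProtocolType)3072 are decoded bit by bit.
    nums = [int(n) for n in re.findall(r"\)\s*(\d+)", m.group(1))]
    return named | {n for n, v in FLAGS.items() if any((x & v) == v for x in nums)}, named

def audit(web_config, global_asax):
    """Findings for one site; an empty list means no change is needed."""
    version = target_framework(web_config)
    if version is None:
        return ["no targetFramework attribute found in web.config"]
    assigned = assigned_protocols(global_asax)
    if assigned is None:  # 4.6 and above support TLS 1.2 by default
        return [] if version >= (4, 6) else ["add the SecurityProtocol line to Application_Start"]
    names, named = assigned
    findings = []
    if "Tls12" not in names:
        findings.append("SecurityProtocol is assigned without Tls12")
    old = sorted(names & {"Ssl3", "Tls", "Tls11"})
    if old:
        findings.append("older protocols enabled: " + ", ".join(old))
    if version < (4, 5) and "Tls12" in named:
        findings.append("the Tls12 enum name needs .NET 4.5; use the (SecurityProtocolType)3072 cast")
    return findings
if __name__ == "__main__":
    print(audit(WEB_CONFIG, GLOBAL_ASAX))
```

The constructed sample has the assignment commented out, so the audit reports that the SecurityProtocol line still has to be added.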

 

 

 

Copyright © 1994 - 2017 AbleCommerce.com, All rights Reserved

A division of Able Solutions Corporation - Vancouver, WA