Make UPS and FedEx rating service requests to use TLS 1.2?

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Make UPS and FedEx rating service requests to use TLS 1.2?

Post by jguengerich » Tue Sep 29, 2015 7:14 am

I would like to make the requests for rates that are sent to UPS and FedEx use TLS 1.2. However, if I disable TLS 1.0 client in the registry of the server (HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client), I get the following error for each rate:
System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
I found what might be a solution, except that it requires .NET 4.5: use

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
I haven't tested that yet because I didn't want to spend a bunch of time installing .NET 4.5 on my test server, then testing to see if AC would run on it, only to find out it doesn't work.
Has anyone successfully forced their AC Gold site to use TLS 1.2 when retrieving rates from UPS and FedEx?
Jay

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by Shopping Cart Admin » Tue Sep 29, 2015 9:08 am

Hello Jay,

There is absolutely zero reason for this change as it has nothing to do with credit cards, the TLS 1.0 exploit is so obscure that no one has found any actual threats to using it. It's all lab theory. TLS 1.0 is still fine even for credit cards late into 2016. Wasn't until the 15th of this month you could even disable TLS 1.0 without killing your remote access software on the server. I wouldn't consider disabling TLS 1.0 TO your server until the very minute as it will stop older browsers and devices from being able to shop your store.

You don't mention what version of AbleCommerce GOLD you're running, but .NET 4.5 is directly supported in R8 and above. But since 4.5 is still 4.0 in IIS, you can install it and use it with older versions of Gold with the existing web.config; it will continue to run in 4.0 mode.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by jguengerich » Tue Sep 29, 2015 9:45 am

I didn't think I was implying it was needed, and I know it doesn't involve credit card information. I'm interested if it is possible. UPS indicates that they support TLS 1.2, so I'm trying to figure out if I can make it work in AC.

Thanks for the info on R8 and 4.5, I did go back and look over the change notes after I posted the question and saw it mentioned, but hadn't got around to editing my post yet.
Jay

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by jguengerich » Tue Oct 06, 2015 6:52 am

OK, this is weird, I just got this email from UPS:
Security Upgrade Required for UPS® Developer Kit APIs

Action is Required

UPS is in the process of upgrading communication security protocols for all web-based applications, including UPS Developer Kit Application Programming Interfaces (APIs), which are used to integrate UPS functionality into your website and applications.

Effective May 31, 2016, UPS will require the TLS 1.2 security protocol. After that date, any communication requests submitted to UPS using older protocols (TLS 1.1 or earlier) will fail.
No, I didn't have advance warning from UPS :). I was guessing that it might eventually happen, though, and I wanted to be prepared so I wouldn't have to scramble at the last minute.

So, back to my original question, does anyone have any information on how to make an AC GOLD site use TLS 1.2 to query UPS rates?

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by Katie » Wed Oct 07, 2015 4:09 am

Hi Jay,

It has always been my understanding that AbleCommerce doesn't care anything about the SSL protocols. This is a communication between two servers and our software is not involved. I am linking another discussion -

viewtopic.php?f=65&t=18172

Please see the last post by Neal.
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by NC Software » Wed Oct 07, 2015 6:34 am

I don't know the code AC GOLD is using as there is code that could force the SSL connection params but I highly doubt AC is using it. The handshake is typically between the receiver (UPS side) and the caller based on how the receiver answers. So again, it is possible in .NET to force to a specific protocol but I doubt that is being done.
Neal Culiner
NC Software, Inc.

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by jguengerich » Wed Oct 07, 2015 7:06 am

I didn't think it would be specific to AC GOLD either, but as I mentioned in my original post, if I configure the server's TLS client settings to only use TLS 1.2, shipping rate requests do not connect to UPS. Anyone else have time to try disabling TLS 1.0/1.1 and see if they can successfully retrieve shipping rate requests?
For comparison, my server is Windows 2008 R2 / IIS 7.5 / .NET 4
Jay

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by NC Software » Wed Oct 07, 2015 7:14 am

Sorry Jay, I didn't read the full post this time, just reviewing latest activity. With all due respect "don't do that" :) Let the server do its thing, if you want to make the changes per Microsoft for the POODLE issue that's good but let the server do its job but what you do with your server is entirely up to you, of course. Just my $.02 here.
Neal Culiner
NC Software, Inc.

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by jguengerich » Wed Oct 07, 2015 7:23 am

Neal,

I'm trying to make sure requests sent to UPS work with TLS 1.2, so at the end of May I don't suddenly have a problem that I can't fix. Disabling TLS 1.0 and 1.1 on the server was the only way I could think of to force it to use TLS 1.2 when contacting UPS.
Jay

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by NC Software » Wed Oct 07, 2015 7:33 am

jguengerich wrote: Neal,

I'm trying to make sure requests sent to UPS work with TLS 1.2, so at the end of May I don't suddenly have a problem that I can't fix. Disabling TLS 1.0 and 1.1 on the server was the only way I could think of to force it to use TLS 1.2 when contacting UPS.
I don't believe that is correct. Turning OFF protocols doesn't force a protocol to be used. You can have 200 protocols available for your server to communicate with my server, however, if my server only accepts TLS 1.2 then that is how your server will connect with mine. I suggest posting your question to http://serverfault.com

What UPS and others are telling you is make sure your SSL Certificates are compatible and keyed properly I believe.
Neal Culiner
NC Software, Inc.

jguengerich
Commodore (COMO)
Posts: 436
Joined: Tue May 07, 2013 1:59 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by jguengerich » Tue Oct 13, 2015 8:52 am

Here is what I have discovered so far.

Initial server setup:
Server: Windows 2008 R2
IIS: 7.5
.NET: 4.0
AbleCommerce GOLD: R5 (WSP) with modifications

Using WireShark, I could see that the calls to UPS and FedEx were using TLS 1.0.
Disabled TLS 1.0 client in the Windows registry: connection attempts failed.
Installed .NET 4.5.2 on server (TLS 1.0 client still disabled in registry): connection attempts failed.
Added this code in Application_Start in Global.asax (TLS 1.0 client still disabled in registry, .NET 4.5.2 still installed):

System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;    //in .NET 4.5, this is System.Net.SecurityProtocolType.Tls12;
Now rates are returned (UPS and FedEx), Wireshark shows TLS 1.2.
Note that I did not change the target of the AC project to .NET 4.5. Therefore, I had to cast the correct value to System.Net.SecurityProtocolType instead of using the constant System.Net.SecurityProtocolType.Tls12, which isn't defined in .NET 4.0.

I don't know what the results would be with Windows Server 2012+, IIS 8+, AC Gold R6+ unmodified install, etc.

EDIT: added clarification that changes were carried through at each step, specified where in Global.asax I added code.
Jay
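As an added example (not AbleCommerce's code and not code from anyone in this thread), here is the Global.asax.cs shape of the change described in the post above, for a project that still targets .NET 4.0 on a server where .NET 4.5.2 is installed. It uses the same numeric cast to System.Net.SecurityProtocolType (3072 is Tls12; 768 is Tls11) and adds two checks a practitioner would want: confirmation that the runtime actually accepted the value, and a startup probe so a "do not possess a common algorithm" handshake failure shows up in the log at deploy time rather than when a customer asks for rates. The class names TlsPolicy, Apply and Probe and the probe URL are assumptions; the URL is a placeholder to be replaced with the carrier's real rating endpoint.

```csharp
// Added example (not AbleCommerce code): Global.asax.cs for a site that targets .NET 4.0
// but runs on a server with .NET 4.5.2 installed, as in the setup described in the thread.
using System;
using System.ComponentModel;
using System.Net;
using System.Web;

public static class TlsPolicy
{
    // Numeric values of System.Net.SecurityProtocolType members that a 4.0 target
    // cannot name: Tls12 = 3072, Tls11 = 768 (Tls = 192 is TLS 1.0).
    public const int Tls12 = 3072;
    public const int Tls11 = 768;

    // Pins outbound HTTPS for this process to TLS 1.2 (or 1.2 with a 1.1 fallback).
    // Returns false when the installed runtime does not know the value, which is the
    // case on a server with only .NET 4.0 (the setter throws NotSupportedException).
    public static bool Apply(bool strictTls12)
    {
        var wanted = strictTls12
            ? (SecurityProtocolType)Tls12
            : (SecurityProtocolType)(Tls12 | Tls11);
        try
        {
            ServicePointManager.SecurityProtocol = wanted;
        }
        catch (NotSupportedException)
        {
            return false;
        }
        return ServicePointManager.SecurityProtocol == wanted;
    }

    // Startup probe: a bare HTTPS request to the rating endpoint. Returns null when the
    // TLS handshake succeeded, otherwise a one-line description of the failure.
    public static string Probe(string url)
    {
        try
        {
            var request = (HttpWebRequest)WebRequest.Create(url);
            request.Method = "HEAD";
            request.Timeout = 10000;
            using (request.GetResponse()) { }
            return null;
        }
        catch (WebException ex)
        {
            // "The client and server cannot communicate, because they do not possess a
            // common algorithm" arrives as a Win32Exception inside the WebException.
            var inner = ex.InnerException as Win32Exception;
            if (inner != null)
                return "TLS handshake failed: " + inner.Message;
            // A non-2xx status (e.g. 405 for HEAD) still proves the handshake succeeded.
            if (ex.Status == WebExceptionStatus.ProtocolError)
                return null;
            return "request failed: " + ex.Message;
        }
    }
}

public class Global : HttpApplication
{
    protected void Application_Start(object sender, EventArgs e)
    {
        // Strict: offer TLS 1.2 only, so the carrier's cutoff cannot surprise us later.
        if (!TlsPolicy.Apply(strictTls12: true))
            throw new InvalidOperationException(
                "Runtime does not support TLS 1.2; install .NET 4.5 or later on the server.");

        // Placeholder endpoint; substitute the carrier's real rating URL from its documentation.
        string problem = TlsPolicy.Probe("https://rating.example.invalid/");
        if (problem != null)
            System.Diagnostics.Trace.TraceError("Carrier TLS probe: " + problem);
    }
}
```

Setting the value strictly to Tls12 is what makes the Wireshark check in the post meaningful: with TLS 1.0 and 1.2 both offered, the server chooses, so a capture only tells you what that server prefers today. Passing strictTls12: false keeps a TLS 1.1 fallback for any other outbound endpoint the site talks to that has not yet moved.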

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: Make UPS and FedEx rating service requests to use TLS 1.2?

Post by NC Software » Wed Oct 14, 2015 12:32 pm

Again - not an expert here but just stating my theory. If UPS right now is accepting TLS 1.0 and you can handshake with it then it will connect. When UPS restricts to TLS 1.2 then you will handshake with that and connect as such. Just like SSL, I bet most here don't even realize there is SSL 1, 2, and 3 variants because we don't have to. Or at least didn't until POODLE made people realize the differences.
Neal Culiner
NC Software, Inc.
