Authorize.Net TLS 1.2 Requirements

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.

Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Mon Sep 25, 2017 11:01 pm

As you probably know, AuthNet is forcing TLS 1.2 early next year. Currently the Sandbox API is already forcing TLS 1.2 so implementations can be tested ahead of time.

After disabling TLS 1.0 on the web server and rebooting, I was still not able to connect a Gold R12 store to the sandbox. I had to modify the AuthNetCIM provider to force TLS 1.2 using:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // .NET 4.5
Has this been addressed by Able developers? Can someone else confirm this is the expected behavior and the correct solution?
Joe Payne
AbleCommerce Custom Programming and Modules http://www.AbleMods.com/
AbleCommerce Hosting http://www.AbleModsHosting.com/
Precise Fishing and Hunting Time Tables http://www.Solunar.com


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Mon Sep 25, 2017 11:36 pm

UPDATE:

What about shipping gateways like UPS or FedEx? Does the Able code support disabling TLS 1.0? Has that been tested?
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Tue Sep 26, 2017 1:33 am

I have the same line in Global.asax as you posted, and I have completely disabled the SSL 3, TLS 1.0 and TLS 1.1 clients on my web server via the registry. UPS and FedEx quotes work fine. Can't comment on other shipping providers, those are the only ones I use.

EDIT: As mentioned in another thread, this also requires the SQL Server the site is using to be at a version and/or SP that supports TLS 1.2.
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Tue Sep 26, 2017 1:43 am

jguengerich wrote: I have the same line in Global.asax as you posted
Hold the phone. You can just slap that in Global.asax? You don't have to modify/recompile each of the individual gateway class libraries??
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Tue Sep 26, 2017 1:57 am

Global.asax is the only place I have it. I have recompiled the CyberSource gateway library for other reasons, but I didn't add it there and it works. Same with FedEx. Not sure how the fact that I disabled SSL / TLS < 1.2 client on the server affects this though.

EDIT: In Global.asax, I put it at the end of the Application_Start function.

System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Tue Sep 26, 2017 2:05 am

The more I think about it, I added that line in Global.asax before I disabled the lower versions of TLS on the server. Now that I've done that, I might not even need that line in Global.asax, because TLS 1.2 is the only option it has left based on the server configuration. Don't have time to test it though. "If it ain't broke, don't fix it." :)
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Tue Sep 26, 2017 10:48 pm

When I tried disabling TLS 1.0 and 1.1, AuthNet, UPS and FedEx all started failing to communicate.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Wed Sep 27, 2017 2:00 am

Did you restart the server (or at least IIS) after changing global.asax?

I did also mess with the cipher suites in the registry, but I'm pretty sure that was only to remove old ones that were less secure, not add anything new. Maybe I changed the order, though. Sorry, I should keep better notes :( .

Here are my relevant registry entries, if it helps. This is on Windows Server 2008 R2 Standard.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"

Jay
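Added example (not part of the original posts): a small Python audit of a `.reg` export like the one above, reporting which SCHANNEL protocol/role pairs other than TLS 1.2 are still usable, such as the TLS 1.0 Client key a later reply in this thread notices. The sample export is constructed and abridged, and the function names are hypothetical.

```python
import re

# Constructed sample: an abridged .reg export using the same key paths and value
# names as the export posted above. The TLS 1.1 Client key is altered to carry
# only DisabledByDefault so that case is exercised.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
'''

SECTION = re.compile(r'^\[(.+)\]$')
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
PROTO_KEY = re.compile(r'\\SCHANNEL\\Protocols\\([^\\]+)\\(Client|Server)$', re.I)


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = DWORD.match(line)
        if m and current is not None:
            current[m.group(1)] = int(m.group(2), 16)
    return keys


def protocol_states(keys):
    """Map (protocol, role) to 'disabled', 'not-default', 'os-default' or 'enabled'."""
    states = {}
    for path, values in keys.items():
        m = PROTO_KEY.search(path)
        if not m:
            continue  # parent keys such as ...\Protocols\TLS 1.0 carry no role
        enabled = values.get("Enabled")
        off_by_default = values.get("DisabledByDefault")
        if enabled == 0:
            state = "disabled"      # Schannel refuses this protocol for the role
        elif off_by_default == 1:
            state = "not-default"   # not offered by default, but not switched off
        elif enabled is None and off_by_default is None:
            state = "os-default"    # key present with no values: OS default applies
        else:
            state = "enabled"
        states[(m.group(1), m.group(2))] = state
    return states


def legacy_still_allowed(states, allowed=("TLS 1.2",)):
    """List (protocol, role, state) for anything outside `allowed` that is not disabled."""
    return sorted((p, r, s) for (p, r), s in states.items()
                  if p not in allowed and s != "disabled")


if __name__ == "__main__":
    for proto, role, state in legacy_still_allowed(protocol_states(parse_reg(SAMPLE_REG))):
        print(f"{proto} {role}: {state}")
```

Run it against a full export by passing the file's text to `parse_reg`; an empty result from `legacy_still_allowed` means every listed protocol other than TLS 1.2 has `Enabled` set to 0 for both roles.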


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Wed Sep 27, 2017 2:21 am

Yeah, restarting is required for any of these changes.

This is a Server 2012 R2 box. We've been using IISCrypto to make the changes, quite handy.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Wed Sep 27, 2017 2:40 am

I used IIS Crypto too, but I think at some point there was something that I couldn't specify correctly in whatever version of it was current at the time. I don't remember what it was though - my lack of good notes rears its head again :).
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Wed Sep 27, 2017 2:52 am

I just noticed in the registry entries I posted that TLS 1.0 client is still enabled. I thought I had disabled everything except 1.2. I guess I have some more testing to do. I will update here if I get it to work w/o TLS 1.0 client enabled.
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Wed Sep 27, 2017 3:19 am

My test environment (my test server communicating with CyberSource, UPS, and FedEx test servers) works OK with just TLS 1.2 enabled in the registry. Probably won't be able to test my production environment until this weekend.
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Wed Sep 27, 2017 3:31 am

Appreciate your updates. This is a challenging scenario which I think will impact a great many systems.

Our mistake has been running the test site on the same physical server as the production site. Makes perfect sense most of the time, until you have to test something like this. Any server-level change impacts both test and production and that's not ideal.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by sweeperq » Wed Sep 27, 2017 6:12 am

Joe, System.Net.ServicePointManager.SecurityProtocol is indeed an application-wide setting that only needs to be set once. We tackled this issue just recently on AC7 (viewtopic.php?f=42&t=19115). There is source code for a test page on that link that will allow you to see which protocols are working.


Re: Authorize.Net TLS 1.2 Requirements

Post by jmestep » Wed Sep 27, 2017 9:43 pm

Joe,
AbleMods wrote: When I tried disabling TLS 1.0 and 1.1, AuthNet, UPS and FedEx all started failing to communicate.
If I remember correctly, we ran into the same problem with UPS or FedEx in the spring. As part of a PayPal TLS 1.2 patch for AC7, I tried putting

// Enforce the security protocol to TLS 1.2

    System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;
into the global.asax in addition to changes in the PayPal DLL, and I ran into the problem. (TLS 1.2 was enabled on the server already.) I never did any more troubleshooting because it wasn't really necessary in this case and I don't manage the servers; I just took the code out.
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Thu Sep 28, 2017 2:47 am

sweeperq wrote: Joe, System.Net.ServicePointManager.SecurityProtocol is indeed an application-wide setting that only needs to be set once. We tackled this issue just recently on AC7 (viewtopic.php?f=42&t=19115). There is source code for a test page on that link that will allow you to see which protocols are working.
*BAM* that's what I was looking for. Thanks so much for the link!

This forum search blows. I specifically searched for 'authorize.net' (search.php?st=0&sk=t&sd=d&keywords=%2Ba ... 65&start=0) and your thread doesn't even come up in the results. Thus why I posted mine. Sorry for the duplication.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Thu Sep 28, 2017 3:01 am

AbleMods wrote: This forum search blows. I specifically searched for 'authorize.net' (search.php?st=0&sk=t&sd=d&keywords=%2Ba ... 65&start=0) and your thread doesn't even come up in the results. Thus why I posted mine. Sorry for the duplication.
That's weird, when I click your link I don't see it on the first page of results, but if I type authorize.net in the search box, one of the posts from that thread shows up as the 28th item. I've had problems with search before too; if you only type in 3 characters, you don't get results. Someone pointed me to the search tool at ablecommerce.net.
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Thu Sep 28, 2017 3:07 am

This forum is ancient, really needs replaced. So many technical questions are answered here, the search feature is key to its usefulness beyond simple conversation.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by compunerdy » Thu Sep 28, 2017 4:03 am

Wow, did this post take me down a rabbit hole... I did get my SSL Labs test upgraded to an A though.


Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Mon Oct 02, 2017 1:54 am

I had a chance to work on my live site over the weekend. I have just TLS 1.2 in the global.asax file, and now I have only TLS 1.2 Client and Server enabled in the registry. It works fine for CyberSource, UPS, and FedEx. I used WireShark to verify that it is using TLS 1.2 for all 3. I don't remember having to change anything else, and I don't see anything in my (admittedly limited) notes that indicates I did anything else related to forcing everything to use TLS 1.2. I'm not quite sure how to interpret your response to sweeperq's post. Are you saying that your AuthNet is now connecting with TLS 1.2, and UPS / FedEx are connecting with 1.0 or 1.1? Or are they all using TLS 1.2?
Jay


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Mon Oct 02, 2017 2:44 am

jguengerich wrote: I'm not quite sure how to interpret your response to sweeperq's post. Are you saying that your AuthNet is now connecting with TLS 1.2, and UPS / FedEx are connecting with 1.0 or 1.1? Or are they all using TLS 1.2?
When I disabled everything but TLS 1.2 on the server, all the gateways failed to communicate. AuthNet, UPS and FedEx all threw Crypto errors. Turned TLS 1.0 and TLS 1.1 back on, rebooted, everything went back to normal.

That was totally unexpected to me. I figured everything would be fine since TLS 1.2 is going up, not down.

I'm going to give the global.asax change a try this week, probably early tomorrow morning. Will update here with my results.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by Naveed » Mon Oct 02, 2017 5:05 pm

Please check this article for "Enabling Support for TLS 1.2" for AbleCommerce (all versions):

http://help.ablecommerce.com/faqs/ablec ... ls_1.2.htm


Re: Authorize.Net TLS 1.2 Requirements

Post by AbleMods » Tue Oct 03, 2017 12:39 am

Thanks Naveed, that's a good document.

I went the route of updating Global.asax this morning and updated both framework references to 4.6. Disabled TLS 1.0 and 1.1 using IISCrypto and restarted the server.

The site came back up just fine. I tested AuthNet with live information and it processed correctly. Also tested shipping gateways, no problems or error log messages there.

I think we are ok at this point. Will continue to monitor throughout the day. Still no idea why integrated carriers failed last time I did this...maybe it was just a fluke.
Joe Payne

Re: Authorize.Net TLS 1.2 Requirements

Post by compunerdy » Thu Oct 05, 2017 3:55 am

I did the global.asax to force TLS 1.2, but when I disabled 1.0 and 1.1 and rebooted, the site would not come up.

This is the only error I saw in Event Viewer:

Exception information: 
    Exception type: SqlException 
    Exception message: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The client and server cannot communicate, because they do not possess a common algorithm.)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
   at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
   at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
   at System.Data.SqlClient.SqlConnection.Open()
   at NHibernate.Connection.DriverConnectionProvider.GetConnection()
   at NHibernate.Tool.hbm2ddl.SuppliedConnectionProviderConnectionHelper.Prepare()
   at NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.GetReservedWords(Dialect dialect, IConnectionHelper connectionHelper)
   at NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.Update(ISessionFactory sessionFactory)
   at NHibernate.Impl.SessionFactoryImpl..ctor(Configuration cfg, IMapping mapping, Settings settings, EventListeners listeners)
   at NHibernate.Cfg.Configuration.BuildSessionFactory()
   at CommerceBuilder.Common.DatabaseConfiguration.get_SessionFactory()
   at CommerceBuilder.Common.DatabaseSessionManager.GetSession()
   at CommerceBuilder.DomainModel.NHibernateHelper.QueryOver[T]()
   at CommerceBuilder.Services.StoreLocator.LocateCurrent()
   at CommerceBuilder.Common.AbleContext.get_Store()
   at CommerceBuilder.UI.AbleCommercePage.InitializeTheme()
   at System.Web.UI.Page.OnPreInit(EventArgs e)
   at System.Web.UI.Page.PerformPreInit()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

The client and server cannot communicate, because they do not possess a common algorithm


Re: Authorize.Net TLS 1.2 Requirements

Post by jguengerich » Thu Oct 05, 2017 4:01 am

If you disable TLS 1.0 and 1.1 Clients in the registry, your SQL server will have to support TLS 1.2.

See Microsoft's info here: https://support.microsoft.com/en-us/hel ... sql-server

On another thread, Katie said she would add the SQL info to the help page for TLS 1.2 referenced in an earlier post in this thread, but it doesn't look like that has been done yet.

EDIT: clarified with "Clients" in the first sentence.
Jay
