Authorize.Net TLS 1.2 Requirements
Posted: Mon Sep 25, 2017 11:01 pm
by AbleMods
As you probably know, AuthNet is forcing TLS 1.2 early next year. Currently the Sandbox API is already forcing TLS 1.2 so implementations can be tested ahead of time.
After disabling TLS 1.0 on the web server and rebooting, I was still not able to connect a Gold R12 store to the sandbox. I had to modify the AuthNetCIM provider to force TLS 1.2 using:
Code:
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // .NET 4.5
Has this been addressed by Able developers? Can someone else confirm this is the expected behavior and the correct solution?
Re: Authorize.Net TLS 1.2 Requirements
Posted: Mon Sep 25, 2017 11:36 pm
by AbleMods
UPDATE:
What about shipping gateways like UPS or FedEx? Does the Able code support disabling TLS 1.0? Has that been tested?
Re: Authorize.Net TLS 1.2 Requirements
Posted: Tue Sep 26, 2017 1:33 am
by jguengerich
I have the same line in Global.asax as you posted, and I have completely disabled the SSL 3, TLS 1.0 and TLS 1.1 clients on my web server via the registry. UPS and FedEx quotes work fine. Can't comment on other shipping providers, those are the only ones I use.
EDIT: As mentioned in another thread, this also requires the SQL Server the site is using to be at a version and/or SP that supports TLS 1.2.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Tue Sep 26, 2017 1:43 am
by AbleMods
jguengerich wrote:I have the same line in Global.asax as you posted
Hold the phone. You can just slap that in Global.asax? You don't have to modify/recompile each of the individual gateway class libraries??
Re: Authorize.Net TLS 1.2 Requirements
Posted: Tue Sep 26, 2017 1:57 am
by jguengerich
Global.asax is the only place I have it. I have recompiled the CyberSource gateway library for other reasons, but I didn't add it there and it works. Same with FedEx. Not sure how the fact that I disabled SSL / TLS < 1.2 client on the server affects this though.
EDIT: In Global.asax, I put it at the end of the Application_Start function.
Code:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
Re: Authorize.Net TLS 1.2 Requirements
Posted: Tue Sep 26, 2017 2:05 am
by jguengerich
The more I think about it, I added that line in Global.asax before I disabled the lower versions of TLS on the server. Now that I've done that, I might not even need that line in Global.asax, because TLS 1.2 is the only option it has left based on the server configuration. Don't have time to test it though. "If it ain't broke, don't fix it."

Re: Authorize.Net TLS 1.2 Requirements
Posted: Tue Sep 26, 2017 10:48 pm
by AbleMods
When I tried disabling TLS 1.0 and 1.1, AuthNet, UPS and FedEx all started failing to communicate.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 2:00 am
by jguengerich
Did you restart the server (or at least IIS) after changing global.asax?
I did also mess with the cipher suites in the registry, but I'm pretty sure that was only to remove old ones that were less secure, not add anything new. Maybe I changed the order, though. Sorry, I should keep better notes.
Here's my relevant registry entries, if it helps. This is on Windows Server 2008 R2 Standard.
Code:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\CipherSuites]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:ffffffff
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]
"Functions"="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA"
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 2:21 am
by AbleMods
Yeah, restarting is required for any of these changes.
This is a Server 2012 R2 box. We've been using IISCrypto to make the changes, quite handy.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 2:40 am
by jguengerich
I used IIS Crypto too, but I think at some point there was something that I couldn't specify correctly in whatever version of it was current at the time. I don't remember what it was though - my lack of good notes rears its head again.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 2:52 am
by jguengerich
I just noticed in the registry entries I posted that TLS 1.0 client is still enabled. I thought I had disabled everything except 1.2. I guess I have some more testing to do. I will update here if I get it to work w/o TLS 1.0 client enabled.
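An added example, not part of any post in this thread: a small parser that audits `.reg` text like the export posted above and lists every SCHANNEL protocol side, other than TLS 1.2, that is not switched off. The function names (`parse_protocols`, `state`, `audit`), the state labels and the abridged sample are constructed for illustration; the sample reuses the Protocols values from the posted export.

```python
import re

# Constructed sample: abridged .reg text reusing the Protocols values from the
# export posted earlier in this thread.
BASE = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "[" + BASE + r"\TLS 1.0]",
    "[" + BASE + r"\TLS 1.0\Client]",
    '"DisabledByDefault"=dword:00000000', '"Enabled"=dword:ffffffff',
    "[" + BASE + r"\TLS 1.0\Server]",
    '"Enabled"=dword:00000000', '"DisabledByDefault"=dword:00000001',
    "[" + BASE + r"\TLS 1.1\Client]",
    '"DisabledByDefault"=dword:00000001', '"Enabled"=dword:00000000',
    "[" + BASE + r"\TLS 1.2\Client]",
    '"DisabledByDefault"=dword:00000000', '"Enabled"=dword:ffffffff',
    "[" + BASE + r"\TLS 1.2\Server]",
    '"Enabled"=dword:ffffffff', '"DisabledByDefault"=dword:00000000',
])

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
PROTO_RE = re.compile(r"\\SCHANNEL\\Protocols\\([^\\]+)\\(Client|Server)$", re.IGNORECASE)


def parse_protocols(reg_text):
    """Map (protocol, side) -> {value name: int} for SCHANNEL protocol keys."""
    keys, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            # Only ...Protocols/<name>/Client|Server keys carry the settings.
            hit = PROTO_RE.search(key.group(1))
            current = (hit.group(1), hit.group(2).capitalize()) if hit else None
            if current:
                keys.setdefault(current, {})
            continue
        value = VALUE_RE.match(line)
        if value and current:
            keys[current][value.group(1).lower()] = int(value.group(2), 16)
    return keys


def state(values):
    """Classify one key. Assumed semantics: Enabled=0 turns the protocol off;
    DisabledByDefault=1 leaves it usable only by callers that request it."""
    if "enabled" not in values:
        return "os-default"
    if values["enabled"] == 0:
        return "disabled"
    return "opt-in" if values.get("disabledbydefault", 0) else "enabled"


def audit(reg_text, allowed=("TLS 1.2",)):
    """Return sorted (protocol, side, state) rows for every protocol outside
    the allowed set that is not explicitly disabled."""
    rows = []
    for (proto, side), values in parse_protocols(reg_text).items():
        current_state = state(values)
        if proto not in allowed and current_state != "disabled":
            rows.append((proto, side, current_state))
    return sorted(rows)


if __name__ == "__main__":
    for proto, side, current_state in audit(SAMPLE_REG):
        print(f"{proto} {side}: {current_state}")
```

A real regedit export is UTF-16, so read the file with `encoding="utf-16"` before passing its text to `audit`.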
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 3:19 am
by jguengerich
My test environment (my test server communicating with CyberSource, UPS, and FedEx test servers) works OK with just TLS 1.2 enabled in the registry. Probably won't be able to test my production environment until this weekend.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 3:31 am
by AbleMods
Appreciate your updates. This is a challenging scenario which I think will impact a great many systems.
Our mistake has been running the test site on the same physical server as the production site. Makes perfect sense most of the time, until you have to test something like this. Any server-level change impacts both test and production and that's not ideal.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 6:12 am
by sweeperq
Joe,
System.Net.ServicePointManager.SecurityProtocol is indeed an application-wide setting that only needs to be set once. We tackled this issue just recently on AC7 (viewtopic.php?f=42&t=19115). There is source code for a test page on that link that will allow you to see which protocols are working.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Wed Sep 27, 2017 9:43 pm
by jmestep
Joe,
AbleMods wrote:When I tried disabling TLS 1.0 and 1.1, AuthNet, UPS and FedEx all started failing to communicate.
If I remember correctly, we ran into the same problem with UPS or FedEx in the spring. As part of a PayPal TLS 1.2 patch for AC7, I tried putting
Code:
// Enforce the security protocol to TLS 1.2
System.Net.ServicePointManager.SecurityProtocol = (System.Net.SecurityProtocolType)3072;
into the global.asax in addition to changes in the PayPal dll and I ran into the problem. (TLS 1.2 was enabled on the server already.) I never did any more troubleshooting because it wasn't really necessary in this case and I don't manage the servers - I just took the code out.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Thu Sep 28, 2017 2:47 am
by AbleMods
sweeperq wrote:Joe, System.Net.ServicePointManager.SecurityProtocol is indeed an application-wide setting that only needs to be set once. We tackled this issue just recently on AC7 (viewtopic.php?f=42&t=19115). There is source code for a test page on that link that will allow you to see which protocols are working.
*BAM* that's what I was looking for. Thanks so much for the link!
This forum search blows. I specifically searched for 'authorize.net' (search.php?st=0&sk=t&sd=d&keywords=%2Ba ... 65&start=0) and your thread doesn't even come up in the results. Thus why I posted mine. Sorry for the duplication.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Thu Sep 28, 2017 3:01 am
by jguengerich
That's weird, when I click your link I don't see it on the first page of results, but if I type authorize.net in the search box, one of the posts from that thread shows up as the 28th item. I've had problems with search before too; if you only type in 3 characters, you don't get results. Someone pointed me to the search tool at ablecommerce.net.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Thu Sep 28, 2017 3:07 am
by AbleMods
This forum is ancient, really needs replaced. So many technical questions are answered here, the search feature is key to its usefulness beyond simple conversation.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Thu Sep 28, 2017 4:03 am
by compunerdy
Wow, did this post take me down a rabbit hole. I did get my SSL Labs test upgraded to an A though.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Mon Oct 02, 2017 1:54 am
by jguengerich
I had a chance to work on my live site over the weekend. I have just TLS 1.2 in the global.asax file, and now I have only TLS 1.2 Client and Server enabled in the registry. It works fine for CyberSource, UPS, and FedEx. I used Wireshark to verify that it is using TLS 1.2 for all 3. I don't remember having to change anything else, and I don't see anything in my (admittedly limited) notes that indicates I did anything else related to forcing everything to use TLS 1.2. I'm not quite sure how to interpret your response to sweeperq's post. Are you saying that your AuthNet is now connecting with TLS 1.2, and UPS / FedEx are connecting with 1.0 or 1.1? Or are they all using TLS 1.2?
Re: Authorize.Net TLS 1.2 Requirements
Posted: Mon Oct 02, 2017 2:44 am
by AbleMods
jguengerich wrote:I'm not quite sure how to interpret your response to sweeperq's post. Are you saying that your AuthNet is now connecting with TLS 1.2, and UPS / FedEx are connecting with 1.0 or 1.1? Or are they all using TLS 1.2?
When I disabled everything but TLS 1.2 on the server, all the gateways failed to communicate. AuthNet, UPS and FedEx all threw Crypto errors. Turned TLS 1.0 and TLS 1.1 back on, rebooted, everything went back to normal.
That was totally unexpected to me. I figured everything would be fine since TLS 1.2 is going up, not down.
I'm going to give the global.asax change a try this week, probably early tomorrow morning. Will update here with my results.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Mon Oct 02, 2017 5:05 pm
by Naveed
Please check this article on "Enabling Support for TLS 1.2" for AbleCommerce (all versions):
http://help.ablecommerce.com/faqs/ablec ... ls_1.2.htm
Re: Authorize.Net TLS 1.2 Requirements
Posted: Tue Oct 03, 2017 12:39 am
by AbleMods
Thanks Naveed, that's a good document.
I went the route of updating Global.asax this morning and updated both framework references to 4.6. Disabled TLS 1.0 and 1.1 using IISCrypto and restarted the server.
The site came back up just fine. I tested AuthNet with live information and it processed correctly. Also tested shipping gateways, no problems or error log messages there.
I think we are ok at this point. Will continue to monitor throughout the day. Still no idea why integrated carriers failed last time I did this...maybe it was just a fluke.
Re: Authorize.Net TLS 1.2 Requirements
Posted: Thu Oct 05, 2017 3:55 am
by compunerdy
I did the global.asax to force TLS 1.2, but when I disabled 1.0 and 1.1 and rebooted, the site would not come up.
This is the only error I saw in Event Viewer:
Code:
Exception information:
Exception type: SqlException
Exception message: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The client and server cannot communicate, because they do not possess a common algorithm.)
at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)
at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)
at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
at System.Data.SqlClient.SqlConnection.Open()
at NHibernate.Connection.DriverConnectionProvider.GetConnection()
at NHibernate.Tool.hbm2ddl.SuppliedConnectionProviderConnectionHelper.Prepare()
at NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.GetReservedWords(Dialect dialect, IConnectionHelper connectionHelper)
at NHibernate.Tool.hbm2ddl.SchemaMetadataUpdater.Update(ISessionFactory sessionFactory)
at NHibernate.Impl.SessionFactoryImpl..ctor(Configuration cfg, IMapping mapping, Settings settings, EventListeners listeners)
at NHibernate.Cfg.Configuration.BuildSessionFactory()
at CommerceBuilder.Common.DatabaseConfiguration.get_SessionFactory()
at CommerceBuilder.Common.DatabaseSessionManager.GetSession()
at CommerceBuilder.DomainModel.NHibernateHelper.QueryOver[T]()
at CommerceBuilder.Services.StoreLocator.LocateCurrent()
at CommerceBuilder.Common.AbleContext.get_Store()
at CommerceBuilder.UI.AbleCommercePage.InitializeTheme()
at System.Web.UI.Page.OnPreInit(EventArgs e)
at System.Web.UI.Page.PerformPreInit()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
The client and server cannot communicate, because they do not possess a common algorithm
Re: Authorize.Net TLS 1.2 Requirements
Posted: Thu Oct 05, 2017 4:01 am
by jguengerich
If you disable TLS 1.0 and 1.1 Clients in the registry, your SQL server will have to support TLS 1.2.
See Microsoft's info here:
https://support.microsoft.com/en-us/hel ... sql-server
On another thread, Katie said she would add the SQL info to the help page for TLS 1.2 referenced in an earlier post in this thread, but it doesn't look like that has been done yet.
EDIT: clarified with "Clients" in the first sentence.