TLS 1.2 And VPCart
WHAT IS TLS 1.2 ?
The latest revision of the PCI Security Standards Council policy, PCI-DSS 3.1, establishes a new baseline for strong cryptography, specifically TLS, which is required to secure payment card related traffic.
This change must be adopted by sites which handle payment card data no later than 30 June 2016 (the PCI Council has extended this to 30 June 2018). According to the PCI Council FAQ, "The successor protocol to SSL is TLS (Transport Layer Security) and its most current version as of this publication is TLS 1.2," and "TLS 1.2 currently meets the PCI SSC definition of 'strong cryptography'." While PCI is specific to payment card information, the PCI guidelines are also used by sites in general for security guidance.
The TLS 1.2 protocol was defined in RFC 5246 in August of 2008. Based on TLS 1.1, TLS 1.2 offers improved flexibility. The major differences include:
- The MD5/SHA-1 combination in the pseudorandom function (PRF) was replaced with cipher-suite-specified PRFs.
- The MD5/SHA-1 combination in the digitally-signed element was replaced with a single hash. Signed elements include a field explicitly specifying the hash algorithm used.
- There was substantial cleanup to the client's and server's ability to specify which hash and signature algorithms they will accept.
- Addition of support for authenticated encryption with additional data modes.
- TLS Extensions definition and AES Cipher Suites were merged in.
- Tighter checking of EncryptedPreMasterSecret version numbers.
- Many of the requirements were tightened.
- Verify_data length depends on the cipher suite.
- Description of Bleichenbacher/Klima attack defenses cleaned up.
Given the attacks on cipher block chaining (CBC) and RC4, websites are encouraged to enable TLS 1.2 as well. The benefit is that TLS 1.2 adds support for authenticated encryption through AES-GCM cipher suites, which are not prone to these attacks.
WHAT DO YOU NEED TO DO ?
1. Ensure that the server where your site is hosted runs Windows 2008 R2 or higher and has TLS 1.2 enabled.
2. Update the VPCart Software
3. Ensure that the integrated Shipping Interfaces and Payment Gateway Modules are updated with the latest versions. For this, you may download the respective modules/add-ons and upload the files.
A) HOSTING SERVER
1. If you are hosting your site with VPCart Hosting, there is nothing to worry about, as all our servers are up to date with the latest security patches and are TLS 1.2 ready.
2. If you are hosting your site elsewhere, you will need to ensure that you are on a Windows 2008 R2 Server or higher and TLS 1.2 has been enabled on the server where your site is being hosted. You may read our article on "How To Enable TLS 1.2 For Your Server?"
B) UPDATING THE VPCART SOFTWARE
1. If your site is using the latest VPCart Version 8.1 or higher, you don't have to worry about anything as our latest software is fully TLS 1.2 ready.
2. If your site is using VPCart Version 8.0.xx or below, you may read the article "Upcoming PCI Changes Require Store Updates To Be Applied" for the steps that need to be undertaken.
C) UPDATING THE ADD-ONS, SHIPPING INTERFACES, AND PAYMENT GATEWAYS
The following add-ons, shipping interfaces, and payment gateways need to be updated with the latest package (which is TLS 1.2 ready) from our repository.
a) Currency Converter
b) Newsletter module
c) TaxCloud module
d) Temando module
e) UK Post Code Lookup
f) UPS realtime
g) US Postal realtime
h) Fedex realtime
i) Australia Post realtime
j) Canada Post realtime
Some of the gateway modules:
k) Authorize Net AIM gateway
l) eWAY Shared Payment gateway
m) eWay Rapid 3.1 Integrated Payment
n) eWay Hosted Payment for NZ/UK
o) Quickbooks gateway
For VPCart Version 9.xx –
a) https://www.vpcart.com/sales/addons900.asp (Shipping Interfaces)
b) https://www.vpcart.com/sales/epdownload900.asp (Payment Gateways)
For VPCart Version 8.xx –
a) http://www.vpasp.com/sales/addons800.asp (Shipping Interfaces)
b) http://www.vpasp.com/sales/epdownload800.asp (Payment Gateways)
For VP-ASP Software Version 7.xx –
a) http://www.vpasp.com/sales/addons700.asp (Shipping Interfaces)
b) http://www.vpasp.com/sales/epdownload700.asp (Payment Gateways)
HOW TO KNOW IF MY BROWSER AND SITE SUPPORT TLS 1.2 ?
Go to How's My SSL and it will tell you how well your browser is doing and which version of TLS it supports. If your browser does not support TLS 1.2, then this is probably a configuration setting you can turn on.
As for your website, you may go to the SSL Labs TLS Checker. This site will give you a grade for your website and will tell you which versions of TLS you support. If you do not support TLS 1.2, your site will not get an A grading. If you do support SSL 2.0, then your site will get an F grading. With users performing these checks, website owners will be encouraged to support the right levels of SSL/TLS protocol.
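The same check can be run from your own machine. The Python script below is an added example, not part of VPCart or of the tools named above: it attempts a handshake that offers TLS 1.2 only and reports whether the negotiated cipher suite is authenticated encryption (AEAD, such as AES-GCM) or CBC. The function names are hypothetical, and the host you pass on the command line is assumed to be your own store.

```python
import socket
import ssl

def tls12_only_context():
    """Client context that verifies certificates and offers TLS 1.2 only."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def cipher_mode(openssl_name):
    """Classify an OpenSSL cipher-suite name by how it protects records."""
    name = openssl_name.upper()
    if "NULL" in name:
        return "NONE"
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        return "AEAD"
    if "RC4" in name:
        return "RC4"
    return "CBC"  # remaining TLS 1.2 suites use a block cipher in CBC mode

def check_tls12(host, port=443, timeout=5.0):
    """Attempt a TLS 1.2-only handshake and report the outcome."""
    result = {"host": host, "port": port, "status": None,
              "cipher": None, "mode": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            ctx = tls12_only_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name = tls.cipher()[0]
                result.update(status="tls1.2-ok", cipher=name,
                              mode=cipher_mode(name))
    except ssl.SSLCertVerificationError as exc:
        # TLS 1.2 was negotiated, but the certificate did not validate.
        result.update(status="certificate-invalid", detail=exc.verify_message)
    except ssl.SSLError as exc:
        # Typically means the server refused a TLS 1.2 handshake.
        result.update(status="handshake-failed", detail=exc.reason)
    except OSError as exc:
        # DNS failure, refused connection or timeout: no TLS result at all.
        result.update(status="unreachable", detail=str(exc))
    return result

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:  # e.g. python check_tls12.py shop.example.com
        print(check_tls12(target))
```

A status of "handshake-failed" means the server did not complete a TLS 1.2 handshake with any suite the local OpenSSL offers; "unreachable" says nothing about TLS and should be retried once connectivity is confirmed.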
If you have further questions, you may submit a ticket via HelpDesk.
P.S.: Our TLS 1.2 Modules as well as Shipping Interfaces and Payment Gateway Modules were updated on May 27th, 2016 to work on sites hosted on Windows 2008 Servers. You might need to download and re-upload the respective modules once again for them to work properly on your sites hosted on Windows 2008 Servers.