
Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

SOLVED


As PCI DSS requirements state that all payment systems must disable early TLS by 2018, Authorize.Net plans to disable TLS 1.0 and TLS 1.1 soon.
What configuration changes are needed to CE 1.9.3.1 to ensure it uses TLS 1.2?


9 REPLIES

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

I was about to post the very same question on this forum.

Also needing to know.

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

Also, need to know what should be done for Magento 1.9.1.1 to update Authorize.net, which supports the latest TLS 1.2.

Can someone reply on this please?

Thanks

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

Just test whether your website is TLS 1.2 compliant at this link:

https://www.ssllabs.com/ssltest/analyze.html

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

It doesn't really have to do with Magento, but rather with Apache/nginx.

 

This may help.

https://serverfault.com/questions/737926/disabling-all-older-versions-of-ssl-in-apache-2-to-force-au...

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

Configuration to secure your SSL

```apache
SSLEngine on
SSLOptions +StrictRequire
SSLProxyEngine on

# Prevent Beast attack
SSLHonorCipherOrder on

# SSL Compression (CRIME attack)
SSLCompression off

# HSTS
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; pr$

# PROTOCOL
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
```

Afterwards, test your SSL security level here: https://www.ssllabs.com/ssltest

Elsner Technologies
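
Added example, not part of the original reply or of Apache itself: a POSIX shell audit that resolves the arguments of an `SSLProtocol` directive by applying its `+`/`-` tokens left to right, then flags any version below TLS 1.2 that is still enabled. The function names and the expansion of `all` are assumptions made for this example; the constructed sample input is the directive from the reply above next to a TLS 1.2-only variant.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: "all" is taken to mean
# TLSv1 TLSv1.1 TLSv1.2; the real expansion depends on the Apache/OpenSSL build.
ALL_PROTOCOLS="TLSv1 TLSv1.1 TLSv1.2"

# resolve_ssl_protocol "<SSLProtocol arguments>" -> versions left enabled
resolve_ssl_protocol() {
    enabled=""
    for token in $1; do
        case "$token" in
            +*) action=add;    name=${token#+} ;;
            -*) action=remove; name=${token#-} ;;
            *)  action=set;    name=$token ;;
        esac
        case "$name" in [Aa][Ll][Ll]) name=$ALL_PROTOCOLS ;; esac
        # A bare token replaces everything set so far
        if [ "$action" = set ]; then enabled=""; action=add; fi
        for p in $name; do
            # Drop any existing entry, then re-append it when adding
            enabled=$(printf '%s\n' $enabled | grep -Fvx -e "$p" | tr '\n' ' ')
            if [ "$action" = add ]; then enabled="$enabled $p"; fi
        done
    done
    echo $enabled   # unquoted on purpose: collapses the extra spaces
}

# legacy_protocols "<SSLProtocol arguments>" -> enabled versions below TLS 1.2
legacy_protocols() {
    legacy=""
    for p in $(resolve_ssl_protocol "$1"); do
        case "$p" in SSLv3|TLSv1|TLSv1.1) legacy="$legacy $p" ;; esac
    done
    echo $legacy
}

# audit_conf: Apache config on stdin -> one OK/FAIL line per SSLProtocol directive
audit_conf() {
    grep -iE '^[[:space:]]*SSLProtocol[[:space:]]' | while read -r directive args; do
        old=$(legacy_protocols "$args")
        if [ -n "$old" ]; then echo "FAIL $directive $args -> still enables: $old"
        else echo "OK   $directive $args -> $(resolve_ssl_protocol "$args")"; fi
    done
}

# Constructed sample: the directive from the reply above, then a TLS 1.2-only one
sample_conf() {
    printf '%s\n' 'SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2' 'SSLProtocol -all +TLSv1.2'
}
sample_conf | audit_conf
```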

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

Is that code that can be added to the htaccess file, or is that server commands?

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

I'm posting here to clarify to others who may come across srshaw3's question above, and Elsner_Tech's response.

 

If you execute the changes as described by Elsner_Tech's reply, it will configure your Magento installation to use TLS version 1.0 thru 1.2. This changes the encryption from the customer's BROWSER to your Magento website.

 

However, it DOES NOT address the real issue asked by srshaw3's question. The question is about the transaction that takes place from the Magento installation using TLS to Authorize.Net. That TLS handshake is not handled by the Apache web server, rather the Zend framework of Magento makes an encrypted connection to Authorize.Net and connects to https://secure.authorize.net/gateway/transact.dll.  That encrypted connection will fail if your installation is not current.

 

In our case, we've discovered it is really dependent on the operating system version. Our CentOS 6.7 will not work, even though the utilities and most of the libraries like libcurl support TLS1.2.  We've found that upgrading libnss and libnss-devel to a new version seems to solve the problem, but did create other problems (broken SSL connections to UPS and USPS).

 

Right now, it's looking like we're going to need to upgrade our version of CentOS to properly support TLS1.2 using the Authorize.Net module and UPS/USPS.  I've read elsewhere that CentOS 6.8 and later will work.

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

Hi. I'm having this same issue running CentOS 6.9. I'm wondering if you were able to solve your problem? I've already upgraded my SSL libraries, and the server is supporting TLS1.2 with no problems, but authorize.net connections are still failing. As I understand it, the core issue is with curl. My current version of curl (7.19) defaults to TLS1.1. I've tried updating curl to 7.59 using the CityFan repo, but that seems to completely break curl TLS connections.

Re: Configuring Magento 1.9.3.1 to use TLS 1.2 (not less)

Also I forgot to mention - I have another e-commerce site on my server, which is running WooCommerce (WordPress). I'm able to execute authorize.net transactions via WooCommerce with no problems. So in my case, this is definitely an issue with the libraries used by Magento (Zend) and not an operating system issue.