Tls 1.0, 1.1 off


#1

Hello, I hereby consult you if it is possible to disable the TLS 1.0 and 1.1 that you offer.

My bank does not allow me to integrate a payment gateway if I do not deactivate the TLS 1.0 and 1.1 protocols

I would like to know if it is possible to disable these protocols


#2

Yes, but that is done on the web server settings or client browser settings.
Which have nothing to do with the cert in use.

Where exactly are the TLS 1.0 and 1.1 found to be on that need to be disabled?


#3

Agreed with @rg305, and I just wanted to point out that it’s kind of nice to see this happening in this particular direction rather than the other direction. (In other cases on the forum, it seemed that banks wanted security to be reduced in some way in order to integrate payment gateways, while in your case they want the security to be increased.)


#4

I know that this is not SSL certificate problem, the server configuration problem, the disadvantage is that shared hosting providers do not want to disable TLS 1.0 and 1.1, and I throw a lot of Lies, saying that it is problem of website code, which is not true.

Do you know what problems you may face if you disable TLS 1.0 and 1.1?


#5

I can’t think of anyone using 1.1 so that’s a non-issue.
However, and sadly, there are still plenty of 1.0 only capable clients out there.
You would need to prefer 1.2 and look in your logs for any 1.0 connections.
Then deal with those clients - like by upgrading them to 1.2 capable browsers.


#6

The practical consequence is reduced browser compatibility, with loss of support for some browsers.

You can see a chart in

that includes specific browser version compatibility. For example, to visit a site that uses only TLS 1.2, a user would need Chrome 30 or later, Firefox 27 or later, Internet Explorer 11 or later, etc.

It is a real security improvement but also a definite loss of browser compatibility. It’s quite possible to imagine that the browser compatibility is a higher priority for many of the shared hosting customers, which might mean that TLS 1.2-only listener should be shifted onto a separate IP address for now. Generally for a shared IP address all sites hosted there will effectively support or not support the same set of TLS protocol versions.


#7

Shared hosting does not mean a forced shared cipher or protocol list.
If your hosting provider is not able to provide individual vhost file configuration they need to upgrade their systems or you need to get another hosting provider.
Just as easy as with specifying individual certs for individual customers, a system can specifying individualized protocols and ciphers for each customer (within their vhost file).
Given: non-SNI capable clients will always have issues - but those issues are inherent to SNI not to differing ciphers nor protocols.

Case in point, I have multiple ciphersuites running without issue in different vhosts on the same IP.


#8

Thank you very much for all the information you gave me, my provider already deactivated TLS protocols 1.0 and 1.1, now I just need my bank approve the payment gateway :slight_smile:


#9

Please point them to:

And let them know that they’ll lose everyone who accepts credit cards as a customer by June 2018 if they do not make this possible. This mandate does not come from your particular credit card processor but from the payment card providers themselves.

I would send them links to https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslprotocol and http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_protocols

And make it crystal clear that I’m really starting to get the feeling that I should look for another hosting provider since it’s becoming apparent that these people aren’t familiar enough with SSL to be trusted with my customer’s personally identifying information. :smiling_imp:


#10

In this case @Krinic said that the bank wanted support for TLS 1.0 and TLS 1.1 to be disabled entirely, not just to have support for TLS 1.2 enabled. On the other hand, I think the link you provided says that PCI expects everyone in the payments industry to be able to do TLS 1.1 or TLS 1.2 by next year. (Ouch, that’s really quite slow. TLS 1.1 will be 12-year-old technology—and already superseded for a decade!—by the time PCI makes it mandatory.)


#11

Well, the PCI standard is not well-known for being at the forefront of security. :relieved:

But they are indeed mandating that old TLS versions be disabled, not just new ones enabled: (emphasis mine)

All entities must cutover to use only a secure version of TLS (as defined by NIST) effective 30 June 2018

The deadline for supporting newer TLS versions was actually in 2016.

I don’t blame you for being confused. Everyone is confused. I am also confused as to whether they find TLS 1.1 to be acceptable. This seems to say it is, but my PCI automated scanning vendor (and the OPs payment gateway) seems to think it is not. Maybe the NIST recommendation changed in the interim? (I’m going to disable it anyway. :wink:)


closed #12

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.