Visa Developer Community

Reducing Risk: TLS 1.2 Mandatory Upgrade Details

Community Manager

“Let security be part of your development practice”

 

What is TLS?

TLS stands for “Transport Layer Security.” It provides privacy and data integrity between two communicating applications: it authenticates one or both applications and protects the confidentiality and integrity of the information that passes between them. Over time, different versions of TLS have been released; TLS 1.2, released in August 2008, addresses many vulnerabilities identified in the earlier versions.

Why do you need to upgrade?

PCI DSS version 3.1 was retired in October 2016, and the new PCI DSS version 3.2 mandates the TLS 1.2 (or higher) protocol and makes all older versions (e.g. SSL v3, TLS 1.0, TLS 1.1) non-compliant. The standard requires the new TLS requirement to be implemented by June 2018.

In preparation for this requirement, Visa plans to disable TLS 1.0 and TLS 1.1. We will disable them in Sandbox before production, to give you an opportunity to test in Sandbox and ensure you are using TLS 1.2.

Please refer to the compatibility guidelines below for the most popular languages and libraries:

Java

Java 1.5 and below do not support TLS 1.2.

In Java 1.6, TLS 1.2 is not supported in Oracle public updates. It is supported in the business edition starting from Oracle Java version 6u115 b32.

In Java 1.7, TLS 1.2 is supported, but it needs to be explicitly enabled by selecting the enabled protocols when creating the SSLSocket and SSLEngine instances.

Enable TLS 1.2:

Add -Dhttps.protocols="TLSv1.2" -Djdk.tls.client.protocols="TLSv1.2" to the Java command line arguments used to launch the client application. This completely turns off support for TLS 1.1 and below on the server side and supports TLSv1.2.

Java client with a basic URL connection:

[image: java1.png]

Java client using the Apache HttpComponents client:

[image: java2.png]

The exception in case of an incorrect TLS version would be:

[image: java3.png]

Please refer to https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default for more details.

Python

As with Ruby, it is better to update the OpenSSL version. You can test the TLS connectivity with the following code snippet.

[image: python1.png]

The exception in case of an incorrect TLS version would be:

[image: python2.png]

Please refer to https://docs.python.org/2/library/ssl.html for more information.
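The Java notes above (select the enabled protocols on the SSLSocket/SSLEngine, or pin -Djdk.tls.client.protocols) and this Python section come down to the same check: pin the client to TLS 1.2 or higher, keep certificate verification on, and see what the server actually negotiates. The Python 3 script below is an added example written for this page; it is not the snippet from the original post, nor Visa's code. It assumes Python 3.7 or newer (for ssl.TLSVersion) and takes the host to test as a command-line argument; the default "example.invalid" is a placeholder, not a real endpoint. The weak "before" context is constructed here purely so the audit has something to flag.

```python
import socket
import ssl
import sys

# The post states OpenSSL 1.0.1 is the first release that supports TLS 1.2.
MIN_OPENSSL_FOR_TLS12 = (1, 0, 1)
# Protocol names as returned by SSLSocket.version(); only these meet the mandate.
COMPLIANT_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def openssl_supports_tls12(version_info=None):
    """True if the linked OpenSSL (or the version tuple given) is 1.0.1 or newer."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(info[:3]) >= MIN_OPENSSL_FOR_TLS12


def version_is_compliant(protocol_name):
    """Classify a negotiated protocol string such as 'TLSv1.2' or 'TLSv1'."""
    return protocol_name in COMPLIANT_PROTOCOLS


def make_weak_context():
    """The 'before' configuration (constructed for this example): a legacy client
    that verifies nothing and, where the OpenSSL build still allows it, re-enables
    TLS 1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1_1
    except (ValueError, ssl.SSLError):
        pass  # this build has TLS 1.1 compiled out; the other weaknesses remain
    return ctx


def make_tls12_context():
    """The hardened configuration: refuse anything older than TLS 1.2 and keep
    certificate and hostname verification on (the Python counterpart of selecting
    the enabled protocols on a Java SSLSocket or SSLEngine)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the findings that would make a client context fail the TLS 1.2 mandate."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is not pinned to TLS 1.2 or higher")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    return findings


def check_tls_connection(host, port=443, timeout=10.0):
    """Connect with the hardened context and report what the server negotiated.
    A TLS 1.0/1.1-only endpoint (or a bad certificate) fails the handshake with
    ssl.SSLError; it is captured in 'error' so the caller can log it."""
    result = {"host": host, "port": port, "ok": False,
              "protocol": None, "cipher": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with make_tls12_context().wrap_socket(raw, server_hostname=host) as tls:
                result["protocol"] = tls.version()
                result["cipher"] = tls.cipher()[0]
                result["ok"] = version_is_compliant(result["protocol"])
    except (ssl.SSLError, OSError) as exc:
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    # Placeholder host; pass the sandbox endpoint you were given as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    print(ssl.OPENSSL_VERSION, "supports TLS 1.2:", openssl_supports_tls12())
    print("weak context findings:", audit_context(make_weak_context()))
    print("hardened context findings:", audit_context(make_tls12_context()))
    print(check_tls_connection(target))
```

Run it as `python tls_check.py <host>`: a server that still only offers TLS 1.0/1.1 shows up as an SSLError in the `error` field rather than as a negotiated protocol, which is the failure mode the exception screenshots in this post illustrate. The audit function is the part worth keeping in a test suite, since it catches a context that was quietly weakened long after the upgrade.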

Ruby

Ruby uses the system OpenSSL. OpenSSL v0.9.8 will no longer work, but later versions work without any changes. OpenSSL v1.0.1 supports TLS 1.2 by default. With Ruby 2.0, you can test the connection with this script:

[image: ruby.png]

The exception in case of an incorrect TLS version would be:

[image: ruby2.png]

Please refer to https://github.com/ruby/openssl for more information.

OpenSSL

OpenSSL supports TLS 1.2 starting from 1.0.1. (Source)

Curl

Curl supports TLS 1.2 starting from 7.34.0. Please use the following command to test the connection:

[image: curl.png]

If you have any further questions you can always email us at developer@visa.com.

Comments
Newbie
public final class String
extends Object
implements Serializable, Comparable<String>, CharSequence
The String class represents character strings. All string literals in Java programs, such as "abc", are implemented as instances of this class.

Strings are constant; their values cannot be changed after they are created. String buffers support mutable strings. Because String objects are immutable they can be shared. For example:

    char data[] = {'a', 'b', 'c'};
    String str = new String(data);
Regular Visitor

For .Net Framework applications ...

You will probably want to upgrade your .Net Framework version to at least 4.5, preferably 4.6, in order to more easily make TLS 1.2 connections.

Then 

    using System.Net;
    using System.Security.Authentication;

In the function where you make your web request, try:

    const SslProtocols _Tls12 = (SslProtocols)0x00000C00;
    const SecurityProtocolType Tls12 = (SecurityProtocolType)_Tls12;
    ServicePointManager.SecurityProtocol = Tls12;

Newbie

@Nexus_Software - You can refer to this article,
Are there .NET implementation of TLS 1.2?
