Visa Developer Community

Updated Ciphers for Security

Community Manager

Please ensure your systems are updated to Visa Developer's latest security protocol ciphers to minimize disruption to your project.

 

Visa regularly reviews supported encryption standards to provide one of the best encryption protections for our APIs. As part of that commitment, we are deprecating older security protocols (ciphers) that do not meet current industry standards for connecting to our REST APIs.

 

All affected clients have been sent an email. If you received an email notice from Visa Developer, it is because our logs show your project is connecting to our REST APIs using one of the protocols or cipher suites that will be deprecated in VDP Sandbox by January 31, 2019 and in VDP Production in early 2019. Therefore, action is required on your part to help avoid interruption with your Visa Developer service.

 

What is a cipher suite

 

A cipher suite is a collection of encryption algorithms used to establish secure connections. VDP will only support the following protocols and cipher suites for encrypted communication

 

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384  
TLS_RSA_WITH_AES_128_GCM_SHA256  
TLS_RSA_WITH_AES_256_CBC_SHA256   
TLS_RSA_WITH_AES_128_CBC_SHA256   


Impact

 

Emails titled "Please update to Visa Developer's latest security protocols" were sent to account users who are either Owners, Administrators or Developers for each affected account. If you did not receive this email notice, then your account is not affected, and no action is required.

 

If you did receive the email, action is required on your part to help avoid interruption with your Visa Developer service. Support for weak cipher suites will be removed on early 2019 and your project will become incompatible.

 

Take Action

 

Using the steps below, we strongly recommend you immediately test your system to determine if it is compatible with the new security requirements. If the test fails, you will need to plan for upgrading your system and verifying compatibility.

 

  1. TEST: First, check your current system’s compatibility by making API calls to VDP Sandbox environment after February 1, 2019.
  2. UPGRADE: If you are unable to successfully connect to the Sandbox environment, you may need to upgrade your operating system’s security components. You may need to make configuration changes in your application to update the underlying software dependencies.

 

Action: Follow our tips for identifying connection errors and upgrading your environment for compatibility: 

 

Configuring Cipher Suites

 

The following table shows the support in Java 7 and 8 for the cipher suites allowed by Visa.

 

Cipher Suite

Java 7

Java 8

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

No

Yes

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

No

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Yes*

Yes

 

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Yes**

TLS_RSA_WITH_AES_256_GCM_SHA384

No

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

Yes*

TLS_RSA_WITH_AES_128_CBC_SHA256

Yes**


* Unlimited strength crypto policy should be used and the cipher suite should be explicitly enabled.

** The cipher suite should be explicitly enabled

 

If you are using Java 8, you should be able to connect to Visa without any issues.

If you are using Java 7 and are unable to connect to Sandbox environment, follow the instructions below.

 

  • If you are using Java’s HttpsURLConnection for making API calls,
    • If you already have -Dhttps.cipherSuites JVM argument, add TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suites to the list, if they are not already present.
    • Else, add the following JVM argument which enables TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 and TLS_RSA_WITH_AES_128_CBC_SHA256 cipher suites in addition to the ones enabled by default in java 7.
-Dhttps.cipherSuites 
=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,SSL_RSA_WITH_RC4_128_MD5,TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • If you are using Apache HttpClient for making API calls, provide the cipher suites list while constructing SSLConnectionSocketFactory.

SSLContext sslcontext = ...

SSLConnectionSocketFactory sslSocketFactory = new

   SSLConnectionSocketFactory(sslcontext,

        new String[]{"TLSv1.2"},

        new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

                "TLS_RSA_WITH_AES_128_CBC_SHA256",

                "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",

                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",

                "TLS_RSA_WITH_AES_256_CBC_SHA",

                "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",

                "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",

                "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",

                "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",

                "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",

                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",

                "TLS_RSA_WITH_AES_128_CBC_SHA",

                "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",

                "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",

                "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",

                "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

                "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",

                "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",

                "SSL_RSA_WITH_3DES_EDE_CBC_SHA",

                "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",

                "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",

                "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",

                "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",

                "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",

                "TLS_ECDHE_RSA_WITH_RC4_128_SHA",

                "SSL_RSA_WITH_RC4_128_SHA",

                "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",

                "TLS_ECDH_RSA_WITH_RC4_128_SHA",

                "SSL_RSA_WITH_RC4_128_MD5",

                "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"},

        SSLConnectionSocketFactory.getDefaultHostnameVerifier());

CloseableHttpClient httpClient =

   HttpClients.custom()

   .setSSLSocketFactory(sslSocketFactory)

   .build();

 

If you have enabled unlimited strength crypto policy, in the above steps, you can optionally add TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 and TLS_RSA_WITH_AES_128_CBC_SHA256 to the enabled cipher suites list.

 

Troubleshooting TLS issues

 

For troubleshooting TLS issues, you can start your application with -Djavax.net.debug=allargument and make an API call to visa. You will see the following in your logs:

 

*** ClientHello, TLSv1.2

Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256,…] This is the list of cipher suites enabled in your application. This list should include at least one of the cipher suites allowed by visa.

 

*** ServerHello, TLSv1.2

Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 This is the cipher suite chosen for the HTTPS connection and will be one of the visa allowed cipher suites.

 

           3. VERIFY: Once you have made the necessary changes, verify your upgraded system can connect successfully to the same test endpoint.

 

Our normal REST API endpoint already supports the stronger cipher suites, so you can promptly cut over your production traffic once the changes have been verified.

 

If you have any questions or need support, please comment below and we'll help! You also post your question on this forum thread.  We can also help if you reach us via email developer@visa.com or your designated Visa contact.

blogs

Recent Blogs