How to Upgrade deprecated SSL/old TLS to compliant version 1.2
Posted by on 17 July 2018 10:17 AM
Overview
PCI DSS set a deadline of June 30, 2018 for deprecating SSL/old TLS as an acceptable standard for the encryption of credit card transaction data on e-Commerce websites and payment gateways. PCI DSS standards now accept only TLS 1.2 for transaction processing on e-Commerce sites and payment gateways.
There are a number of reasons why we should stop using older SSL protocols, but the most important are:
What should you do?
Are you running Java applications (Tomcat, JBoss, Wildfly, etc.)?
To meet the latest PCI DSS standards for your Java application, you must use JDK 1.8 or later. It uses TLS 1.2 by default, so you don’t have to make custom changes to the JDK installation. TLS 1.2 first appeared in JDK 7; however, it comes disabled by default there and you have to perform a series of changes to enable it. TLS is backwards-compatible: after upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 or 1.1, it will remain available. Nevertheless, it’s recommended that your developers upgrade your code to run on TLS 1.2 only.
How to upgrade to JDK 1.8 on server with ISPmanager 5
Please make sure to involve your developers before applying these changes. Coding adjustments might be needed if your application doesn’t support JDK 1.8, since some functionalities or Java classes might have been updated.
PHP and other technologies that run on Apache
To meet current PCI DSS standards, you must run OpenSSL 1.0.2 and Curl 7.34 or later. However, we recommend that you use Curl 7.58, which uses TLS 1.2 by default. TLS 1.2 first appeared in OpenSSL 1.0.0h and 1.0.1 and Curl 7.18. However, it comes disabled by default there and you have to perform a series of changes to enable it. TLS is backwards-compatible: after upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 or 1.1, it will remain available. Nevertheless, it’s recommended that your developers upgrade your code to run on TLS 1.2 only.
How to upgrade to OpenSSL 1.0.2 and Curl 7.58 on servers with ISPmanager 4 or 5
1. Login to ISPmanager > Go to Tools > Shell-client (You can connect via SSH instead)
2. Run the commands:
    rpm -qa | grep openssl
    -> This will show you the version it’s running
    rpm -qa | grep curl
    -> This will show you the version it’s running
If you’re already on openssl-1.0.2k-12.el7.x86_64 and curl-7.58.0-7.0.cf.rhel7.x86_64 or later, you can stop here.
3. We will proceed to upgrade OpenSSL by running:
    yum update openssl
    -> Then press [Y] when it asks you to proceed
4. We will proceed to upgrade Curl by running:
    cd /tmp/ && wget http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-1.rhel6.noarch.rpm
    rpm -Uvh city-fan.org-release-2-1.rhel6.noarch.rpm
    yum --enablerepo=city-fan.org update curl
    -> Then press [Y] when it asks you to proceed
SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.2 +TLSv1.1
If you’re running CentOS 5, please contact support@eapps.com, since your server is already EOL and needs to be migrated to the newest CentOS 7 64-bit.
If you are not sure how to do this, please contact eApps Support - support@eapps.com
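The version check from step 2 of the OpenSSL/Curl procedure, scripted as an added example (not part of the original article): it parses `rpm -qa` output and compares the installed versions with the minimums stated above. The function names and the first sample package list are constructed for illustration; the second list holds the two package versions quoted in step 2.

```shell
#!/bin/sh
# Added example: do the installed OpenSSL and curl meet the article's minimums?
MIN_OPENSSL="1.0.2"   # minimum named in the article
MIN_CURL="7.34"       # minimum named in the article (7.58 is the recommended version)

# Constructed sample of `rpm -qa` output from a server that still needs the upgrade.
SAMPLE_BEFORE='openssl-libs-1.0.1e-57.el6.x86_64
openssl-1.0.1e-57.el6.x86_64
libcurl-7.19.7-53.el6_9.x86_64
curl-7.19.7-53.el6_9.x86_64'

# The two package versions quoted in step 2 of the article.
SAMPLE_AFTER='openssl-1.0.2k-12.el7.x86_64
curl-7.58.0-7.0.cf.rhel7.x86_64'

# pkg_version LIST NAME -> upstream version of package NAME, empty if absent.
# Matching "NAME-<digit>" skips openssl-libs, libcurl and similar packages
# that a plain `grep openssl` or `grep curl` also returns.
pkg_version() {
    printf '%s\n' "$1" | sed -n "s/^$2-\([0-9][^-]*\)-.*/\1/p" | head -n 1
}

# version_ge A B -> succeeds when A >= B, comparing dot-separated numeric
# fields. A letter suffix such as the "k" in 1.0.2k is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# tls_status LIST NAME MIN -> prints "ok", "upgrade" or "missing".
tls_status() {
    have="$(pkg_version "$1" "$2")"
    if [ -z "$have" ]; then echo "missing"
    elif version_ge "$have" "$3"; then echo "ok"
    else echo "upgrade"
    fi
}

# On a real server, replace the sample lists with: "$(rpm -qa)"
for list in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    echo "openssl: $(tls_status "$list" openssl "$MIN_OPENSSL")  curl: $(tls_status "$list" curl "$MIN_CURL")"
done
```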