Date: 1/11/2018
Bulletin No.: PCB.11302017.002
Technical Bulletin: Deprecation of SSL 3.0, TLS 1.0, TLS 1.1 & Unapproved Ciphers from OpenEdge Environments

Integrator & Merchant Impacts Present – Immediate Action Required

Intended Audience:

This bulletin is intended for OpenEdge 3rd Party Partner Integrators who integrate to OpenEdge HostPay (OEHP), Hosted Payment Form (HPF), Direct to Gateway (DTG), or EdgeExpress integration methods.

This bulletin is intended to provide updates on the removal of SSL v3.0, TLS 1.0 and 1.1 and unapproved cipher suites from OpenEdge’s environments.

Overview:

The Payment Card Industry Security Standards Council (PCI SSC) communicated that Secure Sockets Layer version 3.0 (SSL v3.0) has vulnerabilities (i.e., POODLE, FREAK, Heartbleed-related compromises) and recommended removal of SSL v3.0 from all payment processing environments (i.e., processors, acquirers, financial institutions, and merchants). Subsequently, the PCI SSC released version 3.1 of the PCI Data Security Standard (PCI DSS) and indicated that some implementations using early versions of Transport Layer Security (TLS, version 1.0) were also vulnerable. The PCI SSC thus mandated the removal of both SSL v3.0 and TLS v1.0 from payment processing environments by June 30, 2016.

Marketplace analysis and estimates showed the removal of both SSL and early TLS could have a major impact on internet-based payment processing environments. Therefore, on December 18, 2015, the PCI SSC announced revisions to the Standards and re-published their “Migrating from SSL and early TLS Information Supplement,” which now mandates the removal of SSL v3.0 and TLS v1.0 by June 30, 2018.

To continually offer the latest technology and to enable PCI DSS compliance for our customers, OpenEdge is discontinuing support of SSL v3.0, TLS 1.0 and 1.1, and related cipher suites in our environments and will:

  • Require all applications currently in certification and all new or enhanced applications to support TLS v1.2 and approved TLS 1.2 cipher suites as of January 1, 2018.
  • Provide an alternate integrator sandbox that only allows TLS 1.2 connections using one of the approved cipher suites; it is available now for testing.
  • Discontinue support of SSL v3.0, TLS v1.0, and TLS v1.1 in our main partner integrator sandbox as of January 12, 2018.
  • Remove SSL v3.0, TLS v1.0, TLS v1.1, and related cipher suites from our Production environments prior to June 2018.

The list of approved cipher suites is as follows:

Encryption Protocol   Cipher Suite                               Key Exchange   Encryption    Hash Function for PRF
TLS 1.2               TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384    ECDHE          AES_256_GCM   SHA-384
TLS 1.2               TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384      ECDHE          AES_256_GCM   SHA-384
TLS 1.2               TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384    ECDHE          AES_256_CBC   SHA-384
TLS 1.2               TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384      ECDHE          AES_256_CBC   SHA-384
TLS 1.2               TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA         ECDHE          AES_256_CBC   SHA

Immediate Action Required

SSL 3.0, TLS 1.0, TLS 1.1, and related Cipher Suite Removal – Research and Remediate Prior to February 28, 2018:

  • A partner integration change may be needed depending on how the integrating partner is handling communications to the OpenEdge Gateway. The partner integrator is responsible for handling communication to the OpenEdge Gateway and is responsible for ensuring TLS 1.2 and cipher compatibility.
  • It is critical that you make it a priority to confirm compatibility of your software with TLS 1.2 by sending a test transaction using a hosts file override. Please click here for instructions on how to edit your hosts file to send a transaction to the alternate processing URL. There are instructions for Windows® 7, Windows 8, 8.1 and 10, and Mac OS X.
  • After you have attempted test transactions, we request that you click here to complete a short survey notifying us of your results.
  • If your software is unable to send a test transaction via the alternate processing IP, you will need to include a new Innovo library in your solution and retest to ensure you can successfully process a test transaction. You can request the updated library by sending an email to developerservices@openedgepay.com. If your software is a deployed or distributed solution, we can assist merchants with the library update, as necessary.
  • Your compliant solution must be in market by February 28, 2018.
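As an added example (not code from the bulletin or from OpenEdge), the following Python shows the two checks an integrator would want before the February 28, 2018 deadline: a client context that can only negotiate TLS 1.2 with one of the five approved suites from the table above, and a checker for what a test transaction actually negotiated. The IANA-to-OpenSSL cipher name mapping is the standard one; the endpoint (sandbox URL or hosts file override) is whatever you point the test transaction at.

```python
import ssl

# Approved suites from the bulletin, keyed by IANA name, with the OpenSSL
# cipher-string name each maps to (standard mapping, not from the bulletin).
APPROVED_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
}
APPROVED_OPENSSL_NAMES = frozenset(APPROVED_SUITES.values())
REQUIRED_PROTOCOL = "TLSv1.2"  # as reported by ssl.SSLSocket.version()


def strict_client_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2 with an approved suite.

    Certificate verification stays on (create_default_context's default),
    so a host-file override still has to present a valid certificate chain.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # drops SSL 3.0, TLS 1.0, 1.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # bulletin lists TLS 1.2 only
    ctx.set_ciphers(":".join(APPROVED_SUITES.values()))
    return ctx


def enabled_tls12_ciphers(ctx: ssl.SSLContext) -> list:
    """OpenSSL names of the TLS 1.2 suites this context will offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def check_negotiation(version: str, cipher: str) -> tuple:
    """Classify a completed handshake, e.g. sock.version() and
    sock.cipher()[0] from the test transaction. Returns (compliant, reason)."""
    if version != REQUIRED_PROTOCOL:
        return False, f"protocol {version} is deprecated; {REQUIRED_PROTOCOL} required"
    if cipher not in APPROVED_OPENSSL_NAMES:
        return False, f"cipher {cipher} is not on the approved list"
    return True, "TLS 1.2 with approved suite"


if __name__ == "__main__":
    ctx = strict_client_context()
    print("offering:", enabled_tls12_ciphers(ctx))
    # Values below are constructed, as if read back from a test connection.
    print(check_negotiation("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"))
    print(check_negotiation("TLSv1", "ECDHE-RSA-AES256-SHA"))
```

If the test transaction fails with the strict context but succeeds with a default one, the client library is falling back to an early protocol or an unapproved suite, which is the case the bulletin says requires the updated Innovo library.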

References:

  • NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf
  • NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions - http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf
  • NIST Special Publication 800-57 Part 3 Revision 1, Recommendation for Key Management - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf
  • NIST Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
  • NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication - http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
  • NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality - http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf
  • NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC - http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
  • NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping - http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf
  • FIPS PUB 186-4, Digital Signature Standard (DSS) - http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf
  • Payment Card Industry (PCI) Data Security Standard 3.0 - https://www.pcisecuritystandards.org/security_standards/index.php
  • Payment Card Industry (PCI) Data Security Standard 3.1 - https://www.pcisecuritystandards.org/security_standards/index.php
  • RFC 6979, Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) - https://tools.ietf.org/html/rfc6979
  • PCI Security Standards Council blog, Date Change for Migrating from SSL and Early TLS - https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
  • PCI Security Standards Council bulletin, Migrating from SSL and Early TLS - https://cdn2.hubspot.net/hubfs/281302/Resources/Migrating_from_SSL_and_Early_TLS_-v12.pdf