This bulletin is intended for OpenEdge 3rd Party Partner Integrators who integrate to OpenEdge HostPay (OEHP), Hosted Payment Form (HPF), Direct to Gateway (DTG), or EdgeExpress integration methods.
This bulletin is intended to provide updates on the removal of SSL v3.0, TLS 1.0 and 1.1 and unapproved cipher suites from OpenEdge’s environments.
The Payment Card Industry Security Standards Council (PCI SSC) communicated that Secure Socket Layer version 3.0 (SSL v3.0) has vulnerabilities (i.e., POODLE, Freak, Heartbleed-related compromises) and recommended removal of SSL v3.0 from all payment processing environments (i.e., processors, acquirers, financial institutions, and merchants). Subsequently, the PCI SSC released version 3.1 of the PCI Data Security Standards (PCI DSS) and indicated that some implementations using early versions of Transport Layer Security (TLS, version 1.0) were also vulnerable. The PCI SSC thus mandated the removal of both SSL v3.0 and TLS v1.0 from payment processing environments by June 30, 2016.
Marketplace analysis and estimates showed the removal of both SSL and early TLS could have a major impact on internet-based payment processing environments. Therefore, on December 18, 2015, the PCI SSC announced revisions to the Standards and re-published their “Migrating from SSL and early TLS Information Supplement,” which now mandates the removal of SSL v3.0 and TLS v1.0 by June 30, 2018.
To continually offer the latest technology and to enable PCI DSS compliance for our customers, OpenEdge is discontinuing support of SSL v3.0, TLS 1.0, TLS 1.1, and related cipher suites in our environments and will:
- Require all applications currently in certification and all new or enhanced applications to support TLS v1.2 and approved TLS 1.2 cipher suites as of January 1, 2018.
- Provide an alternate integrator sandbox that only allows TLS 1.2 connections using one of the approved cipher suites; it is available now for testing.
- Discontinue support of SSL v3.0, TLS v1.0, and TLS v1.1 in our main partner integrator sandbox as of January 12, 2018.
- Remove SSL v3.0, TLS v1.0, TLS v1.1, and related cipher suites from its Production environments prior to June 2018.
The list of approved cipher suites is as follows:

| Encryption Protocol | Cipher Suite | Key Exchange | Encryption | Hash Function for PRF |
|---|---|---|---|---|
SSL 3.0, TLS 1.0, TLS 1.1, and related Cipher Suite Removal – Research and Remediate Prior to March 31, 2018:
- A partner integration change may be needed depending on how the integrating partner is handling communications to the OpenEdge Gateway. The partner integrator is responsible for handling communication to the OpenEdge Gateway and is responsible for ensuring TLS 1.2 and cipher compatibility.
- It is critical that you make it a priority to confirm compatibility of your software with TLS 1.2 by sending test transactions through our Partner testing environment which has been locked down to only accept TLS 1.2 connections.
- After you have attempted test transactions, we request that you complete a short survey notifying us of your results.
- Your compliant solution must be in market by March 31, 2018.
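As an added illustration (not from the bulletin or from OpenEdge), the following Go program reproduces the sandbox lock-down in-process: a server that accepts only TLS 1.2 with two ECDHE/AES-GCM suites (assumed here, since the approved-suite list is missing from this extract) is handshaked by a client capped at TLS 1.1, which fails, and by a TLS 1.2 client, which succeeds. The hostname sandbox.example and the self-signed certificate are constructed fixtures, so nothing here contacts the real sandbox.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSignedCert is a constructed offline fixture standing in for the sandbox's certificate.
func selfSignedCert() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "sandbox.example"},
		DNSNames:     []string{"sandbox.example"},
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	parsed, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(parsed) // the client trusts only this certificate, no InsecureSkipVerify
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// negotiate handshakes a client whose highest offered version is clientMax against a server
// locked to TLS 1.2 and an assumed approved-suite list; it returns version, suite, or the error.
func negotiate(clientMax uint16) (uint16, uint16, error) {
	cert, pool := selfSignedCert()
	srv := &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12, MaxVersion: tls.VersionTLS12,
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
	}
	cp, sp := net.Pipe() // in-memory connection: server side sp, client side cp
	go func() { s := tls.Server(sp, srv); s.Handshake(); sp.Close() }()
	defer cp.Close()
	c := tls.Client(cp, &tls.Config{MinVersion: tls.VersionTLS10, MaxVersion: clientMax,
		RootCAs: pool, ServerName: "sandbox.example"})
	if err := c.Handshake(); err != nil {
		return 0, 0, err // e.g. "remote error: tls: protocol version not supported"
	}
	st := c.ConnectionState()
	return st.Version, st.CipherSuite, nil
}
```

Run negotiate with tls.VersionTLS11 and tls.VersionTLS12 to see the rejection and the accepted version/suite; the same check against your own TLS stack is what the sandbox test transactions exercise.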
| Reference | URL |
|---|---|
| NIST Special Publication 800-131A Revision 1, Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf |
| NIST Special Publication 800-108, Recommendation for Key Derivation Using Pseudorandom Functions | http://csrc.nist.gov/publications/nistpubs/800-108/sp800-108.pdf |
| NIST Special Publication 800-57 Part 3 Revision 1, Recommendation for Key Management | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57Pt3r1.pdf |
| NIST Special Publication 800-52 Revision 1, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf |
| NIST Special Publication 800-38B, Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication | http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf |
| NIST Special Publication 800-38C, Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality | http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C_updated-July20_2007.pdf |
| NIST Special Publication 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC | http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf |
| NIST Special Publication 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping | http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-38F.pdf |
| FIPS PUB 186-4, Digital Signature Standard (DSS) | http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf |
| Payment Card Industry (PCI) Data Security Standard 3.0 | https://www.pcisecuritystandards.org/security_standards/index.php |
| Payment Card Industry (PCI) Data Security Standard 3.1 | https://www.pcisecuritystandards.org/security_standards/index.php |
| RFC 6979, Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA) | https://tools.ietf.org/html/rfc6979 |
| PCI Security Standards Council blog: Date Change for Migrating from SSL and Early TLS | https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls |
| PCI Security Standards Council bulletin: Migrating from SSL and Early TLS | https://cdn2.hubspot.net/hubfs/281302/Resources/Migrating_from_SSL_and_Early_TLS_-v12.pdf |