Payflow TLS 1.2

I had a bunch of notes, but it has been a while and some of them are lost. I wanted to capture as much as I could.

Basically, PayPal Payflow will only speak TLS 1.2. This is a very good thing, since the protocol has been around for about 10 years or so.

The protocols listed here are, apart from the last one, all old:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0
  • TLS 1.1 (not shown by default)
  • TLS 1.2 (not shown by default)

Of course, TLS 1.2 is the new one and is the one that should be used.

TLS 1.2 IIS

Now, IIS acts as a SERVER, accepting connections made TO it, as you would expect. But it can also act as a CLIENT, making connections FROM the box to something else.

This is what happens when interfacing with PAYPAL-PAYFLOW.

Here is the REGEDIT for the security protocols BEFORE the change:

====================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001

====================

And here is the REGEDIT for the security protocols AFTER the change:

====================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001

====================

As you can see, we disabled all the old protocols and only enabled TLS 1.2.

After this REGEDIT is complete, the change is immediate. Nothing needs to be restarted, except the COLDFUSION-APPLICATION-SERVICE if you have it.
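
As an added check (example code written here, not from the original post or from PayPal), the script below audits the SCHANNEL keys the .reg file above writes and then tries a TLS 1.2-only handshake as a client, which is the direction the Payflow call goes. $PayflowHost is an assumed placeholder for the endpoint you actually call.

```powershell
# Constructed placeholder: replace with the Payflow endpoint you actually call.
$PayflowHost = 'payflow.example'

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'Multi-Protocol Unified Hello', 'PCT 1.0', 'SSL 2.0', 'SSL 3.0',
             'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {
    # One row per protocol and side, with the effective state worked out from the
    # two values the .reg file sets. Enabled=0 switches the protocol off outright;
    # DisabledByDefault=1 leaves it available only to apps that request it by name;
    # no values at all means the OS default for that Windows version applies.
    foreach ($p in $protocols) {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path $base "$p\$side"
            $enabled = $null; $byDefault = $null
            if (Test-Path $key) {
                $v = Get-ItemProperty -Path $key
                $enabled = $v.Enabled
                $byDefault = $v.DisabledByDefault
            }
            $state = 'enabled'
            if ($null -eq $enabled -and $null -eq $byDefault) { $state = 'OS default' }
            if ($byDefault -eq 1) { $state = 'opt-in only' }
            if ($enabled -eq 0)   { $state = 'disabled' }
            [pscustomobject]@{ Protocol = $p; Side = $side; Enabled = $enabled;
                               DisabledByDefault = $byDefault; State = $state }
        }
    }
}

function Test-Tls12Client {
    # Offer ONLY TLS 1.2. On .NET Framework SslStream goes through SChannel, so if the
    # registry disabled TLS 1.2 on the Client side this throws, as the Payflow call would.
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{ Host = $HostName; Protocol = $ssl.SslProtocol;
                           Cipher = $ssl.CipherAlgorithm; KeyExchange = $ssl.KeyExchangeAlgorithm }
    } finally {
        $tcp.Close()
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Test-Tls12Client -HostName $PayflowHost | Format-List
```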

Cipher Suite Order

By default, the factory cipher suite order is used.

You can change the Cipher Suite Order on a Server 2008 or higher. Here's how:

-open GPEDIT.MSC
-navigate to: Computer-Configuration\Administrative-Templates\Network\SSL-Configuration-Settings
-edit: SSL-Cipher-Suite-Order
-the text in the field is the list of Cipher-Suites used by the server.
-read the notes.
-edit the list in the order wanted.
-any Cipher-Suites not specified will not be used.

A recommended Cipher Suite list is published here:
https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt

But that was long ago in a brazenly unaware internet.

Nartac has the default Cipher-Suites and the best-practice Cipher-Suites listed here:
https://www.nartac.com/Products/IISCrypto/FAQ

They also have IIS Crypto software that will graphically display (get) and change (set) the protocols, Cipher-Suites and their order.

The cipher suite order is stored in the Registry at:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]

The individual Ciphers are configured here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

Disabling the following Ciphers:
NULL
DES
RC2
RC4
3DES

This leaves the following enabled:
AES128
AES256

RDP Cipher Suite

The default RDP Cipher-Suite is RC4. So if RC4 is disabled, you will lock yourself out and will not be able to RDP to the system.

First, let's get some info by setting up logging for the Cipher-Suite.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000007

The default is a value of: 1

Set the value to: 7
This will collect more info.
No need to reboot, the changes are immediate.

Now that the logging is set, SCHANNEL events can be found in WINDOWS-LOGS > SYSTEM.
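
Once EventLogging is 7, the failures land in the System log; this added example (not from the original post) pulls the SChannel events back out and summarises them. The event IDs are the standard SChannel ones, stated from memory rather than taken from the post, so verify them against your own log.

```powershell
function Get-SchannelHandshakeEvents {
    param([int]$Hours = 24)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Schannel'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue: Get-WinEvent errors out when no events match, which is a fine answer.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $kind = switch ($_.Id) {
            36874   { 'no cipher suite in common' }
            36887   { 'fatal alert received from peer' }
            36888   { 'fatal alert sent to peer' }
            36871   { 'could not create TLS client credential' }
            default { 'other' }
        }
        # Keep only the first line of the message so the table stays readable.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Kind    = $kind
            Message = ($_.Message -split "`r?`n")[0]
        }
    }
}

# Summary first (what is failing and how often), then the details for the RDP case:
# 36874 is typically what appears when a client only offers cipher suites, such as
# RC4, that the server no longer accepts.
$events = Get-SchannelHandshakeEvents -Hours 24
$events | Group-Object Kind | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$events | Where-Object Id -eq 36874 | Format-Table Time, Message -AutoSize
```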

Secondly, let's set RDP to use TLS 1.2.

-open GPEDIT.MSC
-navigate to: Computer-Configuration\Administrative-Templates\Windows-Components\Remote-Desktop-Services\Remote-Desktop-Session-Host\Security
-edit: "Require use of specific security layer for remote (RDP) Connections"
-set to: NEGOTIATE

This will enforce the most secure method that is supported by the client.

There's also a bug where "TLS 1.0" can be shown even though TLS 1.2 is actually being used:
https://docs.microsoft.com/en-US/troubleshoot/windows-server/remote/incorrect-tls-use-rdp-with-ssl-encryption

ColdFusion Java

ColdFusion might need JAVA to be updated. If so, the files might be here:

JAVA DEFAULT LOCATION that ships with the install:
C:\ColdFusion9\runtime\jre\bin
C:\ColdFusion9\runtime\bin\jvm.config

But this can be changed to a custom location, which is specified in:
C:\ColdFusion10\cfusion\bin\jvm.config

Or, to find which JAVA ColdFusion is using (java.home), look at:
https://site.tld/CFIDE/administrator > SETTING-SUMMARY
The value of JAVA HOME shows the path.

In my case, it is in the following:
C:\Program Files\Java\jdk1.8.0_171\jre

I am not a JAVA expert but the JAVA-DEVELOPMENT-KIT (JDK) contains a JAVA-RUNTIME-ENVIRONMENT (JRE).

The overall security file is:
C:\Program Files\Java\jdk1.8.0_171\jre\lib\security\java.security

Open the file with a text editor and read the notes in java.security: they state that additional security properties can be supplied via the jvm.config from above, which holds the arguments that control how JAVA runs. The following argument points JAVA at an extra properties file:
-Djava.security.properties=<URL>

My additions are:
-Djava.security.manager "-Djava.security.policy=C:\\ColdFusion10\\cfusion\\lib\\coldfusion.policy" "-Djava.security.auth.policy=C:\\ColdFusion10\\cfusion\\lib\\neo_jaas.policy"

-edit java.security
-find the line: jdk.tls.disabledAlgorithms
-add the TLS versions (and ciphers) that should not be used: TLSv1, TLSv1.1, DES

Change from:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC

Change to:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, TLSv1, TLSv1.1, DES

Restart ColdFusion Application service.
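
An added example (not from the original post) that makes the java.security edit above repeatable: it assumes the java.security path shown earlier on the page, and handles the trailing-backslash line continuations that shipping Java 8 java.security files use for this property, which a plain find-and-replace on one line misses.

```powershell
# Path taken from the post; adjust to the JRE that ColdFusion actually uses.
$JavaSecurity = 'C:\Program Files\Java\jdk1.8.0_171\jre\lib\security\java.security'

function Add-JdkTlsDisabledAlgorithms {
    param([string]$Path, [string[]]$Add = @('TLSv1', 'TLSv1.1', 'DES'))
    $lines  = @(Get-Content -Path $Path)
    $out    = New-Object System.Collections.Generic.List[string]
    $merged = $null
    $i = 0
    while ($i -lt $lines.Count) {
        $line = $lines[$i]
        if ($null -eq $merged -and $line -match '^\s*jdk\.tls\.disabledAlgorithms\s*=') {
            # Join continuation lines: a trailing backslash means the value goes on.
            $logical = $line
            while ($logical -match '\\\s*$' -and $i + 1 -lt $lines.Count) {
                $i++
                $logical = ($logical -replace '\\\s*$', '') + $lines[$i].TrimStart()
            }
            # Entries are comma separated; merge without duplicating ones already present.
            $value   = ($logical -split '=', 2)[1]
            $current = @($value -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            $merged  = $current + @($Add | Where-Object { $current -notcontains $_ })
            $out.Add('jdk.tls.disabledAlgorithms=' + ($merged -join ', '))
        } else {
            $out.Add($line)
        }
        $i++
    }
    if ($null -eq $merged) { throw "jdk.tls.disabledAlgorithms not found in $Path" }
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a copy to roll back
    Set-Content -Path $Path -Value $out.ToArray() -Encoding ASCII
    return $merged
}

# Prints the resulting list; restart the ColdFusion Application service afterwards.
Add-JdkTlsDisabledAlgorithms -Path $JavaSecurity
```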

New error:
"Error","scheduler-0","01/24/22","05:48:46",,"javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"

Debug:
C:\ColdFusion10\cfusion\bin\jvm.config

-add the following to the arguments, at the end:
"-Djavax.net.debug=all"

-restart the ColdFusion service.
-try to send email again.
-view the log at: C:\ColdFusion10\cfusion\logs\coldfusion-out.log

Current Workaround:
-log in to the 365 Exchange tenant via PowerShell.
-run: Set-TransportConfig -AllowLegacyTLSClients $True
-change the SMTP endpoint to: smtp-legacy.office365.com

NOTES:
https://www.carehart.org/blog/client/index.cfm/2021/4/26/new_java_updates_for_Java_8_and_11_as_of_Apr_2021
https://www.adobe.com/support/coldfusion/downloads.html#additionalThirdPartyInstallers
