How to Upgrade deprecated SSL/old TLS to compliant version 1.2


Overview

The PCI Security Standards Council was founded in 2006 by major credit card providers including American Express, Discover, JCB International, MasterCard, and Visa.  This organization prepares and promotes standards for the security of cardholder data. All of the member credit card brands share equally in the governance and execution of the council’s work.


A change happened on June 30, 2018

PCI DSS set a deadline of June 30, 2018 for deprecating SSL/old TLS on e-commerce websites and payment gateways as an acceptable standard for encrypting credit card transaction data. Since then, PCI DSS accepts only TLS 1.2 for transaction processing on e-commerce sites and payment gateways.


Why deprecate SSL/old TLS?

There are a number of reasons why we should stop using older SSL protocols, but the most important are:

  • These protocols have several known vulnerabilities. For example, POODLE and BEAST are attacks on these protocols that attackers use to obtain credit card information and make unauthorized charges.
  • Merchants that do not adopt TLS 1.2 and keep using SSL/old TLS will be unable to process transactions or connect to the payment gateway service.

What should you do?

Prepare a Risk Mitigation and Migration Plan - We recommend that you review the official PCI Security Standards Council document on this topic, called Guidance for Migrating from SSL and Early TLS. Then take the following steps, depending on the programming technology your website uses.


Java

Are you running Java applications (Tomcat, JBoss, WildFly, etc.)? To meet the latest PCI DSS standards for your Java application you must use JDK 1.8 or later. JDK 1.8 uses TLS 1.2 by default, so no custom changes to the JDK installation are needed. TLS 1.2 first appeared in JDK 7; however, there it is disabled by default and you have to perform a series of changes to enable it.

TLS is backwards-compatible. After upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 and 1.1, it will remain available. Nevertheless, it’s recommended that your developers upgrade your code to run on TLS 1.2 only.

If you would like to know more about JDK 1.8 and TLS 1.2, read this official article.

How to upgrade to JDK 1.8 on server with ISPmanager 5

  1. Log in to ISPmanager > Go to Settings
  2. Click on Features > click on the old JDK version that is installed -> Uninstall
    Wait until the uninstall process completes
  3. Click on JDK 1.8 and install it


How to upgrade to JDK 1.8 on server with ISPmanager 4

  1. Log in to ISPmanager > Go to Settings
  2. Click on Features > click on the old JDK version that is installed -> Uninstall
    Wait until the uninstall process completes
  3. Go to Tools > Shell-client (You can connect via SSH instead)
  4. Run the command:
    yum install java-1.8.0-openjdk-devel -> Then press [Y] when it asks you to proceed (java-1.8.0-openjdk-devel is the OpenJDK 8 JDK package in the CentOS base repository)

Please involve your developers before applying these changes: code adjustments may be needed if your application does not yet support JDK 1.8, since some functionality or Java classes may have changed.

PHP and other technologies that run on Apache


Are you running a regular Apache and database website (WordPress, Joomla, Drupal, HTML5/CSS/jQuery/JavaScript)?

In order to meet current PCI DSS standards you must run OpenSSL 1.0.2 and Curl 7.34 or later. However, we recommend that you use Curl 7.58, which uses TLS 1.2 by default. TLS 1.2 first appeared in OpenSSL 1.0.0h and 1.0.1 and in Curl 7.18; however, there it is disabled by default and you have to perform a series of changes to enable it.

TLS is backwards-compatible. After upgrading the default to 1.2, systems using 1.1 and 1.0 will continue to function, so if any of your processing requires 1.0 and 1.1, it will remain available. Nevertheless, it’s recommended that your developers upgrade your code to run on TLS 1.2 only.

How to upgrade to OpenSSL 1.0.2 and Curl 7.58 on servers with ISPmanager 4 or 5

1. Log in to ISPmanager > Go to Tools > Shell-client (You can connect via SSH instead)
2. Run the commands:

rpm -qa | grep openssl -> This shows you the installed OpenSSL version
rpm -qa | grep curl -> This shows you the installed Curl version


If you’re already on: openssl-1.0.2k-12.el7.x86_64 and curl-7.58.0-7.0.cf.rhel7.x86_64 or later, you can stop here.


3. Upgrade OpenSSL by running:


yum update openssl -> Then press [Y] when it asks you to proceed


4. Upgrade Curl by running:


cd /tmp/ && wget http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-1.rhel6.noarch.rpm
rpm -Uvh city-fan.org-release-2-1.rhel6.noarch.rpm
yum --enablerepo=city-fan.org update curl -> Then press [Y] when it asks you to proceed


Once all the upgrades are done, make sure you also update the SSL protocol and cipher suite settings in your Apache configuration to something similar to this:

SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.2 +TLSv1.1
SSLCipherSuite EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4
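As an added check that is not part of the original article, the following POSIX shell script verifies that the installed OpenSSL and Curl packages meet the minimums above and that an Apache SSLProtocol line leaves only TLS 1.2 (and, as in the article's own configuration, TLS 1.1) enabled. It assumes GNU sort -V for version ordering; the package strings are constructed samples in the format printed by rpm -qa.

```shell
#!/bin/sh
# Added example (not from the original article): post-upgrade checks for the
# TLS 1.2 migration. Package strings are constructed samples in the rpm -qa
# NEVRA format; version ordering relies on GNU "sort -V".
MIN_OPENSSL="1.0.2"   # minimum versions named in the article
MIN_CURL="7.34"

# version_ge A B: succeed when version A is greater than or equal to B.
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# pkg_version NEVRA: print the upstream version of an rpm -qa entry,
# e.g. openssl-1.0.2k-12.el7.x86_64 -> 1.0.2k
pkg_version() {
    printf '%s' "$1" | sed -E 's/^[^0-9]*-([0-9][^-]*)-.*$/\1/'
}

# packages_ok OPENSSL_NEVRA CURL_NEVRA: succeed when both packages meet the
# minimums (feed it the lines printed by "rpm -qa | grep ...").
packages_ok() {
    version_ge "$(pkg_version "$1")" "$MIN_OPENSSL" &&
        version_ge "$(pkg_version "$2")" "$MIN_CURL"
}

# proto_enabled PROTO "SSLProtocol ...": replay the directive as mod_ssl does
# (bare name or +name adds, -name removes; "all" is treated conservatively as
# enabling every protocol) and succeed if PROTO ends up enabled.
proto_enabled() {
    state=0
    for tok in $2; do
        case "$tok" in
            "$1"|"+$1"|all|+all) state=1 ;;
            "-$1"|-all)          state=0 ;;
        esac
    done
    [ "$state" -eq 1 ]
}

# ssl_protocol_ok "SSLProtocol ...": TLSv1.2 must be enabled and the
# deprecated SSLv2, SSLv3 and TLSv1 must not be.
ssl_protocol_ok() {
    proto_enabled TLSv1.2 "$1" && ! proto_enabled SSLv2 "$1" &&
        ! proto_enabled SSLv3 "$1" && ! proto_enabled TLSv1 "$1"
}

# Constructed samples: the versions the article calls sufficient and its
# recommended SSLProtocol line.
packages_ok "openssl-1.0.2k-12.el7.x86_64" "curl-7.58.0-7.0.cf.rhel7.x86_64" && echo "packages: OK"
ssl_protocol_ok "SSLProtocol -SSLv2 -SSLv3 -TLSv1 +TLSv1.2 +TLSv1.1" && echo "SSLProtocol: OK"
```

Drop +TLSv1.1 from the directive if you follow the recommendation above to run TLS 1.2 only; the check still passes, since it only requires TLSv1.2 to be enabled.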


Keep in mind that we also offer a service called “Security Optimization for Apache Web Server”, and we can help you get an A+ rating for your SSL cipher and security configuration.

If you’re running CentOS 5, please contact support@eapps.com, since your server is already EOL and needs to be migrated to a newer CentOS 7 64-bit server.

If you are not sure how to do this, please contact eApps Support - support@eapps.com

Official PCI DSS documentation

