Important notice to customers - Required SSL version update

Restriction of the use of Certain Cryptographic Algorithms for Ecommerce customers will be mandated by Direct Payment Solutions from 1 October 2007.

For compliance with Visa/MasterCard PCI DSS certification the use of LOW encryption ciphers is not permitted. Payment Express' servers will only support MEDIUM or HIGH strength ciphers to guarantee transaction security / integrity.

From the 1st October Payment Express will only support SSL version 3.0 or higher. SSL version 2.0 and below will be disabled.

This will affect Shopping cart customers using Non-hosted Payment Pages.

How can I tell if my site will be affected?

On a secure site, you can examine what protocol is in use by clicking "Properties" on the "File" menu. 

Alternatively, you can use Microsoft Fiddler’s “Capture HTTPS CONNECTs” option to view a complete listing of which protocols and encryption algorithms your browser offers and which the server chooses.

1. If your site requires SSLv2, please reconfigure it to permit SSLv3 or TLSv1 connections.
2. Ensure that the hostnames used for your secure pages exactly match the hostname in your digital certificate.  For example, using the certificate for www.example.com on secure.example.com will result in an error page.
3. If your site supports TLS, please ensure that it has a standards-compliant implementation of TLS that does not fail when extensions are present.  Testing for a non-compliant TLS server is as simple as navigating to any HTTPS page on the server using IE7 on Vista Beta 2.  If IE7 fails to connect, TLS extensions are the most likely culprit.

If you are unsure if you will be affected by these changes, please refer to the Support and Knowledgebase Articles below, or speak to your web developer.

Support & Knowledge Base Articles

Apache

Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines:

• SSLProtocol -ALL +SSLv3 +TLSv1
• SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

For Apache/apache_ssl include the following line in the configuration file (httpsd.conf):

• SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Tomcat

• sslProtocol="SSLv3"
• ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA"

IIS

• How to Control the Ciphers for SSL and TLS on IIS (http://support.microsoft.com/default.aspx?scid=KB;en-us;q216482) (IIS restart required)
• How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll (http://support.microsoft.com/default.aspx?scid=kb;EN-US;245030)

(Windows restart required)

• How to disable PCT 1.0, SSL 2.0 in Internet Information Services (http://support.microsoft.com/default.aspx?scid=kb;en-us;187498)

(Windows restart required)

For Novell Netware 6.5

Please refer to the following document

• SSL Allows the use of Weak Ciphers. -TID10100633 (http://support.novell.com/cgi-bin/search/searchtid.cgi?10100633.htm)

cURL library for PHP

The following should be included in your code to force SSL Version 3.0.

• curl_setopt($ch, CURLOPT_SSLVERSION,3);