Upcoming TLS 1.2 and 3DES changes on Windows 2008 standard

In a recent "technical update" email from authorize.net we were informed that TLS 1.2 will not be required until Feb 28, 2018 (instead of in September of 2017). It however further indicates that the 3DES Cipher will be retired on September 18th.

Now, our server is running Windows 2008, so the only way to get TLS 1.2 is to upgrade the Windows Server version (we plan to move to Windows 2012).  Given the newly announced delay until TLS 1.2 is required, we were wanting to relax our upgrade schedule to move to Windows 2012 in October, after our busy season is over.

However, what I am trying to verify is if connections from my Windows 2008 server to the production server will work on and after September 18th when Authorize disables the 3DES cipher (but still not require TLS 1.2). Since the sandbox requires TLS 1.2, I am unable to test regarding changes to our ciphers, since the TLS 1.2 requirement that has already been implemented on the sandbox does not allow me to connect to the sandbox regardless.

As such, it seems to me the only way to be sure that we will be able to connect to the live Authorize production server uninterrupted is to go ahead and move our website to a newer version of Windows Server before Sept. 18th, making the extension for the TLS 1.2 requirement until Feb 28th, 2018 sort of meaningless. :)

In other words, the only way for me to be sure my system will be able to talk to the live Authorize production environment after Sept. 18th is to go ahead and upgrade our server so as to be TLS 1.2 compliant by that date, which would then allow me to also test (against the sandbox) whether our server’s ciphers are compliant with your system.

So my questions are:

a)  Is there any super secret way to allow for Windows 2008 "standard" (NOT "R2") to use TLS 1.2?  We are committed to upgrading the server regardless - such an upgrade is long overdue anyway - but if we could "band-aid" until October and upgrade then, that would work out the best for us.

b)  Is there otherwise, without TLS 1.2, a way to ensure that our Windows 2008 server will connect to Authorize after Sept. 18th (when the 3DES cipher is retired from the live Authorize production server) without being able to connect to the sandbox, due to the sandbox rejecting anything not using TLS 1.2?

c)  Any other thoughts/wisdom on my issue?

Thanks, everyone, in advance.

SodaBob
Member
Accepted Solutions

Good news!

https://blogs.microsoft.com/microsoftsecure/2017/07/20/tls-1-2-support-added-to-windows-server-2008/

also related: https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-s...

With regards to 3DES, though, you still want to make sure you're not using that. Your best bet would be to try to figure out what cipher is being used when your server connects to our production system. If it's already not using 3DES, you're fine. If it's using 3DES, make sure you have another supported cipher (from the list here or here), and see if you can force the connection to use that cipher for testing.

Aaron
All Star
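
One way to run the check suggested in the answer above, as an added example that is not part of the original post or of Authorize.net's documentation. It uses .NET's `SslStream`, which goes through the same Windows Schannel stack as IIS and .NET applications, and only reports what was negotiated; the host name `gateway.example.com` and the function name `Get-NegotiatedTls` are placeholders, and the default of TLS 1.0 is an assumption about the un-updated server.

```powershell
# Added example. Reports what Schannel negotiates from THIS server to a TLS endpoint.
param(
    # Placeholder host (assumption); pass the production hostname your integration calls.
    [string]$TargetHost = 'gateway.example.com',
    [int]$Port = 443,
    # Protocol(s) to offer. 'Tls' is TLS 1.0; 'Tls12' needs a .NET build that defines it.
    [System.Security.Authentication.SslProtocols]$Protocols = 'Tls'
)

function Get-NegotiatedTls {
    param([string]$HostName, [int]$Port, [System.Security.Authentication.SslProtocols]$Protocols)

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # $false: closing the SslStream also closes the underlying socket stream.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        try {
            # No client certificate ($null); no revocation check ($false).
            $ssl.AuthenticateAsClient($HostName, $null, $Protocols, $false)
            $tripleDes = [System.Security.Authentication.CipherAlgorithmType]::TripleDes
            New-Object PSObject -Property @{
                Host        = $HostName
                Protocol    = $ssl.SslProtocol
                Cipher      = $ssl.CipherAlgorithm
                KeyBits     = $ssl.CipherStrength
                Hash        = $ssl.HashAlgorithm
                KeyExchange = $ssl.KeyExchangeAlgorithm
                Uses3DES    = ($ssl.CipherAlgorithm -eq $tripleDes)
            }
        } finally {
            $ssl.Close()
        }
    } finally {
        $tcp.Close()
    }
}

try {
    $result = Get-NegotiatedTls -HostName $TargetHost -Port $Port -Protocols $Protocols
    $result | Format-List Host, Protocol, Cipher, KeyBits, Hash, KeyExchange, Uses3DES
    if ($result.Uses3DES) { Write-Warning '3DES was negotiated; another cipher must be available before the server retires it.' }
} catch {
    # Handshake or certificate validation failed: no protocol/cipher in common, or untrusted chain.
    Write-Error "TLS handshake to ${TargetHost}:${Port} failed: $($_.Exception.Message)"
}
```

Run it on the server itself, since the result reflects that machine's Schannel configuration rather than the endpoint alone.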
Thanks so much!  All the googling my server admin and I did on this topic revealed years' worth of "TLS 1.2 is not supported on Windows 2008" posts, and we never saw those articles indicating support was recently added.  I've informed my server admin of this newly added support, and will report back whether we are successful or not.  Thanks very much for your time, Aaron!

Yeah, quite frankly, I'm a little surprised that Microsoft did this instead of pushing 2012 upgrades. But, this TLS 1.2 thing affects a ton of people, so there's a critical mass out there that finally pushed them into offering a solution.

Note!! This will fix an IIS site accessing Authorize.net, but by default Windows 2008 still uses an older Cryptographic Service.  This will affect you getting a SHA256 SSL Certificate (instead of SHA1) for your site unless you go through a bunch of steps to update the crypto service or go to a newer Windows Server.

kabutotx
Regular Contributor