logo
Welcome to our new AbleCommerce forums. As a guest, you may view the information here. To post to this forum, you must have a registered account with us, either as a new user evaluating AbleCommerce or an existing user of the application. For all questions related to the older version of Gold and earlier, please go to AbleCommerce Gold forum. Please use your AbleCommerce username and password to Login. New Registrations are disabled.

Notification

Icon
Error

2 Pages<12
Options
Go to last post Go to first unread
Jay  
#21 Posted : Wednesday, October 27, 2021 8:13:54 AM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
Judy, do you know if that info was on a UPS web page, in an email from UPS, or a verbal communication from UPS?
Compunerdy  
#22 Posted : Wednesday, October 27, 2021 11:09:56 AM(UTC)
Compunerdy

Rank: Newbie

Groups: Authorized User
Joined: 12/4/2018(UTC)
Posts: 8

We have those 4 ciphers enabled and still seeing errors.
Jay  
#23 Posted : Wednesday, October 27, 2021 11:27:19 AM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
Thanks for that info Judy.

After some very brief research, it seems like Server 2012 can only do two of the four:
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256

So I am getting UPS rates again after adding the following to the list of ciphers in my original Functions key in the HKLM\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 branch of the registry:
Code:
,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256


I also made some other additions to the registry, but not sure if they were necessary:
1. Added same two ciphers to the Functions key in HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002.
2. Added same two ciphers to the Functions key in HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002.
3. Copied the corresponding HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002\TLS... sub-keys and values for those two ciphers from my 2019 server.

I tried setting up the other two Judy listed the same way, but they still aren't getting sent as options to the UPS server in the TLS Client Hello packets.

So if you aren't using Server 2012's TLS defaults (because you've modified it manually or with a tool like IISCrypto), I guess you have to make sure you include at least one of the two ciphers I named above.
judy at Web2Market  
#24 Posted : Wednesday, October 27, 2021 11:33:12 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
Hoster for client said they did the following and rebooted UPS works now. (Unless its on the working part of intermittment working/not working!)
We have updated the ciphers,
these were already enabled:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
we just enabled these:
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256

ray22901031  
#25 Posted : Wednesday, October 27, 2021 11:34:41 AM(UTC)
ray22901031

Rank: Advanced Member

Groups: Authorized User, Developers
Joined: 2/17/2019(UTC)
Posts: 909

Thanks: 3 times
Was thanked: 15 time(s) in 15 post(s)
Interesting conversation, we are not experiencing this problem, but we are running on a server 2016 version. Do you guys think this problem just pertains to older Windows servers?

Thanks,
-Ray
Jay  
#26 Posted : Wednesday, October 27, 2021 11:44:02 AM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
Ray, I think it only pertains to situations where you've restricted Windows Server's TLS configuration (manually or with a tool like IISCrypto) and you haven't included at least one of those 4 ciphers. It seems like if you leave the TLS settings at their defaults, Windows Server 2012 and later can use at least two of those four. Not sure what Server 2008 or earlier could do.
Jay  
#27 Posted : Wednesday, October 27, 2021 11:50:13 AM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
Originally Posted by: Compunerdy Go to Quoted Post
We have those 4 ciphers enabled and still seeing errors.


What version of Windows Server?
I guess I would suggest using a capture tool like WireShark, and see if the TLS 1.2 Client Hello packet your server is sending out is including any of those 4 ciphers.
If not, maybe check the other registry entries I mentioned a few posts up and see if adding/changing them helps.
Compunerdy  
#28 Posted : Wednesday, October 27, 2021 3:13:59 PM(UTC)
Compunerdy

Rank: Newbie

Groups: Authorized User
Joined: 12/4/2018(UTC)
Posts: 8

Looks like we fixed it. Thanks for all the info on what to do!
development19599897  
#29 Posted : Thursday, October 28, 2021 3:44:27 PM(UTC)
development19599897

Rank: Newbie

Groups: Developers, Authorized User, HelpDesk
Joined: 7/25/2019(UTC)
Posts: 0

As the previous post suggests, UPS is saying they only support the following 4 ciphers now:
o ECDHE-RSA-AES256-GCM-SHA384
o ECDHE-RSA-AES128-GCM-SHA256
o DHE-RSA-AES256-GCM-SHA384
o DHE-RSA-AES128-GCM-SHA256

Most of our servers are running Windows 2012 R2 and do NOT have the first 2 ciphers available (Windows 2016 and 2019 DO have them). We also use the Nartac IISCrypto tool to set the protocols for PCI compliance and they turn OFF those bottom 2 ciphers on Windows 2012 R2. Turning them on seems to make AbleCommerce work again (although honestly it's been intermittent for us so not sure if this is truly "fixed" or not). Anybody know if PCI security scans will now flag the server as having issues now that those 2 are enabled?

I'm trying to escalate this within UPS but not sure if I'll be successful. The tech I spoke with indicated they've fielded a ton of calls on this since they enabled it 3 days ago (10/25/2021).
Jay  
#30 Posted : Thursday, October 28, 2021 3:51:41 PM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
I don't know if PCI scans will flag it or not. Obviously, UPS handled this very poorly. They should have put out lots of warnings way ahead of time, like they did when they switched to TLS 1.2 only. They still have this page on their web site (although it doesn't look like there is a link to it from anywhere), which has a longer list of ciphers.
judy at Web2Market  
#31 Posted : Friday, October 29, 2021 6:59:20 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
Compunerdy, what did you finally do to fix it? We are still having issues on Win 2008 servers. Win 2012 ones are fixed now by networking.
Just a note, I switched one of the problem sites on Win 2008 to use test mode and got rates, but switched it back again since I didn't know if the rates were different. That merchant has not reported an issue yet because they have other shipping methods, but we are being pro-active and checking all sites that use UPS.
Compunerdy  
#32 Posted : Friday, October 29, 2021 11:10:00 AM(UTC)
Compunerdy

Rank: Newbie

Groups: Authorized User
Joined: 12/4/2018(UTC)
Posts: 8

We just made sure that the following suites are enabled in IIS Crypto

https://media.discordapp...313863340122/unknown.png

Use Wireshark to ensure they are enabled by scanning a Client Hello packet to UPS servers

https://media.discordapp...396220280852/unknown.png

https://media.discordapp...649308758046/unknown.png

Edited by user Friday, October 29, 2021 11:12:26 AM(UTC)  | Reason: Not specified

Jay  
#33 Posted : Friday, October 29, 2021 12:57:47 PM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
By checking the linked pages on this Microsoft page, it looks like you need at least Server 2008 R2 to use these two:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
and at least Server 2016 to use these two:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
judy at Web2Market  
#34 Posted : Monday, November 1, 2021 6:08:16 AM(UTC)
judy at Web2Market

Rank: Advanced Member

Groups: Developers
Joined: 11/7/2018(UTC)
Posts: 303

Thanks: 21 times
Was thanked: 5 time(s) in 5 post(s)
Thanks for all the info. I believe all the sites are working OK now. For the two on the Win 2008 server, the final issue with them was that they hadn't changed to the correct rating url in the admin at any time in the past.
Jay  
#35 Posted : Monday, February 7, 2022 1:16:01 PM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
I've seen few of these SSL errors popping up again over the last month or so. One or two per week, not constantly like before. Anyone else noticed this? I haven't seen anything official from UPS about additional changes, but they didn't announce anything last time either. I'm hoping they just have one of the servers in their server farm configured incorrectly.
Joe Payne @ Solunar  
#36 Posted : Monday, February 7, 2022 2:14:18 PM(UTC)
Joe Payne @ Solunar

Rank: Member

Groups: Developers, Registered, HelpDesk
Joined: 11/7/2018(UTC)
Posts: 23

Thanks: 5 times
"popping up again" where? The able error log?

We haven't seen any errors, but our able error log is so polluted with junk errors that's it hard to find one that matters. We may have simply missed them.
Joe Payne, AbleMods Hosting LLC
https://www.ablemodshosting.com
Jay  
#37 Posted : Monday, February 7, 2022 2:26:07 PM(UTC)
Jay

Rank: Member

Groups: Authorized User, Developers
Joined: 11/12/2018(UTC)
Posts: 25

Thanks: 1 times
Was thanked: 4 time(s) in 3 post(s)
Yes, in the AbleCommerce error log.
Users browsing this topic
Guest (30)
2 Pages<12
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.