Judy, do you know if that info was on a UPS web page, in an email from UPS, or a verbal communication from UPS?

Thanks for that info Judy.

After some very brief research, it seems like Server 2012 can only do two of the four:
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256

So I am getting UPS rates again after adding the following to the list of ciphers in my original Functions key in the HKLM\Software\Policies\Microsoft\Cryptography\Configuration\SSL\00010002 branch of the registry:


I also made some other additions to the registry, but not sure if they were necessary:
1. Added same two ciphers to the Functions key in HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002.
2. Added same two ciphers to the Functions key in HKLM\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002.
3. Copied the corresponding HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\Default\00010002\TLS... sub-keys and values for those two ciphers from my 2019 server.

I tried setting up the other two Judy listed the same way, but they still aren't getting sent as options to the UPS server in the TLS Client Hello packets.

So if you aren't using Server 2012's TLS defaults (because you've modified it manually or with a tool like IISCrypto), I guess you have to make sure you include at least one of the two ciphers I named above.

Interesting conversation, we are not experiencing this problem, but we are running on a server 2016 version. Do you guys think this problem just pertains to older Windows servers?

Thanks,
-Ray

What version of Windows Server?
I guess I would suggest using a capture tool like WireShark, and see if the TLS 1.2 Client Hello packet your server is sending out is including any of those 4 ciphers.
If not, maybe check the other registry entries I mentioned a few posts up and see if adding/changing them helps.

As the previous post suggests, UPS is saying they only support the following 4 ciphers now:
o ECDHE-RSA-AES256-GCM-SHA384
o ECDHE-RSA-AES128-GCM-SHA256
o DHE-RSA-AES256-GCM-SHA384
o DHE-RSA-AES128-GCM-SHA256

Most of our servers are running Windows 2012 R2 and do NOT have the first 2 ciphers available (Windows 2016 and 2019 DO have them). We also use the Nartac IISCrypto tool to set the protocols for PCI compliance and they turn OFF those bottom 2 ciphers on Windows 2012 R2. Turning them on seems to make AbleCommerce work again (although honestly it's been intermittent for us so not sure if this is truly "fixed" or not). Anybody know if PCI security scans will now flag the server as having issues now that those 2 are enabled?

I'm trying to escalate this within UPS but not sure if I'll be successful. The tech I spoke with indicated they've fielded a ton of calls on this since they enabled it 3 days ago (10/25/2021).

Compunerdy, what did you finally do to fix it? We are still having issues on Win 2008 servers. Win 2012 ones are fixed now by networking.
Just a note, I switched one of the problem sites on Win 2008 to use test mode and got rates, but switched it back again since I didn't know if the rates were different. That merchant has not reported an issue yet because they have other shipping methods, but we are being pro-active and checking all sites that use UPS.

By checking the linked pages on this Microsoft page, it looks like you need at least Server 2008 R2 to use these two:
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
and at least Server 2016 to use these two:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

I've seen few of these SSL errors popping up again over the last month or so. One or two per week, not constantly like before. Anyone else noticed this? I haven't seen anything official from UPS about additional changes, but they didn't announce anything last time either. I'm hoping they just have one of the servers in their server farm configured incorrectly.

Yes, in the AbleCommerce error log.