Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
Has anyone else had intermittent problems retrieving some UPS rates since yesterday afternoon? I'm getting some "Exception: The request was aborted: Could not create SSL/TLS secure channel. Stack Trace: ...(etc.)" errors, but not consistently.
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Hi Jay,
Did you happen to see this information in our last newsletter? Please let us know which rating URL you've been using. They might be having some temporary service problems. Unfortunately, they are not real great at notifying their customers. Sometimes, I check this site: https://downdetector.com/status/ups/ Although, I'm not sure how accurate it is.
Thanks, Katie
Thanks for your support!
Katie Secure eCommerce Software and Hosting
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
Is there any way to adjust the timeout for the UPS requests?
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
Additional Info: I'm still live on GOLD, but I posted here out of habit. Someone mentions seeing the same errors on the old forums here. I continued to see these errors intermittently yesterday, and once so far this morning. I did eventually reproduce on my GOLD test site, but I tried a few times this morning on my v 9 test site and didn't get any errors. However, since it is intermittent, I don't know if that points to something specific in GOLD or not. Also, my GOLD sites are on Windows Server 2012 and my v 9 test site is on Windows Server 2019. I suppose that could make a difference also?
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
I've seen multiple times in the past where UPS rates would either fail to return results, or be significantly delayed (> 30 seconds). The last outage I can recall lasted 3-4 days before UPS fully resolved it.
Sometimes it's UPS themselves. Other times it's the internet routes between your web server and their API endpoints. Once or twice we've even called the UPS account rep only to find out they weren't even aware of a systemwide outage. Until we called them <eyeroll>
|
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
Another possibility I thought of is that some of UPS' servers don't have the correct cipher suites set up for TLS 1.2 (due to some maintenance they did), and it is intermittent because sometimes the request hits one of those servers. I ran IISCrypto on my server and compared the active cipher suites to UPS' list at https://www.ups.com/us/en/help-center/technology-support/data-security.page, and it looks like my server has multiple ones that match. Still hoping it is something that gets resolved on their end. We'll probably call our UPS rep on Monday if it is still happening then.
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
Thanks for that info. We see intermittent UPS errors RE TLS and this info is helpful to explain it.
|
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
This has now become a serious problem. We're not getting any results from UPS. It appears that their servers are not finding any common TLS cipher suites, so we're not getting any rates from UPS. My AC 9 test server, using Windows Server 2019, doesn't seem to have a problem, but my live AC Gold server, using Windows Server 2012, isn't getting any UPS rates. However, it is offering multiple cipher suites that UPS says it supports. I'm going to try contacting UPS.
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
Depending on your version of Able Gold, you may need to force ASP.Net to use TLS 1.2. Have you done that?
|
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
Yes, I've had it set to force using TLS 1.2 for quite a while, same with using the new URL. I can see the TLS 1.2 traffic using Wireshark, and my Client Hello packets are offering several cipher suites that UPS claims they support, but their server is responding that it can't create the TLS connection. Thanks for the suggestion though.
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
You've got it covered deeper than I have.
I just took a call from an account reporting same - UPS rates not coming back. Error log reports "The request was aborted: Could not create SSL/TLS secure channel"
It's definitely a TLS/cipher issue, I've seen that error enough to be certain. Since TLS either works or doesn't work, my guess is UPS has fiddled with their cipher suites. Or their edge server proxies are messing up encryption in general.
Yet I've got another account where UPS works just fine. Both are Server 2019. Both are .Net 4.8 framework targeted. Both have IISCrypto settings that match. I even matched the live/dev urls to make sure they're the same as well.
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
Annnnnd checked another account, same 2019 server. They're not getting UPS rates either.
|
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
So I compared my test AC 9 / Windows Server 2019 server, which I haven't used IISCrypto on yet, with my test and live AC Gold / Windows Server 2012 servers, which I did use IISCrypto on. The registry key HKLM/Software/Policies/Microsoft/Cryptography/Configuration/SSL/00010002 didn't have any values on the 2019 server, but it had a Functions key with a bunch of cipher suites on the 2012 server. On my test 2012 server, I removed the Functions key and rebooted, and now UPS' servers complete the TLS connections and return rates. So I did the same on my live 2012 server, and I am getting rates again. FedEx and CyberSource connections are also still working.
OBLIGATORY WARNING: YOUR RESULTS MAY VARY - IF YOU TRY WHAT I DID YOU MAY NOT GET THE SAME RESULTS AND YOUR SITE MAY NOT WORK!
My server is sending different cipher suite options now, and UPS' server is choosing a different cipher suite for my connection now than it did when it was intermittently working yesterday. I haven't dug into the details, but that could be because the one it was able to use sometimes yesterday is not in the list my server is sending now (i.e. I haven't checked to see if there is any overlap in yesterday's list versus today's). I also haven't checked to see which of the options my server is offering are still considered "safe". I'm not too worried for the short term, because we use CyberSource's Secure Acceptance hosted form, meaning the customer's card info goes directly from their browser to CyberSource's servers, and we only get a token back.
Edited by user Tuesday, October 26, 2021 2:40:07 PM (UTC) | Reason: Not specified
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
The Functions key (to my knowledge) is where Microsoft stores the list of acceptable cipher suites. So by deleting it, you basically just enabled all cipher suites available. Is that your thought as well?
|
Rank: Member
Groups: Authorized User, Developers Joined: 11/12/2018(UTC) Posts: 25
Thanks: 1 times Was thanked: 4 time(s) in 3 post(s)
Yes, that's what I'm thinking as well. I know there are several other registry entries that IISCrypto changes (or that are related to TLS but aren't changed by IISCrypto). However, since I tried this first and it helped, I haven't spent time digging into the gory details for now.
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
LOL I know the feeling....
|
Rank: Advanced Member
Groups: System, Administrators, Developers, Registered, HelpDesk Joined: 10/29/2018(UTC) Posts: 472
Thanks: 4 times Was thanked: 34 time(s) in 33 post(s)
Quote: I'm still live on GOLD, but I posted here out of habit. Someone mentions seeing the same errors on the old forums
Hi Jay,
I created a new forum category for Gold here in this forum. It's just too hard to remember to check both places. So the old forums will be available for searching, but any new posts should go to the new section - https://www.ablecommerce...-and-older-versions-only
Hopefully this will be better for everyone, and we won't accidentally miss any posts. Thanks for your help. We always appreciate your savvy tech answers!
Thanks for your support!
Katie Secure eCommerce Software and Hosting
|
Rank: Advanced Member
Groups: HelpDesk, Developers Joined: 11/9/2018(UTC) Posts: 564
Thanks: 122 times Was thanked: 26 time(s) in 25 post(s)
FYI just checking all the ciphers in IISCrypto did not work for me. Deleting the Functions subkey did work. My server is now pulling UPS rates again.
|
Rank: Advanced Member
Groups: Developers
Joined: 11/7/2018(UTC) Posts: 303
Thanks: 21 times Was thanked: 5 time(s) in 5 post(s)
I just got an email from a client with this info from UPS. UPS is saying they made a change and one of 4 Ciphers need to be used when connecting. They said as they were updating their servers there would have been intermittent issues like we saw until today when it is now required on all servers.
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
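An offline way to make the comparison discussed in this thread, added here as an example (not code from any poster, AbleCommerce or UPS): it checks a cipher suite list, as exported from the Functions registry entry, against the four suites in the UPS notice and flags legacy suites that are still enabled. The two sample lists and the weak-suite filter are constructed for illustration.

```python
import re

# The four suites from the UPS notice quoted in the thread (OpenSSL names),
# mapped to the IANA names that Windows Schannel uses in its suite list.
UPS_REQUIRED = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES128-GCM-SHA256": "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
}

# Older Windows releases append the curve to the suite name (e.g. ..._P384).
CURVE_SUFFIX = re.compile(r"_P(256|384|521)$")
# Coarse legacy-suite filter (an assumption of this example, not a full policy).
WEAK = re.compile(r"_(RC4|3DES|DES|NULL)_|_MD5$")


def parse_functions(value):
    """Accept a list (REG_MULTI_SZ) or one comma-separated string (REG_SZ)."""
    if isinstance(value, (list, tuple)):
        items = value
    else:
        items = re.split(r"[,\r\n]+", value)
    return [s.strip().upper() for s in items if s.strip()]


def audit(value):
    """Report overlap with the UPS list and any legacy suites still offered."""
    offered = parse_functions(value)
    normalized = {CURVE_SUFFIX.sub("", s) for s in offered}
    overlap = [name for name, iana in UPS_REQUIRED.items() if iana in normalized]
    weak = [s for s in offered if WEAK.search(s)]
    return {"offered": len(offered), "ups_overlap": overlap, "weak": weak}


# Constructed sample: a restricted list with no suite from the UPS notice.
RESTRICTED = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]
# Constructed sample: a broader comma-separated list, one match, one legacy suite.
BROADER = ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,"
           "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_RSA_WITH_RC4_128_SHA")

if __name__ == "__main__":
    for label, value in (("restricted", RESTRICTED), ("broader", BROADER)):
        print(label, audit(value))
```

An empty `ups_overlap` means the handshake with an endpoint that accepts only those four suites cannot succeed; a non-empty `weak` list is what to review after widening the list or removing the restriction.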