16 May

Time to Upgrade to TLS version 1.2

by Digital Marketing Midtrans

9163Views

The use of general TLS on online systems still leaves security problems. POODLE, BEAST, CRIME, and Heartbleed are some examples of possible SSL/TLS attacks. In regards to this matter, PCI SSC has required all entities associated with PCI-DSS to disable the use of TLS version 1.0 and earlier at the latest by June 30th, 2018.

As a reliable company, Midtrans is committed to always provide the best services to our partners. Therefore, Midtrans will upgrade our services to disable support for the use of TLS version 1.0 and earlier and will be no longer accepting HTTPS connection using those versions, starting from June 10th, 2018.

Partners are strongly encouraged to upgrade the app connected to Midtrans to TLS version 1.2 (preferable) or TLS version 1.1 (minimum) for all HTTPS connections.

How do I upgrade my SSL library to support TLS v1.1 & v1.2?

If you use OpenSSL for your TLS connection, you may check the following guide for upgrading OpenSSL package to support TLS v1.1 or TLS v1.2.

1. Checking OpenSSL

First of all, you need to check what your current OpenSSL version is, by running this command on your machine:

$ openssl version OpenSSL 1.0.2n 7 Dec 2017

TLS 1.1 and 1.2 is supported on OpenSSL version v1.0.1 or later. If your OpenSSL version below that version, then you’ll need to upgrade your OpenSSL package.

2. Upgrading OpenSSL

If you are using Linux as your application server, you need to know which distribution you are using, by run command cat /etc/*-release to find this information.

Following is the sample command on CentOS or RedHat Enterprise Linux :
$ cat /etc/*-release CentOS release 6.5 (Final)

You may upgrade your Linux system to the minimum distribution which supports OpenSSL v1.0.1 or later, before upgrading the OpenSSL package.

• On Debian:
  You’ll need to upgrade your Operating system to Debian 7 (Wheezy) or later.
• On Ubuntu:
  You’ll need to upgrade your Operating system to Ubuntu 12.04 (Precise) or later. If you already on Ubuntu 12.04 or later, you could upgrade OpenSSL package by running the command: $ sudo apt-get update && sudo apt-get install --only-upgrade openssl libssl-dev. Restart your application once the OpenSSL upgrading process is finished.
• On RedHat Enterprise Linux, or CentOS: You’ll need to upgrade your Operating system to CentOS 6 / Red Hat Enterprise Linux 6 or later.
  If you are already using CentOS 6 / Red Hat Enterprise Linux 6 or later, you could upgrade OpenSSL package by running the command: $ sudo yum update openssl. Restart your application once the OpenSSL upgrading process is finished.

3. Verify OpenSSL

Once upgrading process is done, you should re-check OpenSSL package version by running the following command:

$ openssl version OpenSSL 1.0.2n 7 Dec 2017

You’ll see your OpenSSL package has been upgraded.

How do I verify my application already comply with Midtrans updated services?

You could test and verify your application integration, by accessing our Sandbox environment endpoints. As per June 1, 2018, we are disabling our support for TLS 1.0 on Sandbox environment.

You’ll get an error on the connection while accessing Midtrans services when your system still not support TLS v1.1 or TLS v1.2.

If you are successful in accessing our Sandbox service, then you are already complying with our TLS update. As per June 10th 2018, we are fully not supported TLS v1.0 in our production environment.

Information Supplement

Please refer to the following links for information related to this service upgrade:

• Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
• Information Supplement: Migrating from SSL and Early TLS
• PCI SSC Document Library
• Information Supplement: Best Practices for Securing E-Commerce

If you'd like a consultation about TLS, feel free to contact us at support@midtrans.com.