
Upgrade your SSL library to support TLS 1.2


On June 30, 2017, Shopgate is updating its services to require TLS 1.2 for all HTTPS connections. Please follow this documentation to update your system to support TLS 1.2 at your earliest convenience.

  1. Why is TLS 1.2 required for my shop?
  2. What do I need to do?
  3. Details for the Server Admins
  4. Frequently Asked Questions (FAQ)

 

 

1. Why is TLS 1.2 required for my shop?

Shopgate uses HTTPS to connect securely to your server and exchange sensitive data such as orders, customer information, credit cards, and other payment methods. To encrypt these communications, we use the Transport Layer Security (TLS) protocol.

TLS 1.2 is one of the most secure versions of the SSL/TLS protocol, which is designed to prevent eavesdropping, tampering, and message forgery. Shopgate will require TLS 1.2 in order to ensure the continued security of your shop and to adhere to industry best practices.

Many other SaaS providers are also making the change. See PayPal's and Stripe's support pages for more information.

  

  

2. What do I need to do?

To avoid any critical security risks and loss of orders, you must confirm that your systems are ready for this change by June 30, 2017.

Please follow the flowchart below to check whether you need to upgrade your OpenSSL or NSS library to support TLS 1.2. More technical details are provided in the next chapter.

Check_TLS_1.2_flowchart.png

 

 

3. Details for the Server Admins

3.1 Check your OpenSSL or NSS library

Shopgate plugins use cURL to transfer data (e.g. your order details) over HTTPS. Generally speaking, you need to have at least cURL version 7.34.0 in order to support TLS 1.2.

However, please also check the version of the security library that your cURL is built on. The most common libraries that Shopgate merchants use are OpenSSL and NSS.

OpenSSL

If you use OpenSSL libraries, please update them to at least version 1.0.1j. See below for more details.

✓    OpenSSL 1.0.2 and the newer versions support TLS 1.2 by default.

✓ ? OpenSSL 1.0.1 supports TLS 1.2. However, depending on the patch level, some older versions might have serious security bugs or problems such as Heartbleed.

Released in June 2014, Version 1.0.1g is the oldest version considered sufficient.

✓+ Version 1.0.1j is needed to also mitigate the "POODLE" attack.

To check your OpenSSL 1.0.1 patch versions, please refer to the OpenSSL changelog.

 ✘   OpenSSL 1.0.0 and the earlier versions do NOT support TLS 1.1/1.2.

 


 

Network Security Services (NSS)

If you use a Network Security Services (NSS) library, please update it to at least version 3.15.1. Starting from this NSS version, TLS 1.2 is considered supported. Earlier versions have to be considered insufficient.

The current stable release of NSS is 3.30.2, which was released on April 20, 2017.

 


 

Other Library (e.g. GnuTLS)

If you use a different library such as GnuTLS, please check your library's change logs or documentation to ensure that it supports TLS 1.2.
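The checks in 3.1 can be scripted. The following is an added example, not Shopgate's own tooling: it grades the first line of `curl --version` against the thresholds given above (cURL 7.34.0, OpenSSL 1.0.1g / 1.0.1j / 1.0.2, NSS 3.15.1). The function names are hypothetical and the two sample banner lines are constructed.

```shell
#!/bin/sh
# Added example: grade the first line of `curl --version` against the page's thresholds.
LC_ALL=C; export LC_ALL

# ver_ge A B: succeed if dotted numeric version A >= B (first three fields).
ver_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# openssl_verdict VERSION: 1.0.2+ ok; 1.0.1 depends on patch letter; older has no TLS 1.2.
openssl_verdict() {
  num=${1%%[a-z]*}; rest=${1#"$num"}; patch=${rest%"${rest#?}"}
  if ver_ge "$num" 1.0.2; then echo ok; return; fi
  if [ "$num" != 1.0.1 ]; then echo no-tls12; return; fi
  case $patch in
    ''|[a-f]) echo tls12-but-below-1.0.1g ;;
    [g-i])    echo tls12-but-below-1.0.1j ;;
    *)        echo ok ;;
  esac
}

# check_banner LINE: report the cURL and security-library status for one banner line.
check_banner() {
  curl_ver=$(printf '%s\n' "$1" | sed -n 's/^curl \([0-9.]*\).*/\1/p')
  if ver_ge "$curl_ver" 7.34.0; then curl_state=ok; else curl_state=below-7.34.0; fi
  lib=unknown; lib_state=check-library-docs
  for tok in $1; do
    case $tok in
      OpenSSL/*) lib=OpenSSL; lib_state=$(openssl_verdict "${tok#*/}") ;;
      NSS/*)     lib=NSS
                 if ver_ge "${tok#*/}" 3.15.1; then lib_state=ok; else lib_state=no-tls12; fi ;;
      GnuTLS/*)  lib=GnuTLS ;;
    esac
  done
  echo "curl=$curl_state lib=$lib tls12=$lib_state"
}

# Constructed sample banners, then this host's own curl if it is installed.
check_banner 'curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.1t zlib/1.2.8'
check_banner 'curl 7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4'
if command -v curl >/dev/null 2>&1; then
  check_banner "$(curl --version | head -n 1)"
fi
```

A PHP installation may link a different libcurl than the command-line tool, so also compare the output of `php -r 'print_r(curl_version());'`. Distribution packages can carry backported security fixes without changing the version string, so treat a "below" result as a prompt to check the package changelog.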

 

 

3.2 Check your OS Version

In addition to your security library, please also check whether your operating system (OS) version supports TLS 1.2.

Debian

If you use Debian as your operating system, we recommend upgrading to at least Debian 7 (Wheezy) and applying all security updates. If that is not possible, try installing a recent GnuTLS version or an OpenSSL backport for Debian 6.

Debian 7.0, released in May 2013, originally shipped with PHP 5.4 and OpenSSL 1.0.1e. It is sufficient if the regular security updates are applied.

If PHP 5.3 is needed for your system, you can manually downgrade PHP on Wheezy, but please make sure that your SSL library supports TLS 1.2.

 


 

Other Operating System

If you use an operating system other than Debian, please check your system's change logs or documentation to ensure that it supports TLS 1.2.

 

 

 

4. Frequently Asked Questions (FAQ)

4.1 What will happen if my systems do not support TLS 1.2?

If you do not upgrade your SSL/TLS library to support TLS 1.2 before June 30th, 2017, your shop may face critical security risks and your shop's mobile orders will no longer be transferred from Shopgate to your shopping system. 

On top of that, your customers may no longer be able to use PayPal in your desktop shop.

 

 

 

 
