3-DES Disablement in Sandbox Planned for July 30, 2016

by Moderator Moderator 07-14-2016 08:35 AM - edited 07-19-2016 10:28 AM

In an effort to maintain the highest levels of security for all server-to-server communications with the Authorize.Net platform (both transactional and otherwise), we will be ending support for 3-DES cipher suites in the sandbox on July 30, 2016.

Specifically, we will be ending support for the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA, also known as DES-CBC3-SHA or Cipher 0x0a.

We will announce a date for disabling 3-DES ciphers in Production at a later time.

If you have a solution that relies on 3-DES ciphers to communicate with our servers, please update it to a current, high-security cipher as soon as possible. Please review our API best practices blog post for more information.
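One way to check whether a Python client relies on 3-DES before the cutoff, as an added example that is not Authorize.Net code: it separates a client that merely offers a 3-DES suite from one that has nothing else to fall back on, and it generalizes from the single suite named above to any suite whose bulk cipher is 3-DES. The function names and the `LEGACY_CLIENT` sample are assumptions made for illustration.

```python
import socket
import ssl

TRIPLE_DES_RSA = 0x000A  # TLS_RSA_WITH_3DES_EDE_CBC_SHA, OpenSSL name DES-CBC3-SHA


def is_3des(cipher):
    """True if a get_ciphers() entry encrypts with 3-DES (any key exchange)."""
    # OpenSSL reports ids as 0x0300XXXX; the low 16 bits are the TLS code point.
    return ((cipher["id"] & 0xFFFF) == TRIPLE_DES_RSA
            or "Enc=3DES" in cipher.get("description", ""))


def audit(ciphers):
    """Split an offered-cipher list into 3-DES suites and everything else."""
    weak = [c["name"] for c in ciphers if is_3des(c)]
    rest = [c["name"] for c in ciphers if not is_3des(c)]
    return {
        "offers_3des": weak,
        "remaining": rest,
        # The client only *relies* on 3-DES if nothing else is offered.
        "relies_on_3des": bool(weak) and not rest,
    }


def negotiated(host, port=443, timeout=10):
    """Live check: return (protocol version, cipher name) the server selected."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample in the shape returned by SSLContext.get_ciphers()
LEGACY_CLIENT = [
    {"id": 0x0300000A, "name": "DES-CBC3-SHA",
     "description": "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1"},
]

if __name__ == "__main__":
    print("this build:", audit(ssl.create_default_context().get_ciphers()))
    print("constructed legacy client:", audit(LEGACY_CLIENT))
    # Network check against the sandbox host named on this page (needs network):
    # print(negotiated("apitest.authorize.net"))
```

A non-empty `remaining` list only shows the client has alternatives; whether the server accepts one of them is confirmed by the live `negotiated()` call.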

Comments
by bisonbl3u
on ‎06-07-2017 07:27 AM

I would like to post a comment on "TLS 1.1 and 1.0 Disabled in Sandbox on April 30, 2017 - Updated" but I cannot because there is no "Post a comment" link. Can you help me?

My question is this:

Now that TLS 1.0/1.1 have been disabled in sandboxes, can we assume that if we don't see issues/errors/warnings to this effect in a sandbox that all is well and we don't need to do anything? In other words: if everything looks good in the sandbox then it means that the payment solution is NOT using TLS 1.0 or 1.1 and therefore will NOT be affected when TLS 1.0 or 1.1 are definitely abandoned?

According to Debby in tech support, the Important TLS Disablement Notice seems to imply exactly this. But unfortunately it does not spell this out in an explicit way.

by Moderator Moderator
on ‎06-08-2017 08:34 AM

Thank you for your comment.

We typically turn off comments for blog posts because they are not as ideal for discussion as the forums, nor do they lend themselves to personal support like the Contact Us form would.

But to answer your question: Yes, if your solution connects successfully to test.authorize.net or apitest.authorize.net, without errors, it means your solution supports TLS 1.2, and you should not need to take further action as far as our TLS Disablement Notice is concerned.

But please bear in mind that you may have other services using earlier versions of TLS or SSL, so you will want to check with them to ensure overall PCI DSS compliance.