TLS Upgrade & Infrastructure Changes

At CashFlows we are committed to providing our customers with the most secure Payment Processing Service possible and to ensuring that the highest levels of system and data security are maintained.

In light of global security weaknesses that have been discovered in older versions of the TLS protocol and in RC4 encryption ciphers, we now support only TLS v1.2 and the latest, more modern and secure ciphers.

What do I need to do?

You will need to check and ensure that your systems are not using RC4 ciphers and are sending us transactional data using the TLS v1.2 protocol. Attempts to use non-supported TLS v1, v1.1 or any RC4 ciphers will fail in the near future.

In addition, if you have whitelisted our IP addresses, or your systems are still integrated with the legacy secure.voice-pay.com domain, you will need to reconfigure your systems to whitelist and integrate with the secure.cashflows.com domain.

DNS Resolution and changes to our IP addresses

We change IP addresses regularly for load balancing and disaster recovery tests. We therefore recommend that you connect using our DNS hostname and not a specific IP address.

Supporting TLS 1.2

Most browsers have supported TLS 1.2 for at least the last few years, so end users and shoppers are unlikely to be affected by this change. If you use our Remote API with very old libraries, you will need to update your integration.

A comprehensive list of support is available here: https://www.ssllabs.com/ssltest/clients.html

Remote API Library Support

If you have code that connects to the Remote API using very old libraries, you will need to update your integration to ensure that it continues to work. Each language and library is different, but we've identified the popular ones that may be of concern.

These languages DO NOT support TLS 1.2 and will no longer work:

  • Java 6u45 / 7u45
  • .NET before 4.5 (does not support TLS 1.2)
  • .NET 4.5 (must have a setting changed to explicitly enable TLS 1.2)
  • OpenSSL 0.9.8

Most dynamic languages, such as Ruby, PHP and Python, rely on the underlying operating system's OpenSSL version. OpenSSL 1.0.1 is the minimum required.

Browser Support

Most browsers have supported TLS 1.2 for several years.

The following browsers DO NOT support TLS 1.2 and will no longer work.

  • Google Chrome 29
  • Firefox 26
  • Internet Explorer 9
  • Safari 6
  • iOS 4
  • Android 4

Note: If you are using Internet Explorer 10 you will need to enable TLS 1.2 by going to Internet Options - Advanced Tab then ticking the 'Use TLS 1.2' checkbox and selecting 'Apply' to confirm the settings change.

Ciphers

Your server must always connect to us using the latest, more modern and secure ciphers.

The following ciphers are not permitted and will fail:

  • DES based ciphers
  • RC4 based ciphers
  • 3DES based ciphers
  • MD5 based ciphers
  • PSK based ciphers
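
One way to check a Python integration against the requirements above (TLS 1.2, OpenSSL 1.0.1 or later, none of the listed cipher families). This is an added example, not CashFlows code; the function names, the cipher string and the sample cipher names are assumptions made for illustration.

```python
import ssl

def cipher_families(name):
    """Return the forbidden families (sorted) that a cipher suite name belongs to."""
    tokens = set(name.upper().replace("_", "-").split("-"))
    found = {fam for fam in ("RC4", "MD5", "PSK") if fam in tokens}
    if "3DES" in tokens or "CBC3" in tokens:  # OpenSSL spells 3DES as DES-CBC3
        found.add("3DES")
    elif "DES" in tokens or "DES40" in tokens:
        found.add("DES")
    return sorted(found)

def flag_ciphers(names):
    """Map each offending cipher name to the families that make it forbidden."""
    return {n: cipher_families(n) for n in names if cipher_families(n)}

def hardened_client_context():
    """Client context limited to TLS 1.2+ with the forbidden families excluded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Cipher string is an assumption of this example, not a CashFlows recommendation.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!RC4:!3DES:!DES:!MD5:!PSK")
    return ctx

def audit_context(ctx):
    """Report whether this Python/OpenSSL build and context meet the notice."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "openssl_at_least_1_0_1": ssl.OPENSSL_VERSION_INFO[:3] >= (1, 0, 1),
        "tls12_available": ssl.HAS_TLSv1_2,
        "min_version_is_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "forbidden": flag_ciphers(c["name"] for c in ctx.get_ciphers()),
    }

# Constructed sample of legacy OpenSSL cipher names, for illustration only.
LEGACY_SAMPLE = ["RC4-MD5", "DES-CBC3-SHA", "DES-CBC-SHA",
                 "ECDHE-PSK-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"]

if __name__ == "__main__":
    print(flag_ciphers(LEGACY_SAMPLE))
    for key, value in audit_context(hardened_client_context()).items():
        print(f"{key}: {value}")
```

Passing the context your integration already uses to audit_context shows which of its enabled ciphers fall into a rejected family.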

Further Reading & Resources: