Hi
I´m trying to get a nopCommerce shop certified for safe shopping(nop 4.504). But they tell me that it's not safe.
They claim this:
Following Ciphers (algorithm choise) is not valid.
TLS version: 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
From SSLlabs.com:
Configuration
Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No
Cipher Suites
# TLS 1.2 (suites in server-preferred order)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH x25519 (eq. 3072 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH x25519 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
Any ideas what to do?
My webhost tells me that there should no problem at host, it must be shop related.
Weak security with TLS 1.2
MVP
- 11328
- 101032
- 22.05.2011
- United States
What version of nopCommerce are you using?
Release Notes - nopCommerce 4.40.0 (March 10th, 2021)
#5282 Let the operating system decide what TLS protocol version to use
Thus, nopCommerce itself does not perform TLS operations, but relies on the underlying .NET framework and the operating system. I.e., nopC lets the operating system decide what TLS protocol version to use. Therefore, if your nopCommerce is up-to-date, it should support both TLS 1.2 and TLS 1.3 if they are available on the server. If the 'certifiers' only want you to have TLS 1.3, then you need to adjust the OS settings.
What OS are you using? Windows? Linux?
There have been similar posts in the past; e.g.,
https://www.nopcommerce.com/en/boards/topic/52494/nopcommerce-340-error-when-using-tls-12
Release Notes - nopCommerce 4.40.0 (March 10th, 2021)
#5282 Let the operating system decide what TLS protocol version to use
Thus, nopCommerce itself does not perform TLS operations, but relies on the underlying .NET framework and the operating system. I.e., nopC lets the operating system decide what TLS protocol version to use. Therefore, if your nopCommerce is up-to-date, it should support both TLS 1.2 and TLS 1.3 if they are available on the server. If the 'certifiers' only want you to have TLS 1.3, then you need to adjust the OS settings.
What OS are you using? Windows? Linux?
There have been similar posts in the past; e.g.,
https://www.nopcommerce.com/en/boards/topic/52494/nopcommerce-340-error-when-using-tls-12