UPS shipping plugin error - (403) Forbidden

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
6 years ago
We will need to upgrade the UPS plugin to use TLS 1.1 or TLS 1.2 within this December.

We recently started to receive this (403) Forbidden exception on the DoRequest method of the UPSComputationMethod.cs file. Further investigation revealed that the exceptions were thrown by the UPS API at random. For the same address, sometimes we get a response and sometimes we don’t. When we contacted the UPS support team they gave the following reply:

"Currently, all of the CIE (test) environment servers have been updated to only accept TLS 1.2 requests.

UPS will be making changes to the Production servers beginning September 1, 2017 through December 31, 2017 to support enhancing our security. During this time, you may see intermittent failures for transactions using TLS 1.0 or earlier.

As of October 10, 2017, 50% of all API servers have been transitioned over to ignore any traffic using TLS 1.0.

Effective 12/31/2017, UPS will only accept TLS 1.1 and TLS 1.2 security protocols. It is highly recommended that the most current version, TLS 1.2, be implemented. After that date, any communication requests submitted to UPS using older protocols (TLS 1.0 or earlier) will fail."

I have created an issue on GitHub: https://github.com/nopSolutions/nopCommerce/issues/2754
6 years ago
What version of nopCommerce are you using?
6 years ago
a.m. wrote:
What version of nopCommerce are you using?

I am using version 3.3
6 years ago
Would someone comment if there are workarounds for this for those with an older nopCommerce version...

This suggests that code needs to be added to global.asax.cs (and thus a nopCommerce recompile is needed):
https://github.com/nopSolutions/nopCommerce/issues/2754


This suggests that those running on .NET 4.0 framework can make registry changes:
https://stackoverflow.com/questions/33761919/tls-1-2-in-net-framework-4-0

Is it possible to have both global.asax.cs and code like Application_Start in a script runat="server" element in the global.asax?


Or alternately, is it possible to modify (and recompile) the UPS plugin?  (what code would be required?)
6 years ago
Someone pointed this out to me

https://github.com/nopSolutions/nopCommerce/commit/3317af70270d49679dc39206c2afd033608351a7#diff-7f9d527fc25ea27bc239fd970c20e704

Has anyone tried adding the "ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;" line to an old UPS plugin to see if it works?  Is it enough to just update the UPS plugin, or will it also require a change to global.asax.cs file?
6 years ago
Someone pointed this out to me

https://www.nopcommerce.com/boards/t/47585/tls-12-in-eway-payment-gateway.aspx#188685

But making that global.asax change alone did not get his 3.70 UPS to work.
6 years ago
New York wrote:
Would someone comment if there are workarounds for this for those with an older nopCommerce version...

This suggests that code needs to be added to global.asax.cs (and thus a nopCommerce recompile is needed):
https://github.com/nopSolutions/nopCommerce/issues/2754


This suggests that those running on .NET 4.0 framework can make registry changes:
https://stackoverflow.com/questions/33761919/tls-1-2-in-net-framework-4-0

Is it possible to have both global.asax.cs and code like Application_Start in a script runat="server" element in the global.asax?


Or alternately, is it possible to modify (and recompile) the UPS plugin?  (what code would be required?)

I saw the registry change approach, which did not seem to be a good solution as you are going to force every application to go TLS 1.2. What if you need some application to stay on TLS 1.0 or older technologies on purpose?

For nopCommerce 3.3 I added the
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
to the
Application_Start()
method which worked for me. At least for the UPS API.
6 years ago
For me (3.7)  the registry key fix seems to have worked.  
https://stackoverflow.com/questions/33761919/tls-1-2-in-net-framework-4-0  (about halfway down)

- Set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319: SchUseStrongCrypto to DWORD 1

Of course that fix requires .net 4.0 or 4.5.   I don't recall what nopCommerce version switched to 4.0 so it may not work on older versions.
6 years ago
tarheit wrote:
For me (3.7)  the registry key fix seems to have worked.  
https://stackoverflow.com/questions/33761919/tls-1-2-in-net-framework-4-0  (about halfway down)

- Set the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319: SchUseStrongCrypto to DWORD 1

Of course that fix requires .net 4.0 or 4.5.   I don't recall what nopCommerce version switched to 4.0 so it may not work on older versions.

I saw the Reg fix suggestion at stackoverflow. I personally did not like it as:
- The site will break again if you change the hosting
- You are forcing all applications on the server to go TLS 1.2. That might not be a good idea.
- There would be errors on your localhost. Surely it is not a good idea to apply the reg fix on your development machine

I preferred to switch the nopCommerce site to TLS 1.2.
6 years ago
I added the code to the V3.4 UPS Plugin that came with the 3.4 version of nop and it fixed my problem.
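
The code-side fix discussed in this thread, as an added example that is not part of any post above and is not nopCommerce's own code. It assumes a project targeting .NET Framework 4.5 or later; `OutboundTls`, `Configure` and `Probe` are hypothetical names, and the host to probe is passed as an argument rather than hard-coded.

```csharp
// Added example (hypothetical helper, not nopCommerce code).
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

public static class OutboundTls
{
    // Call once, e.g. as the first line of Application_Start() in Global.asax.cs.
    // ServicePointManager.SecurityProtocol is static, so it applies to every
    // HttpWebRequest the site makes, not only to requests from the UPS plugin.
    public static SecurityProtocolType Configure()
    {
        // Only the versions the UPS notice says remain accepted.
        // SSL 3.0 and TLS 1.0 are deliberately left out.
        ServicePointManager.SecurityProtocol =
            SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12;
        return ServicePointManager.SecurityProtocol;
    }

    // Opens a raw TLS connection restricted to TLS 1.1/1.2 and returns the
    // version actually negotiated. Throws if the handshake fails, for example
    // when the operating system cannot offer either version. The server
    // certificate is validated against the machine trust store.
    public static SslProtocols Probe(string host, int port = 443)
    {
        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false))
        {
            ssl.AuthenticateAsClient(host, null,
                SslProtocols.Tls11 | SslProtocols.Tls12, false);
            return ssl.SslProtocol;
        }
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        Console.WriteLine("Enabled for this process: " + OutboundTls.Configure());
        // Pass the API host name as the first argument to test the handshake.
        if (args.Length > 0)
            Console.WriteLine("Negotiated with " + args[0] + ": "
                + OutboundTls.Probe(args[0]));
    }
}
```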