We got this notice from CyberSource:
I assume this means we have to limit outbound CFHTTP calls as TLS 1.2
Can someone provide information on:
1. How we can configure this
2. How we can actually test this, like using a script to output which version of TLS we are connecting with?
Dear Valued Merchant,
As previously announced, CyberSource is moving to eliminate support of Data Encryption Standard (also known as "3DES" or "Triple DES") security ciphers for securing browser based as well as server-to-server communication channels.
All merchants opening secure browser-based connections to CyberSource web portals and/or server-to-server connections to our transaction processing endpoints will need to ensure that they are not using DES-based ciphers to establish the necessary TLS connections to CyberSource, prior to the termination date, to avoid possible Production impact.
Note: These ciphers have already been disabled in our CAS, or Sandbox, environment so you may test connections there to help ensure continued connectivity.
Our current schedule for terminating support of DES-based ciphers in these connections will be on September 26, 2017 during one of our routine Network maintenance windows. If your systems utilize DES-based ciphers – and cannot support more modern/secure options - after this change is made, your transactions to CyberSource will fail.
Please make note of this upcoming change and take any needed actions to ensure that your connections to CyberSource properties make use of industry best practices. These would include using the TLS v1.2 protocol for secure connections, secured by a current and secure cipher suite.
Should you have further questions about this change, please refer to our Knowledgebase article on the subject of upcoming Security updates, which can be found here:
If further clarification is required, you may also reach out to our CyberSource Customer Support team via your usual methods.
CyberSource Customer Support
You'll need the proper JVM version to use TLS 1.2 (CF10 - v1.8, CF11, v1.7+). CF10 will use the JVM's default connection (TLSv1.2). You can force usage of TLS v1.2 in CF11 using JVM args in the CF Admin by specifying something like -Dhttps.protocols=TLSv1.2.
To test it sounds like you could utilize the sandbox environment at Cybersource.