Cart can't connect to Authorize.net with TLS 1.0 disabled

I admin an ecommerce site that has been running fine with eshop cart and Authorize.net for many years. Our card processor requires that we be scanned by TrustWave. TrustWave is now requiring that we disable TLS 1.0 and enable TLS 1.1 & 1.2. I've done that, but with TLS 1.0 disabled the cart can no longer connect to Authorize.net when we try to run the payment. We are running on 2008 R2 with a Symantec certificate. I tried the same setup on another identical server running the identical cart and a GoDaddy cert going to Authorize.net, with the same result. If I enable TLS 1.0 everything goes back to working. I haven't contacted Authorize.net but I have talked to support for the shopping cart. They tell me it's not their issue. What does this sound like is happening???
Ollie-Owl asked:
arnold commented:
When you disabled TLS 1.0, where did you do that, and did you make sure that TLS 1.1 and 1.2 are still available?

Are you on a Windows/Linux system? Are the changes you are making in openssl.conf or within the cipher/Schannel settings in the registry?
kevinhsieh commented:
It is possible that authorize.net doesn't support TLS 1.1 or 1.2. I don't know which hosts you need to connect to, but you can check their servers at https://www.ssllabs.com/ssltest/index.html .

If using Windows, you can disable the TLS 1.0 server functionality independently from the TLS 1.0 client side functionality.
Ollie-Owl (author) commented:
This is a Windows server, 2008 R2. I enabled Server & Client for 1.1 & 1.2, both in the registry.
This is where I've made the registry changes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

I followed some instructions on the web to enable and disable the appropriate protocols. Is there another place that I should be making changes? I get confused on client side and server side. I assume TrustWave is scanning the server side, so I would want to disable that. I haven't tried leaving the client side on. When my server contacts Authorize.net, am I using their certificate or mine? Is it a client issue or a server issue on my part? Sorry, but I don't understand some of this.

kevinhsieh commented:
Underneath Protocols, you need some more keys. The following registry settings will disable TLS 1.0 for server connections that you are being scanned against, but will allow you to initiate TLS 1.0 connections to other servers. When you connect to authorize.net, you are looking at their certificate. They probably aren't checking yours.

Making these changes should help you pass the scan, but realistically authorize.net needs to change their security too or the information is still just as "at risk" as if you had TLS 1.0 enabled on the server, but they are probably a much bigger target, and should fail their own scans.

Windows Registry Editor Version 5.00

; Schannel keeps separate settings per side under each protocol key:
; "Client" governs outbound connections this machine initiates,
; "Server" governs inbound connections (what the scanner tests).
; On 2008 R2 the new values take effect after a reboot.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

; Client side: keep TLS 1.0 available for outbound calls to the payment gateway
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000000

; Server side: stop offering TLS 1.0 to inbound connections
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001

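Added example (not from this thread or from any of the posters): a PowerShell audit of the Schannel protocol keys discussed above, so you can confirm on the server itself that TLS 1.0 is off on the Server side while the Client side, and TLS 1.1/1.2 on both sides, remain available. It assumes PowerShell 3.0 or later and an elevated session; the `Get-SchannelProtocolState` function name is my own, and a value shown as "(OS default)" means the key or value is absent and Schannel's built-in default for that Windows version applies.

```powershell
# Added example: audit Schannel protocol settings per side (Client = outbound, Server = inbound).
# Assumption: PowerShell 3.0+, run elevated on the Windows server being scanned.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocols = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )
    foreach ($proto in $Protocols) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path (Join-Path $SchannelProtocols $proto) $side
            $enabled = $null
            $disabledByDefault = $null
            if (Test-Path $path) {
                # Missing values come back as $null, which we report as the OS default.
                $item = Get-ItemProperty -Path $path
                $enabled = $item.Enabled
                $disabledByDefault = $item.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                KeyPresent        = (Test-Path $path)
                Enabled           = if ($null -eq $enabled) { '(OS default)' } else { $enabled }
                DisabledByDefault = if ($null -eq $disabledByDefault) { '(OS default)' } else { $disabledByDefault }
            }
        }
    }
}

# Flag the two conditions this thread cares about: inbound TLS 1.0 must be off,
# and at least one of TLS 1.1/1.2 must be usable for outbound (Client) connections.
function Test-SchannelSplitConfig {
    $state = Get-SchannelProtocolState
    $tls10Server = $state | Where-Object { $_.Protocol -eq 'TLS 1.0' -and $_.Side -eq 'Server' }
    $serverOff = ($tls10Server.Enabled -eq 0) -or ($tls10Server.DisabledByDefault -eq 1)
    $modernClient = $state | Where-Object {
        $_.Side -eq 'Client' -and ($_.Protocol -eq 'TLS 1.1' -or $_.Protocol -eq 'TLS 1.2') -and
        $_.Enabled -ne 0 -and $_.DisabledByDefault -ne 1 -and $_.KeyPresent
    }
    [pscustomobject]@{
        InboundTls10Disabled       = $serverOff
        OutboundTls11or12Available = [bool]$modernClient
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Test-SchannelSplitConfig
```

Because 2008 R2 only reads these keys at boot, run the audit after the reboot, not just after importing the .reg file; `Test-SchannelSplitConfig` deliberately treats an absent TLS 1.1/1.2 Client key as "not confirmed available", since the OS default on 2008 R2 is not something to rely on when a payment gateway is about to retire TLS 1.0.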
Ollie-Owl (author) commented:
Authorize.net says that they do 1.0, 1.1 and 1.2 and will probably disable 1.0 in summer 2016, so they should be able to see my 1.1 or 1.2. I'm setting up another server with the identical specs. I can't use my production server to reboot after each registry change. Once I get that done, I'll be able to look at a few different combinations to see exactly which ones fail. Should take a day or two. Thanks for your help so far. Will be back soon.
arnold commented:
One option is to test their side. On a Linux/Unix box:
openssl s_client -connect authorize.net:port

Look at the data to see which protocols/ciphers they make available.

There is an OpenSSL install available for windows.
Test your registry change/configuration on a desktop where you can restart, to make sure it functions, so that you can then implement the change once on the prod server.

The settings might also be in the HKCU hierarchy in the same locations.
Ollie-Owl (author) commented:
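Added example, complementing arnold's `openssl s_client` suggestion above (this is my code, not arnold's and not anything from Authorize.net): a PowerShell probe that attempts a TLS handshake to a remote host once per protocol version from the Windows server itself, so it exercises the same Schannel Client-side settings the cart depends on rather than an OpenSSL stack on another machine. It assumes PowerShell 3.0 or later on .NET 4.5 or later (the `Tls11`/`Tls12` enum members do not exist on older frameworks); the host `authorize.net` and port 443 are placeholders taken from the thread, and the `Test-TlsHandshake` function name is my own.

```powershell
# Added example: try a TLS handshake at each requested version and report what was negotiated.
# Assumption: PowerShell 3.0+ on .NET 4.5+ (needed for SslProtocols.Tls11/Tls12).
function Test-TlsHandshake {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    foreach ($proto in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl = $null
        try {
            $client.Connect($HostName, $Port)
            # SslStream is built on Schannel, so the Client-side registry keys govern this handshake.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
            # Offer only the one protocol under test; a failure here means that version
            # is unavailable on our side, refused by the remote side, or both.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $true)
            [pscustomobject]@{
                Host       = $HostName
                Requested  = $proto
                Result     = 'OK'
                Negotiated = $ssl.SslProtocol
                Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            }
        } catch {
            [pscustomobject]@{
                Host       = $HostName
                Requested  = $proto
                Result     = 'FAIL: ' + $_.Exception.GetBaseException().Message
                Negotiated = $null
                Cipher     = $null
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Close()
        }
    }
}

# Placeholders from the thread: substitute the gateway host and port the cart actually calls.
Test-TlsHandshake -HostName 'authorize.net' -Port 443 | Format-Table -AutoSize
```

Run it before and after the registry change (and after the reboot) and compare the rows: if `Tls` fails and `Tls11`/`Tls12` succeed, Schannel is fine and the remaining suspect is the cart's own HTTP client, which may be built on an older .NET or WinHTTP stack with its own protocol list and can therefore still differ from what this probe negotiates.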
Got it working with kevinhsieh solution... Not the best BUT the best of now. Thanks
kevinhsieh commented:
You might be able to enable TLS 1.1 and 1.2 client, and then disable TLS 1.0 client. Same registry as before, just with different TLS versions.