Moovweb Help Center

How to Block TLS v1.0 Requests with the Moov SDK


In April 2015, the PCI Security Standards Council stated that starting June 30th, 2016, only TLS v1.1 or higher would be acceptable for PCI compliance. Later, in December 2015, the Council extended the deadline for discontinuing SSL and TLS v1.0 to June 30th, 2018. Here is their post on the extension:

"The Payment Card Industry Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from Secure Sockets Layer (SSL) and Transport Layer Security (TLS) v1.0 to a secure version of TLS (currently v1.1 or higher). These dates provided by PCI SSC as of December 2015 supersede the original dates issued in both PCI Data Security Standard v3.1 (PCI DSS 3.1) and in the Migrating from SSL and early TLS Information Supplement in April 2015."

Moovweb adds the HTTP header "X-SSL-Proto" to each HTTPS request it forwards. It carries the TLS version the edge negotiated with the client: TLSv1, TLSv1.1 or TLSv1.2. Customers can use this header to selectively redirect users whose connection does not meet the minimum TLS version the customer has defined.


How to block TLS 1.0 requests

Customers who want to reject TLS 1.0 requests need to add a few lines of code to their project to redirect these users to an error page. Here is an example of how to do this. Note that this check runs after the Moovweb edge has already completed the TLS 1.0 handshake and received the request; it refuses to serve the page content to that client, but it is not the same as turning TLS 1.0 off at the edge.

Detect the TLS version and set a flag

Insert these lines near the top of the module.exports = function() { in ./scripts/index.js:

  module.exports = function() {
    // X-SSL-Proto reaches Adapt code as env.x_ssl_proto (name lowercased,
    // dashes as underscores). It is only present on HTTPS requests.
    if (env.x_ssl_proto === 'TLSv1') {
      // Send the TLS 1.0 client to the error page and stop processing here.
      fns.export('Location', '/error_page.html');
      env.response_code = 302;
      return { body: '', htmlparsed: false };
    }

    // ... the rest of your existing module.exports body follows unchanged ...
  };

Two things to watch with this snippet. First, the client fetches /error_page.html over the same TLS 1.0 connection, so unless that path is served without running this code, the redirect will fire again and the browser will loop; either exempt the error page path from the check or return the error body directly with a 4xx response code instead of redirecting. Second, the comparison passes anything that is not exactly 'TLSv1', including requests with no header at all (plain HTTP); if you later need to require TLS 1.2, compare against the minimum version you accept rather than against one specific string.
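
The following is an added example, not Moovweb's own code: the same check written as a pure function that can be unit-tested outside the Moov SDK, compared by minimum version rather than by one string, with the error page exempted so the redirect cannot loop, plus a small adapter onto the env/fns calls shown in the snippet above. The request shape ({ headers, path }), the option names and the fail-closed handling of an unrecognised value are assumptions, not SDK behaviour.

```javascript
// Added example (not Moovweb's code). Request shape, option names and the
// fail-closed choice for unknown values are assumptions.

// Versions the edge can report, weakest first (TLSv1.3 listed as "future").
const TLS_ORDER = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];

function tlsRank(proto) {
  return TLS_ORDER.indexOf(proto); // -1 for anything not in the list
}

// Case-insensitive header lookup that also accepts the SDK's env-style
// name (x_ssl_proto) next to the wire name (X-SSL-Proto).
function header(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase().replace(/_/g, '-') === want) return headers[key];
  }
  return undefined;
}

// Decide what to do with a request. Returns one of:
//   { action: 'pass' }
//   { action: 'redirect', status: 302, location }
//   { action: 'block', status: 403, body }
function tlsGate(req, opts = {}) {
  const minVersion = opts.minVersion || 'TLSv1.1';
  const errorPath = opts.errorPath || '/error_page.html';
  const proto = header(req.headers, 'X-SSL-Proto');

  // The error page is fetched over the same (old) TLS connection; gating it
  // too would redirect the client in a loop.
  if (req.path === errorPath) {
    return { action: 'pass', reason: 'error page is exempt' };
  }

  // No header: the edge only sets X-SSL-Proto on HTTPS. Plain HTTP has no
  // TLS version to judge, so it is passed through here (policy choice).
  if (proto === undefined) {
    return { action: 'pass', reason: 'no X-SSL-Proto header (plain HTTP)' };
  }

  // A value outside the documented set did not come from the edge as
  // expected; fail closed rather than guess (assumption, not SDK behaviour).
  if (tlsRank(proto) < 0) {
    return { action: 'block', status: 403, body: 'Unrecognised TLS version' };
  }

  // Compare by rank, so raising minVersion to TLSv1.2 later is one change.
  if (tlsRank(proto) < tlsRank(minVersion)) {
    return { action: 'redirect', status: 302, location: errorPath };
  }
  return { action: 'pass' };
}

// Apply a decision using the SDK calls the page shows (fns.export,
// env.response_code, returned body). Returns the value the Adapt function
// should return when the request was handled, or null to carry on normally.
function applyDecision(decision, env, fns) {
  if (decision.action === 'redirect') {
    fns.export('Location', decision.location);
    env.response_code = decision.status;
    return { body: '', htmlparsed: false };
  }
  if (decision.action === 'block') {
    env.response_code = decision.status;
    return { body: decision.body, htmlparsed: false };
  }
  return null;
}

// Stand-alone demo with constructed requests.
console.log(tlsGate({ headers: { 'X-SSL-Proto': 'TLSv1' }, path: '/' }));
console.log(tlsGate({ headers: { x_ssl_proto: 'TLSv1.1' }, path: '/' }, { minVersion: 'TLSv1.2' }));
console.log(tlsGate({ headers: {}, path: '/' }));
```

Inside ./scripts/index.js you would call tlsGate with the request the SDK gives you and return the result of applyDecision when it is not null; everything else in the module runs as before.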

Valid Values for the X-SSL-Proto Header

  • TLSv1
  • TLSv1.1
  • TLSv1.2
  • TLSv1.3 (future)

Testing Locally with the Moov SDK

Note: The Moov SDK does not inject the X-SSL-Proto header. You can test locally by inserting the header into your requests by hand, e.g.

curl -H "X-SSL-Proto: TLSv1" localhost/

Because the check reads only the header and not the actual connection, you do not need to use HTTPS to test locally. Send the request once with TLSv1 (expect the redirect) and once with TLSv1.1 or TLSv1.2 (expect the normal page) to cover both branches.

Deploy your project to the MoovCloud

Once you deploy your project to the MoovCloud, you can test your code by browsing to your project via HTTPS. 

Note: In the MoovCloud, the X-SSL-Proto header is only injected on HTTPS requests. HTTP requests will not have the X-SSL-Proto header, so the check above does not apply to them.

Debugging Your Requests

The X-SSL-Proto header is injected into the requests Moovweb makes to the upstream host. This header is not returned to the web browser. If you want to see the X-SSL-Proto header that is sent to the upstream host, add the following query parameter to your URL. Because the decision rests entirely on this header, it is also worth confirming here that the edge sets it from the connection it terminated and does not pass through a value supplied by the client: send a request with your own X-SSL-Proto header over TLS 1.2 and check which value appears in the upstream headers.

https://<your domain>/?__moov_debug_options=get-upstream-headers

This query parameter causes MoovCloud to return a debug HTTP header "x-moov-debug-upstream-headers" which contains the request line and the list of HTTP headers sent to the Adapt code and the upstream host. E.g.

x-moov-debug-upstream-headers:
"GET / HTTP/1.0
Host: developer.moovweb.com
Connection: close
X-Http2-Proto: h2
X-SSL-Proto: TLSv1.2
accept: */*
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
X-Forwarded-For: 209.136.227.218
Accept-Encoding: gzip,deflate
Via: 1.0 moovweb"

In this example you can see the X-SSL-Proto header carries the value "TLSv1.2".
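
The value of x-moov-debug-upstream-headers is the raw request head (request line followed by header lines) that MoovCloud sent upstream. The following is an added example, not Moovweb's code, of parsing that value and pulling out the TLS version the edge observed, so the check can be scripted rather than read by eye. The sample input is constructed from the page's example above; accepting CRLF or LF line endings and joining duplicate headers with a comma are assumptions about the format.

```javascript
// Added example (not Moovweb's code): parse the x-moov-debug-upstream-headers
// value. Line-ending handling and duplicate-header joining are assumptions.

function parseUpstreamHeaders(raw) {
  // Strip the surrounding quotes the debug header wraps the value in.
  const text = raw.trim().replace(/^"/, '').replace(/"$/, '');
  const lines = text.split(/\r?\n/).map((l) => l.trim()).filter((l) => l.length > 0);
  if (lines.length === 0) throw new Error('empty upstream header dump');

  // First line is the request line: METHOD TARGET VERSION.
  const [method, target, version] = lines[0].split(/\s+/);
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(':');
    if (idx < 0) throw new Error('malformed header line: ' + line);
    // Header names are case-insensitive; store them lowercased.
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    // Duplicate headers are joined with a comma, as HTTP allows.
    headers[name] = name in headers ? headers[name] + ', ' + value : value;
  }
  return { method, target, version, headers };
}

// The TLS version the edge observed, or null when the header is absent
// (which is what a plain-HTTP request looks like).
function tlsVersionFromDebug(raw) {
  const proto = parseUpstreamHeaders(raw).headers['x-ssl-proto'];
  return proto === undefined ? null : proto;
}

// Constructed sample, modelled on the page's example (user-agent shortened).
const SAMPLE_DEBUG_HEADER = [
  '"GET / HTTP/1.0',
  'Host: developer.moovweb.com',
  'Connection: close',
  'X-Http2-Proto: h2',
  'X-SSL-Proto: TLSv1.2',
  'accept: */*',
  'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36',
  'X-Forwarded-For: 209.136.227.218',
  'Accept-Encoding: gzip,deflate',
  'Via: 1.0 moovweb"',
].join('\r\n');

console.log(parseUpstreamHeaders(SAMPLE_DEBUG_HEADER));
console.log('TLS version seen by the edge:', tlsVersionFromDebug(SAMPLE_DEBUG_HEADER));
```

To use it against a live site, fetch the page with the __moov_debug_options=get-upstream-headers query parameter, read the x-moov-debug-upstream-headers response header, and pass its value to tlsVersionFromDebug.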

