Best Practices for TLS Configuration

Before checking your TLS version and cipher suites, it’s important to align with industry best practices to ensure secure and compliant communication with PayNearMe’s systems. Fastly recommends the following TLS configuration standards:

Use TLS 1.2 or higher – TLS 1.0 and 1.1 are deprecated and no longer secure.
Enable only strong cipher suites – Avoid weak ciphers like those using SHA-1 or RC4, as they are no longer considered secure.
Disable anonymous key exchanges – Ensure all cipher suites use authenticated encryption (e.g., TLS_AES_256_GCM_SHA384).
Support Forward Secrecy (PFS) – Use cipher suites that include Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) for better security.
Disable static RSA key exchange – RSA key exchange does not provide perfect forward secrecy and is considered outdated.

📘
Fastly TLS Prerequisites
For more information on Fastly's TLS recommendations, see their TLS prerequisites and limitations documentation.

🚧
Compatibility Requirements
To ensure compatibility with PayNearMe’s infrastructure, your systems must support TLS 1.2 or higher and must not use SHA-1-based cipher suites, which are deprecated due to security vulnerabilities.

1. Check Your TLS Version and Cipher Suites

Follow the steps below to check your TLS configuration and ensure compliance with the best practices listed above.

Windows Server (IIS)

Check the TLS Version

Open PowerShell as an Administrator and run the following command:
```
[Net.ServicePointManager]::SecurityProtocol
```
If TLS 1.2 or higher is supported, you will see Tls12 or Tls13 in the output.

Check Supported Cipher Suites

Run the following command to list available cipher suites:
```
Get-TlsCipherSuite
```
Review the output and look for any SHA-1 ciphers (e.g., TLS_RSA_WITH_AES_128_CBC_SHA).
If SHA-1 appears in the list, it must be removed.

📘
Microsoft Reference
For more information, see the Microsoft Cipher Suite Configuration.

Linux Servers (Nginx & Apache)

Check TLS Version and Cipher Suites

Open a terminal and run the following command:
```
openssl s_client -connect example.com:443 -tls1_2
```
If the connection is successful, TLS 1.2 is supported.
To list all supported ciphers, run the following command:
```
openssl ciphers -v
```
Look for SHA-1 ciphers (e.g., AES128-SHA).
If SHA-1 appears in the list, it must be removed.

📘
Linux Reference
For more information, see the OpenSSL Cipher Suites documentation.

Cisco Firewalls & Load Balancers

Check TLS Version

Log in via SSH or console and run the following command:
```
show ssl policy
```
Look for the TLS version in the configuration.

Check Supported Cipher Suites

Enter configuration mode:
```
configure terminal
```
List available ciphers:
```
show ssl ciphers
```
Look for SHA-1 ciphers (e.g., TLS_RSA_WITH_AES_128_CBC_SHA).
If SHA-1 appears in the list, it must be removed.

📘
Cisco Reference
For more information see the Cisco SSL Configuration Guide.

2. Use an Online SSL Checker

For a quick and non-technical check of your TLS and cipher settings, use Qualys SSL Labs Test:

Go to Qualys SSL Test.
Enter your domain name and click Submit.
Review the TLS version and cipher suite in the results.
Ensure that no SHA-1 ciphers are listed.

3. Next Steps

If SHA-1 appears in your cipher list, update your TLS cipher configuration to remove it.
Ensure that Fastly IPs are allowlisted.
If you are unable to update your ciphers, contact PayNearMe support immediately.