Reviewing Your TLS Version and Cipher Suites

Best Practices for TLS Configuration

Before checking your TLS version and cipher suites, align your configuration with the industry best practices below so that communication with PayNearMe’s systems is secure and compliant. Fastly sits in the path between PayNearMe and your systems (see the allowlisting note under Next Steps), so Fastly’s TLS requirements apply to your endpoints. Fastly recommends the following TLS configuration standards:

  • Use TLS 1.2 or higher – TLS 1.0 and 1.1 are deprecated (RFC 8996) and must be disabled.
  • Enable only strong cipher suites – Remove suites that use RC4 or a SHA-1 MAC. SHA-1 suites are recognizable by a name ending in _SHA or -SHA; names ending in SHA256 or SHA384 are not SHA-1.
  • Disable anonymous key exchanges – Reject suites that use unauthenticated Diffie-Hellman (DH_anon and ECDH_anon, shown as ADH and AECDH in OpenSSL naming) so the server is always authenticated by its certificate. Prefer AEAD suites such as TLS_AES_256_GCM_SHA384 (TLS 1.3) or TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (TLS 1.2).
  • Support Forward Secrecy (PFS) – Use cipher suites with Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange so that a later compromise of the server’s private key does not expose previously recorded sessions. Every TLS 1.3 suite provides forward secrecy.
  • Disable static RSA key exchange – Suites named TLS_RSA_WITH_... encrypt the session key with the certificate’s RSA key, provide no forward secrecy, and were removed from TLS 1.3.

📘

Fastly TLS Prerequisites

For more information on Fastly's TLS recommendations, see their TLS prerequisites and limitations documentation.

🚧

Compatibility Requirements

To ensure compatibility with PayNearMe’s infrastructure, your systems must support TLS 1.2 or higher and must not use SHA-1-based cipher suites, which are deprecated and are not accepted by PayNearMe’s infrastructure.

1. Check Your TLS Version and Cipher Suites

Follow the steps below to check your TLS configuration and ensure compliance with the best practices listed above.

Windows Server (IIS)

Check the TLS Version

  1. Open PowerShell as an Administrator and run the following command:
    [Net.ServicePointManager]::SecurityProtocol
    
  2. This shows the protocol versions that .NET will use in the current PowerShell session, not the full set that the operating system’s SChannel stack offers to IIS. Output containing Tls12 or Tls13 confirms TLS 1.2 or higher. Output of SystemDefault means the OS settings govern; in that case confirm the versions in the next step, where the Protocols column of Get-TlsCipherSuite lists 771 for TLS 1.2 and 772 for TLS 1.3.

Check Supported Cipher Suites

  1. Run the following command to list the cipher suites enabled on the system (IIS uses this SChannel list):
    Get-TlsCipherSuite
    
  2. Review the Name column for SHA-1 suites, whose names end in _SHA (e.g., TLS_RSA_WITH_AES_128_CBC_SHA). Suites ending in SHA256 or SHA384 are not SHA-1.
  3. Any SHA-1 suite must be disabled; Disable-TlsCipherSuite removes a named suite from the system’s priority list. Note that TLS_RSA_WITH_... suites also lack forward secrecy, so prefer suites with ECDHE in the name.

📘

Microsoft Reference

For more information, see the Microsoft Cipher Suite Configuration.

Linux Servers (Nginx & Apache)

Check TLS Version and Cipher Suites

  1. Open a terminal and run the following command, replacing example.com with your server’s hostname:
    openssl s_client -connect example.com:443 -tls1_2
    
    If the handshake completes (the output shows Protocol : TLSv1.2 and a negotiated cipher), TLS 1.2 is supported. Repeat the check with the TLS 1.0 and TLS 1.1 version flags; those handshakes should be refused.
  2. To list the ciphers your local OpenSSL library supports, run the following command:
    openssl ciphers -v
    
    This shows what the OpenSSL library can offer, not what your web server is configured to use. The authoritative list is the ssl_ciphers directive in Nginx or SSLCipherSuite in Apache.
  3. Look for SHA-1 ciphers (e.g., AES128-SHA); openssl marks them with Mac=SHA1.
  4. If SHA-1 appears in the server’s cipher configuration, remove it there and reload the service.

📘

Linux Reference

For more information, see the OpenSSL Cipher Suites documentation.

Cisco Firewalls & Load Balancers

Check TLS Version

  1. Log in via SSH or console and run the following command:
    show ssl policy
    
  2. Look for the minimum and maximum TLS versions in the output; TLS 1.0 and 1.1 must not be enabled.

Check Supported Cipher Suites

  1. Enter configuration mode:
    configure terminal
    
  2. List available ciphers:
    show ssl ciphers
    
  3. Look for SHA-1 ciphers (e.g., TLS_RSA_WITH_AES_128_CBC_SHA), whose names end in _SHA.
  4. If SHA-1 appears in the list, remove it from the device’s SSL cipher policy. The exact command syntax varies by Cisco platform and software version; confirm it against the configuration guide for your device.

📘

Cisco Reference

For more information see the Cisco SSL Configuration Guide.
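The three platform procedures above reduce to the same two questions: which protocol versions does the endpoint accept, and do any enabled suites use a SHA-1 MAC, RC4, an anonymous key exchange, or a key exchange without forward secrecy. The following Python script is an added example for this page, not code from PayNearMe, Fastly, or the vendors named above. It accepts cipher suite names in either the IANA form printed by Get-TlsCipherSuite and Cisco devices or the OpenSSL form printed by openssl ciphers -v, checks each suite against the best practices listed at the top of the page, and can optionally pin a handshake to a single TLS version against a live host. The embedded sample output is constructed for the example, and the hostname and port for the live probe are assumed to be supplied by you.

```python
"""Audit cipher suite names and probe TLS versions.

Added example for this page (not PayNearMe's, Fastly's, or any vendor's code).
The rules encode the page's policy: no SHA-1 MAC, no RC4, no anonymous key
exchange, and forward secrecy (ECDHE/DHE or TLS 1.3) for every enabled suite.
"""
import re
import socket
import ssl

# Constructed sample output, not captured from a real system. It mixes the
# IANA-style names printed by Get-TlsCipherSuite and Cisco devices with the
# `openssl ciphers -v` format used on Linux.
SAMPLE_OUTPUT = """\
Name
----
TLS_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-SHA          TLSv1   Kx=ECDH Au=RSA   Enc=AES(128)    Mac=SHA1
AES128-SHA                    SSLv3   Kx=RSA  Au=RSA   Enc=AES(128)    Mac=SHA1
"""

# A suite name is either an IANA name (TLS_...) or an OpenSSL name (dash-separated).
SUITE_NAME = re.compile(r"^(?:TLS_[A-Za-z0-9_]+|[A-Z0-9]+(?:-[A-Z0-9]+)+)$")
SHA1_MAC = re.compile(r"[-_]SHA$")                   # ..._SHA / ...-SHA, but not SHA256/SHA384
ANONYMOUS = re.compile(r"_anon_|^A(?:EC)?DH-")        # DH_anon / ECDH_anon, ADH- / AECDH-
FORWARD_SECRET = re.compile(r"ECDHE|DHE|^EDH-|^TLS_(?:AES|CHACHA20)_")  # ephemeral DH or TLS 1.3


def parse_suite_list(text):
    """Return the suite names found in command output, taking the first token of each line."""
    names = []
    for line in text.splitlines():
        fields = line.split()
        if fields and SUITE_NAME.match(fields[0]):
            names.append(fields[0])
    return names


def classify(suite):
    """Return the policy findings for one suite; an empty list means it is acceptable."""
    findings = []
    if SHA1_MAC.search(suite):
        findings.append("sha1-mac")
    if "RC4" in suite:
        findings.append("rc4")
    if ANONYMOUS.search(suite):
        findings.append("anonymous")
    if not FORWARD_SECRET.search(suite):
        findings.append("no-forward-secrecy")
    return findings


def audit(suites):
    """Map each non-compliant suite to its findings; an empty dict means the list passes."""
    report = {}
    for suite in suites:
        findings = classify(suite)
        if findings:
            report[suite] = findings
    return report


def probe_protocol(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to one TLS version; return (handshake_ok, cipher_name).

    A compliant server accepts ssl.TLSVersion.TLSv1_2 (and ideally TLSv1_3) and
    refuses TLSv1 and TLSv1_1. A False result for TLS 1.0/1.1 can also mean the
    local OpenSSL build refuses to speak them, so confirm a rejection with
    `openssl s_client -tls1` / `-tls1_1` when in doubt.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, OSError):
        return False, None


if __name__ == "__main__":
    import sys

    for name, findings in audit(parse_suite_list(SAMPLE_OUTPUT)).items():
        print(f"{name}: {', '.join(findings)}")
    # Optional live check against a host and port you supply (assumed arguments):
    #   python tls_audit.py your.host.example 443
    if len(sys.argv) == 3:
        versions = (("TLS 1.0", ssl.TLSVersion.TLSv1), ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
                    ("TLS 1.2", ssl.TLSVersion.TLSv1_2), ("TLS 1.3", ssl.TLSVersion.TLSv1_3))
        for label, ver in versions:
            ok, cipher = probe_protocol(sys.argv[1], int(sys.argv[2]), ver)
            print(f"{label}: {'accepted ' + cipher if ok else 'rejected'}")
```

Run it with no arguments to audit the embedded sample; pass a hostname and port to probe a live endpoint. An accepted TLS 1.0 or 1.1 handshake is a finding in its own right, independent of the cipher list. The name patterns deliberately stay conservative: a suite that carries neither ECDHE, DHE, nor a TLS 1.3 name is reported as lacking forward secrecy, which also catches static ECDH (TLS_ECDH_RSA_...) suites the page does not list by name.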

2. Use an Online SSL Checker

For a quick, external check of your TLS and cipher settings, use the Qualys SSL Labs Server Test. It scans from the internet, so the endpoint must be publicly reachable:

  1. Go to Qualys SSL Test.
  2. Enter your domain name and click Submit.
  3. Review the Protocols and Cipher Suites sections of the report.
  4. Ensure that TLS 1.0 and 1.1 are reported as not supported and that no SHA-1 cipher suites are listed.

3. Next Steps

  • If SHA-1 appears in your cipher list, update your TLS cipher configuration to remove it.
  • Ensure that Fastly IPs are allowlisted.
  • If you are unable to update your ciphers, contact PayNearMe support immediately.