IMPORTANT UPS UPDATE: TLS 1.2 CIPHERS SUITE SUPPORTED BY UPS ARE LIMITED NOW

For all VPCart merchants that are using UPS module, if your UPS is suddenly not working on your site, or you are getting error "An error occurred in the secure channel support Using XML2" then you may want to contact your web host regarding the TLS 1.2 ciphers suite settings.

According on UPS page at:
https://www.ups.com/us/en/help-center/technology-support/data-security.page

Previously UPS allow most of chipers below for the application to:

• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Now that we found UPS only limited to support the following chipers:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

So you will need to contact your webhost to allow ONE of the above ciphers for UPS to work.

IMPORTANT NOTE: The above is not our VPCart standard to require those ciphers to run UPS module, but it is requirements from UPS.

==================================================================================================

Below are the steps on how to set up your server to accept the required ciphers. (This must be done by server administrators or you can forward this to your web host administrator):

1. Win + R >> enter gpedit.msc >> press Enter.
2. Computer Configuration >> Administrative Templates >> Network >> SSL Configuration Settings >> SSL Cipher Suite Order.
3. Set the radio-button to Enabled.
4. Enter the cipher suites you would like to make the server work with into SSL Cipher Suites field.

   This field is a whitelist of ciphers your server is permitted to use for SSL/TLS handshake in order of server preference. You can keep from disabling weak ciphers in registry, specifying the ciphers you like in this field.

5. Example lets say you have existing ciphers below:

   cipherABC,cipherXYZ,cipherXXX,cipherYYY etc..

   Then you can add the cipher(s) required by UPS followed by your existing ciphers. So it should become:
   
   TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,cipherABC,cipherXYZ,cipherXXX,cipherYYY
   
   NOTE: Remember to replace cipherABC,cipherXYZ,cipherXXX,cipherYYY with your existing available ciphers.

   Once the required ciphers are entered, click Apply >> OK.

6. Restart Windows Server (it's obligatory to apply the changes).
   
   
7. Go to website SSL labs and enter your domain name to see the result.
   
   
8. Wait for few minutes for the site to scan your domain and after result is loaded 100%, please locate the "Cipher Suites" section.
   If the required UPS ciphers are added correctly, you should see the ciphers listed for your domain.
   
   
   
   
9. You can then go to test on your VPCart site to check if UPS module is able to retrieve rates during checkout.
   
   
10. If in case the UPS is still not returning rates, there is one additional step required to modify your server registry as mentioned on Microsoft site:
    https://docs.microsoft.com/en-us/security-updates/securityadvisories/2016/3174644
    
    update registry:
    
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman
    ServerMinKeyBitLength=dword:00000800
    2048
    
    As in some machines, you may need to the registry above to make ciphers work.
    

==================================================================================================

For existing Business Ready Plan customers and VPCart hosting customers, you do not need to worry about this as we have updated all our VPCart servers to support one of the 4 chipers above.

If you are hosting with external server and having such UPS issue, please follow these:

- Ask your webhost to enable ONE of the 4 ciphers above on the server.
If your webhost is unable to do the TLS 1.2 ciphers change for you, you can consider moving to our Business Ready Plan or VPCart hosting which is already supporting the TLS 1.2 ciphers suite required by UPS.

- The problem with UPS error "An error occurred in the secure channel support Using XML2" is related to the ciphers issue above. If your webhost able to fix the chipers on your server then UPS will work ok.
If you are using VPCart 9, we recommend you to use our latest VPCart UPS module at:
https://www.vpcart.com/sales/addons900.asp

If you have done the above and UPS are still not showing you can post a helpdesk ticket to us at:
https://helpdesk.vpcart.com

Thank You.