Engineering Blog

Using Rebex to Support TLS 1.2 in Legacy .NET Environments

With the release of the PCI 3.2 standard, payments companies are being mandated to disable support for TLS 1.0 in their products and start supporting TLS 1.2. Meeting these new stricter security requirements without requiring massive software and hardware upgrades for their merchants can be challenging.

Up until Windows 7, Microsoft only supported TLS 1.0. Windows 7 and 8 supported TLS 1.2, but support for that encryption protocol was disabled by default. It was only in Windows 8 and later that Microsoft supported TLS 1.2 by default "out of the box".

Many popular points of sale are .NET apps that run on Windows. As these points of sale tend to have expected lifespans of 10+ years, our industry is challenged with how to support modern encryption protocols on not-so-modern operating systems that don't support those protocols.

Frameworks like Rebex fill that niche.

Rebex HTTPS implements modern TLS features on all supported platforms including .NET Compact Framework 3.5/3.9 (Windows Mobile 5/6, Windows CE, Pocket PC, Windows Embedded Compact) and .NET 2.0/3.0/3.5 (even on Windows XP SP3 and Windows Vista).

Rebex HTTPS supports the following TLS/SSL features:
  • TLS 1.2, 1.1, 1.0
  • Elliptic Curve DSA and Elliptic Curve Diffie-Hellman ciphers
  • AES/GCM ciphers
  • SHA-2 certificates
  • SHA-2 hashing algorithms
  • Server Name Indication (SNI) extension
  • Renegotiation Indication extension

With Rebex, you can replace System.Net.WebRequest's standard HTTPS/HTTP request handler with Rebex's implementation that supports modern security standards. Just call Rebex.Net.HttpRequestCreator.Register() and you are (almost) done. Both WebRequest and WebClient are supported. In many cases, there is no need to change your old code (except registering Rebex HTTPS).

Rebex also allows you to easily replace the transport layer of SOAP web services with a new, secure HTTPS implementation. No need to change your old code (except registering Rebex HTTPS).

As you can see from the code snippet below, using Rebex is straightforward, as it's designed to be a drop-in replacement for Microsoft's System.Net classes. It's a fast, painless, and relatively inexpensive way to bring your point of sale into PCI 3.2 compliance, and support modern encryption protocols.
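
The registration step described above, as an added example (not the original post's snippet and not Rebex's own sample code). It registers Rebex as the WebRequest handler and restricts the handshake to TLS 1.2. The endpoint URL and class name are constructed for illustration, and Settings.SslAllowedVersions and TlsVersion.TLS12 should be checked against the Rebex version you have installed.

```csharp
using System;
using System.IO;
using System.Net;
using Rebex.Net;

class PosGatewayClient
{
    // Hypothetical endpoint, constructed for this example.
    const string GatewayUrl = "https://gateway.example.com/api/ping";

    static void Main()
    {
        // Run once at application start-up, before any request is created.
        HttpRequestCreator creator = new HttpRequestCreator();

        // Offer TLS 1.2 only, so a peer limited to TLS 1.0 fails the
        // handshake instead of negotiating the older protocol.
        creator.Settings.SslAllowedVersions = TlsVersion.TLS12;

        // From here on, WebRequest.Create() and WebClient use Rebex's TLS
        // implementation for http:// and https:// URLs.
        creator.Register();

        try
        {
            // Existing code stays as it was: it still goes through
            // System.Net.WebRequest, which now hands out Rebex requests.
            WebRequest request = WebRequest.Create(GatewayUrl);
            using (WebResponse response = request.GetResponse())
            using (StreamReader reader = new StreamReader(response.GetResponseStream()))
            {
                Console.WriteLine(reader.ReadToEnd());
            }
        }
        catch (Exception ex)
        {
            // Fail closed: report the error and do not retry over a
            // weaker protocol or the operating system's handler.
            Console.Error.WriteLine("Request failed: " + ex.Message);
        }
    }
}
```

Explicit types are used instead of var so the code also compiles with the older C# compilers that ship with .NET 2.0 toolchains.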