NAB Transact cipher decommission

Effective from 25 July 2024, any integrations relying on decommissioned ciphers will no longer function. (From NAB email dated 05 July 2024)

Overview

As of 20th June 2024, NAB Transact decommissioned the following ciphers. Integrations that still rely on them may no longer function:

TLSv1.2 ciphers

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Please ensure that your system supports the following accepted ciphers:

The following cipher suites are accepted for TLS 1.3:

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

  • TLS_CHACHA20_POLY1305_SHA256

The following cipher suites are accepted for TLS 1.2:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • ECDHE-ECDSA-CHACHA20-POLY1305

  • ECDHE-RSA-CHACHA20-POLY1305

[Image: message excerpt from NAB login]

As of 21st June 2024, NAB Transact reinstated support for these ciphers, as they recognised a failure to communicate this to users.

NAB then communicated directly with customers on 05 July 2024:

To remain compliant with Payment Card Industry Data Security Standards (PCIDSS) requirements, insecure ciphers will be decommissioned on 25 July 2024.

Effective from 25 July 2024, any integrations relying on decommissioned ciphers will no longer function.

What does this mean?

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.

https://www.cloudflare.com/en-au/learning/ssl/transport-layer-security-tls/

Over time, legacy TLS protocols have been identified as less secure and are no longer supported by vendors, as in this instance, in favor of more secure protocols.

If this occurs you will see the following error:

Submission Failed:
NAB fingerprint generation failure. Please contact {School Name}: The request was aborted: Could not create SSL/TLS secure channel.

Resolution

Clients will need to stop the affected ciphers from being used on their web servers.

A free tool, IIS Crypto, can be used for this.
https://www.nartac.com/Downloads/IISCrypto/IISCrypto.exe

Selecting the Best Practices button in IIS Crypto will achieve a similar (or better) result.
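
The same check can be scripted with the built-in Windows TLS cmdlets. This is an added example, not code from NAB or IIS Crypto. It assumes Windows Server 2016 / Windows 10 or later, and it rewrites the accepted TLS 1.2 suites from the OpenSSL-style names listed above to the IANA names that Schannel reports.

```powershell
# Added example. Assumes the TLS module cmdlets (Get-TlsCipherSuite,
# Disable-TlsCipherSuite) found on Windows Server 2016 / Windows 10 or later.
# Cipher lists are the article's; TLS 1.2 accepted names are converted from
# OpenSSL style (ECDHE-RSA-AES128-GCM-SHA256) to IANA style.
$Decommissioned = @(
    'TLS_DHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_DHE_RSA_WITH_AES_128_GCM_SHA256'
)
$Accepted = @(
    # TLS 1.3
    'TLS_AES_128_GCM_SHA256',
    'TLS_AES_256_GCM_SHA384',
    'TLS_CHACHA20_POLY1305_SHA256',
    # TLS 1.2
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256',
    'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256'
)

# Suites currently enabled for Schannel on this machine, in priority order.
$Enabled = @(Get-TlsCipherSuite | Select-Object -ExpandProperty Name)

$Usable = @($Enabled | Where-Object { $Accepted -contains $_ })
$Stale  = @($Enabled | Where-Object { $Decommissioned -contains $_ })

Write-Output "NAB-accepted suites enabled: $($Usable.Count)"
$Usable | ForEach-Object { Write-Output "  OK     $_" }
$Stale  | ForEach-Object { Write-Output "  REMOVE $_" }

if ($Usable.Count -eq 0) {
    # Removing the DHE suites alone would not help here: nothing on the
    # accepted list is on offer, so enable an accepted suite first.
    Write-Warning 'No NAB-accepted cipher suite is enabled on this server.'
}
else {
    foreach ($Name in $Stale) {
        # -WhatIf only previews the change; remove it to apply.
        Disable-TlsCipherSuite -Name $Name -WhatIf
    }
}
```

Run it from an elevated PowerShell session on the web server that submits to NAB Transact.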

 

If you have any issues, please raise a case with us and our Systems Specialists can assist.