topic Relay Response not getting hit. SHA2 certificates and Authorize.net suspect in Integration and Testing

Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

evoDev — Mon, 26 Aug 2013 13:57:32 GMT

Does anyone know if Authorize.net accepts the newer SHA2 encryption? Our production servers which use this type of certificate do not receive the RelayResponse.

We found an article on SHA2 encryption issues with WIN2003 servers KB 968730. We know Authorize.net uses Win 2003 servers based on http headers, which tell us IIS6.0.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

RichardH — Wed, 28 Aug 2013 18:48:27 GMT

Hello evoDev,

I've forwarded your request to support SHA2 encryption to our product management team for consideration in a future release.

Richard

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

evoDev — Tue, 10 Sep 2013 22:53:20 GMT

We just established that is a real issue with Authorize.Net. We were able to purchase a SHA1 certificate and we are now able to receive the Relay Response from Authorize.NET. Authorize.NET Relay Response does not handle G2/SHA256 certificates. This will become a major issue in 2014 when SHA1 certifictions will not be obtainable from vendors eg. GoDaddy etc.

I hope this helps someone.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

mmoore225 — Wed, 02 Oct 2013 19:26:49 GMT

We ran into this issue today when we renewed our cert using SHA 2. We reissued the cert using SHA 1 and this eliminated our errors. If it is true that Authorize.net is using 2003 Windows servers, I hope they know that these servers reach end of life in April of 2014.

Authorize should be on top of this and should be supporting the new encryption algorithm of SHA 2. Some PCI-DSS scanners are now requiring SHA 2 be installed.

Can Authorize.net respond to this?

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

zackvbrady — Mon, 10 Feb 2014 21:57:07 GMT

Is there any update as to when this will be fixed DPM? I am begining a new integration for a client and would like to know if I will be able to secure the process properly with the SHA-256.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

RichardH — Tue, 11 Feb 2014 15:43:31 GMT

Hello Zackvbrady;

Our product team is still investigating the issue. How recently have you attempted using an SHA2 certificate? The product team is interested in further narrowing the issue. Please send details by submitting a support request at http://developer.authorize.net/support.

Richard

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

marimed — Wed, 19 Feb 2014 16:05:40 GMT

We have been experiencing this issue as of February 12th when a SHA2 was installed on our client's website. The process to replace it with SHA 1 has been started, but it would be great to know that SHA 2 could be used ASAP.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

dtowell — Thu, 20 Feb 2014 17:48:20 GMT

We also have this problem and are currently unable to obtain an SHA1 certificate. I really don't understand what the problem is, since MS has released a hotfix that specifically addresses this issue. It should have been fixed already.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

RichardH — Thu, 20 Feb 2014 22:54:11 GMT

Hello

Our product team is currently working to fix this problem. At this time, I don't have a time line for delivery.

I'd recommend subscribing to this topic so that you'll be alerted via email if there are updates. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies to your post.

Thanks,

Richard

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

krom — Mon, 03 Mar 2014 19:40:04 GMT

I am also having this issue. Is there any update or do I need to get my certificates reissued?

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

RichardH — Mon, 03 Mar 2014 20:39:02 GMT

I would recommend in the short term to have your certificate re-issued.

Richard

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

micliz — Tue, 11 Mar 2014 15:43:32 GMT

Just adding to the list, I'm also having Relay Response failures with a SHA-2 Cert created by GoDaddy. Seeing if I can downgrade it to SHA-1 for now...

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

jondaley — Fri, 14 Mar 2014 20:47:15 GMT

Aha. I'm glad to have stumbled across this post.

We were hit by this recently when updating our expiring SSL certificate. The thing that is odd is that some of the charges/relay responses go through correctly, somewhere around 3-5%. That doesn't make any sense to me unless there is a round-robin-type server that has one correctly configured server, and other broken ones.

I'll check if I can get an SHA1 certificate issued, but I think at minimum you should put it in your FAQ that your servers dont' work with current SSL certificates, and to recommend finding a provider that will issue the older style, if such places exist.

What is the ETA for applying the published hotfix for this problem?

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

jondaley — Fri, 14 Mar 2014 21:06:34 GMT

My ssl provider no longer issues SHA1 certificates except for 1 year, 1 domain certificates, which that isn't what I'm using.

Apparently, they also automatically publish revocation lists so my old certificate might not work for everyone, though it appears that it is okay.

Note that Microsoft says SHA1 certificates aren't secure, and people shouldn't be using them.

http://www.infoq.com/news/2013/11/SHA-1

Please update your systems as soon as you can, as we'll have to use manual credit card entering/verification until you do.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

jondaley — Fri, 14 Mar 2014 21:10:19 GMT

Here is someone who has spent some time on the phone with authorize.net, which is where I was headed next, but it sounds like it didn't get anywhere.

http://stackoverflow.com/questions/21390144/authorize-net-dpm-fails-with-an-sha-256-ssl-cert

If I turn off SSL on the relay response, are there security issues there? Hackers would have to be able to guess the correct transaction ids to be able to post information to that URL, and they are all one-time use ids, right? So, even if a hacker sniffed the connection, he couldn't do anything bad? Is that a reasonable solution?

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

jondaley — Mon, 17 Mar 2014 21:31:32 GMT

Email customer support tells me that turning off SSL for the relay response request is a perfectly fine solution.

Developers are "actively working on a fix", so hopefully, they'll post here once they've applied the hotfix from microsoft.

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

jondaley — Thu, 20 Mar 2014 20:41:32 GMT

I've confirmed that authorize.net reports a "script timed out" issue when there are SSL parsing problems. It would be nice if that error message could be changed - if you search on these forums for "script timed out" you will find self-signed certificate errors, namevirtualhost configuration issues, etc. It would save a lot of frustration and support time if the error "script timed out" only happened after a time out.

I noticed that the "script timed out" error happens immediately when there is a SSL certificate issue.

I've gotten zencart to not send an ssl URL in the x_relay_URL but zencart uses a 302 response in their default relay_URL, which goes to an SSL encrypted page, so authorize.net still barfs on it.

One good way to prove that it is authorize.net's fault is by turning off the on-site credit card processing - the credit card is then charged by authorize.net, but the redirect back to the site fails instantly because it can't parse the SSL certificate.

I'm going to look into hacking zencart's code into not using SSL on the response, but I don't think there is going to be a secure way to do that, because if the credit card validation fails, we'll end up with a non-ssl page to type in the credit card number on, and I don't know if I can hack zencart into being smart enough to redirect correctly.

I wonder if I did the redirect in javascript, to take authorize.net broken parser out of the picture, if that would work.

It would be really nice to have authorize update their servers (and its sort of scary that they don't keep their microsoft servers up-to-date - surely there have been security issues in the last 9 months that weren't applied to these servers?)

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

RichardH — Thu, 20 Mar 2014 21:35:01 GMT

Hello @jondaley:

A solution for the SHA2 certificate issue is currently moving through our rigorous QA process. I'll post an update when it releases to the sandbox and production.

Richard

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

jondaley — Thu, 20 Mar 2014 21:42:10 GMT

Great - glad to get a response. Do you have any sort of guess about the timeline - like a couple days, a couple weeks, a couple months?

Re: Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

RichardH — Thu, 20 Mar 2014 22:12:31 GMT

... Coming Soon :smileyhappy:

It will not be months, but I don't have better information than that.

Richard