https://community.developer.cybersource.com/t5/Integration-and-Testing/Need-a-sanity-check-for-PHP-cURL-solution-b-c-of-POODLE/m-p/48331#M24328 <P>Since the sandbox (<A href="https://test.authorize.net/gateway/transact.dll)" target="_blank">https://test.authorize.net/gateway/transact.dll)</A> now has SSLv3 disabled, I figured it was a good time to test against it, to ensure we're ready for Nov 4.<BR /><BR />We're using homegrown PHP/cURL solution since this was written before the SDK existed.<BR /><BR />Test 1: simply direct a test version of our payment code to the sandbox, of course using sandbox credentials.<BR />- success! &nbsp;<BR /><BR />Test 2: add a cURL directive forcing TLS, just in case: curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);<BR />- success!<BR /><BR />Wait, can it be that easy?&nbsp; We're using an old version of cURL (7.15.x) that I wasn't even aware it supported TLS!<BR /><BR />Can you fine folks give me a sanity check?&nbsp; Since SSLv3 is already disabled in the sandbox, if I'm successfully able to connect and process there, then I should be set for Nov 4, correct? (Obviously, assuming all else remains constant...)<BR /><BR />Thanks!</P> Fri, 31 Oct 2014 04:09:56 GMT jamesons 2014-10-31T04:09:56Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Need-a-sanity-check-for-PHP-cURL-solution-b-c-of-POODLE/m-p/48331#M24328 <P>Since the sandbox (<A href="https://test.authorize.net/gateway/transact.dll)" target="_blank">https://test.authorize.net/gateway/transact.dll)</A> now has SSLv3 disabled, I figured it was a good time to test against it, to ensure we're ready for Nov 4.<BR /><BR />We're using homegrown PHP/cURL solution since this was written before the SDK existed.<BR /><BR />Test 1: simply direct a test version of our payment code to the sandbox, of course using sandbox credentials.<BR />- success! &nbsp;<BR /><BR />Test 2: add a cURL directive forcing TLS, just in case: curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);<BR />- success!<BR /><BR />Wait, can it be that easy?&nbsp; We're using an old version of cURL (7.15.x) that I wasn't even aware it supported TLS!<BR /><BR />Can you fine folks give me a sanity check?&nbsp; Since SSLv3 is already disabled in the sandbox, if I'm successfully able to connect and process there, then I should be set for Nov 4, correct? (Obviously, assuming all else remains constant...)<BR /><BR />Thanks!</P> Fri, 31 Oct 2014 04:09:56 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Need-a-sanity-check-for-PHP-cURL-solution-b-c-of-POODLE/m-p/48331#M24328 jamesons 2014-10-31T04:09:56Z https://community.developer.cybersource.com/t5/Integration-and-Testing/Need-a-sanity-check-for-PHP-cURL-solution-b-c-of-POODLE/m-p/48341#M24330 <P>I think you're right on track. If you can connect to Sandbox, then your setup is favoring TLS, possibly forcing TLS outright.<BR /><BR />Do bear in mind that libcurl, the programming library for accessing cURL, can be compiled to use a number of security libraries, including OpenSSL, SChannel, and others. Despite the age of your installation of cURL, it could be using a more up-to-date security library.<BR /><BR />A list of all the possible programming libraries for libcurl may be found here: <A href="http://curl.haxx.se/docs/ssl-compared.html" target="_blank">http://curl.haxx.se/docs/ssl-compared.html</A></P> <P>&nbsp;</P> <P>If you run the command <SPAN style="font-family: courier new,courier;">curl -V</SPAN> it should tell you which security libraries it's using.</P> Fri, 31 Oct 2014 20:21:36 GMT https://community.developer.cybersource.com/t5/Integration-and-Testing/Need-a-sanity-check-for-PHP-cURL-solution-b-c-of-POODLE/m-p/48341#M24330 Lilith 2014-10-31T20:21:36Z