topic Re: End point confirmation for TLS 1.2 upgrade in Integration and Testing

End point confirmation for TLS 1.2 upgrade

Malith — Mon, 12 Jun 2017 19:08:28 GMT

Hello,

Currently we are in the prcess of upgrading the connectivity to TLS 1.2 as per the requirement announced by Authorize.net.

Currently we are using the below urls/end pints. We need your confirmation if we can use these urls without any issue.

TEST:
https://test.authorize.net/gateway/transact.dll

LIVE:
https://secure2.authorize.net/gateway/transact.dll

Re: End point confirmation for TLS 1.2 upgrade

Aaron — Thu, 01 Jun 2017 20:02:38 GMT

Hi @Malith,

Yes, those endpoints can be used. The test.authorize.net endpoint currently only supports TLS 1.2, so if you can process successfully with that endpoint, you should be fine once secure2.authorize.net switches to TLS 1.2 only in September.

Re: End point confirmation for TLS 1.2 upgrade

tcomtom — Mon, 12 Jun 2017 18:38:36 GMT

Hello,

We are using the DPM with the following end points as well:

Test:

https://test.authorize.net/gateway/transact.dll

Live:

https://secure.authorize.net/gateway/transact.dll

I just tested the test url and the transaction worked fine.

Just wan't to be sure if there is anything else I need to do before the September TLS migration for live.

Thanks,

Tom

Re: End point confirmation for TLS 1.2 upgrade

Aaron — Mon, 12 Jun 2017 19:06:56 GMT

If it works on the sandbox site, you should be fine.

One thing to be aware of with DPM, though. Since you're having customer's browsers post directly to us, your customer's browsers will need to support TLS 1.2 with the appropriate ciphers. That's usually not a big deal as most browser releases that are less than a few years old will work fine. Where you'll have problems is with those holdouts still using IE 8 or older (for example).

You can check out the ssllabs.com report for test.authorize.net and see a comprehensive list of which browser version will and won't be able to connect. Between now and the cutoff date you can prepare for the customer impact when armed with this information.

Some things you might want to do in preparation:

Analyze server logs to get a breakdown of browser version and determine how much your customer base might be impacted.
Educate anyone providing support to your customers that browser version is going to determine if the customer can properly make a payment
Send a proactive notification to existing customer reminding them to upgrade their browser. That would also be a good time to let them know that if they don't upgrade, they won't be able to pay other places as well, and won't be able to pay anywhere after the PCI-DSS cutoff date in June 2018.
Post a notice on your payment page with browser requirements.
Script your payment page to identify the customer's browser and display an error message if the browser isn't a supported version.

Re: End point confirmation for TLS 1.2 upgrade

tcomtom — Tue, 13 Jun 2017 18:26:33 GMT

Thank you for the detailed reply and the recommendations.

Re: End point confirmation for TLS 1.2 upgrade

Malith — Thu, 20 Jul 2017 13:20:09 GMT

Hi Aaron,

For my post on the 06-01-2017 03:01 AM, you confirmed the below url is working but unfortunately we are now receiving java.net.SocketException: Connection reset.

Re: End point confirmation for TLS 1.2 upgrade

rcourtois — Thu, 20 Jul 2017 18:14:41 GMT

I'm having a similar problem trying to post to the following URL from a machine running Windows Server 2008:

https://apitest.authorize.net/xml/v1/request.api

The socket can be opened, but trying to start encryption results in the server resetting the connection. I am trying to send a getHostedPaymentPageRequest request. Every once in a while it will work and return a payment form request token, but probably 9 out of 10 times the connection gets reset. The same code does run fine when run from a desktop macine running Windows 7.

Re: End point confirmation for TLS 1.2 upgrade

unaisk — Tue, 30 Jan 2018 06:07:22 GMT

Hi,

I am using the following URL on production:

https://api2.authorize.net/xml/v1/request.api

Please let me know if this is TLS1.2 compliant. Its urgent.

Also, let me know if it is AKAMAI URL?

Thanks in advance.

Re: End point confirmation for TLS 1.2 upgrade

RichardH — Tue, 30 Jan 2018 17:05:18 GMT

@unaisk Yes, the endpoint https://api2.authorize.net/xml/v1/request.api is an Akamai endpoint. Starting this morning it will be configured to only accept a TLS 1.2 connection for approximately 4 hours and then it will return to accept TLS 1.0, 1.1 and 1.2 until Feb 28th.

Please see https://status.authorize.net for details.

Re: End point confirmation for TLS 1.2 upgrade

mattlt — Tue, 30 Jan 2018 21:14:45 GMT

For years now we have been using the https://secure2.authorize.net/gateway/transact.dll to talk to authorize.net, and for many months we have been using only the TLS 1.2 protocol on our server.

However, during the test today, all connection attempts resulted in no response from authorize.net.

We confirmed our TLS 1.2 status at SSLLabs.

Any idea what could be going on here?

(Current time is 13:10 PST, but the problem persists).

Re: End point confirmation for TLS 1.2 upgrade

bhav — Tue, 30 Jan 2018 23:24:59 GMT

Matt,

Will you able to share the SSL labs report here? Also, are you using Java SE 9 to connect to https://secure2.authorize.net/gateway/transact.dll?

Thanks

Bhavana

Re: End point confirmation for TLS 1.2 upgrade

Aaron_Actual — Wed, 31 Jan 2018 04:47:43 GMT

An SSLLabs report is irrelevant when it comes to your server making a client connection to another web server. Remember, the only thing SSLLabs can tell you is what version of TLS is negotiated when their machine makes a connection to the HTTP server software running on _your_ server machine. That’s not what is at issue here.

It’s good that you’re enforcing TLS 1.2 connections when other machines are making connections to _your_ machine. That’s definitely necessary, and required to be compliant with PCI-DSS. But, you also have to be capable of connecting as TLS 1.2 when your machine is acting as a client connecting to a web server.

So, what _is_ at issue is the version of TLS that your machine is able to negotiate when your machine is connecting as an HTTP client to the HTTP server software running on the Authorize.Net endpoint. Whether your machine is capable of negotiating a TLS 1.2 connection when acting as a _client_ is completely dependent on things like your programming environment that your application was written in and its libraries, or the system libraries that your application is calling to make this client connection.

Re: End point confirmation for TLS 1.2 upgrade

bhav — Wed, 31 Jan 2018 17:40:54 GMT

We were curious to see the ssl report you ran as we were able to connect to secure2 endpoint with TLS protocol. Please let us know whether your issue is resolved.

-Bhavana

Re: End point confirmation for TLS 1.2 upgrade

webguy123 — Thu, 15 Feb 2018 00:38:20 GMT

I have been working on server migration and preparing for TLS 1.2

I am successfully transacting to https://test.authorize.net/gateway/transact.dll and seeing transactions show up on my sandbox account.

I am doing this from a new domain without my SSL installed. However, once I do move the SSL, should it be ready to go?

My cert is TLS 1.2 ready and I am using centos 7.4 with PHP 5.4.16.

Is there anything else I can do to be certain I am ready to go?

Thanks in advance for your help!

Re: End point confirmation for TLS 1.2 upgrade

Nikhila — Wed, 28 Feb 2018 23:28:33 GMT

Hi,

Even we are encountering similar errors as explained by matt.

Till yesterday, all our payments went through and from today, i.e 28 Feb 2018, we arent getting response from authorize.net.

Re: End point confirmation for TLS 1.2 upgrade

JevinInc — Wed, 28 Feb 2018 23:36:40 GMT

Does anyone have a resolution for this? We haven't been able to process payments all day. All auth.net does is send and resend us the TLS upgrade document. We have verified that we are using 1.2 and have removed all other versions from the servers and from the registry.

Re: End point confirmation for TLS 1.2 upgrade

RichardH — Wed, 28 Feb 2018 23:41:26 GMT

Have you compared the ciphers you are attempting to use with those configured for the endpoint you are using? Use the SSL Lab Report and compare the list of ciphers with those configured for your server.

Also, another suggestion is to try moving from the akamai to non-akamai endpoint.

Richard

Re: End point confirmation for TLS 1.2 upgrade

JevinInc — Wed, 28 Feb 2018 23:54:20 GMT

Is someone from auth.net going to step out of the shadows to address this issue? I talked with the server techs at our hosting company and they said it is a global issue for all of the sites they host. they have been working on the issue all day and have made no progress because of the lack of help from auth.net