topic Re: TLS 1.2 test - PHP CURL error 1407742E when submitting request to sandbox in Integration and Testing

TLS 1.2 test - PHP CURL error 1407742E when submitting request to sandbox

jsargent3840 — Thu, 08 Feb 2018 20:54:39 GMT

Hi,

I'm getting a PHP CURL error when submitting a test transaction to my sandbox account at https://test.authorize.net/gateway/transact.dll. The error is:

1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

Does this mean that the version of CURL on the server is not configured to work properly with TLS 1.2? From what I can tell from the PHP Info, the CURL version is 7.36.0 and SSL Version is OpenSSL/0.9.8. PHP version is 5.4.32.

Test code looks like below:

<?php

$url = 'https://test.authorize.net/gateway/transact.dll';

$ch = curl_init( $url );
curl_setopt( $ch, CURLOPT_POST, true);
curl_setopt( $ch, CURLOPT_POSTFIELDS, $vPostData);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt( $ch, CURLOPT_VERBOSE, true);
$response = curl_exec( $ch );
if ($response === false) {
echo "curl_exec failed<br />";
trigger_error(curl_error($ch));
} else {
echo "response: " . $response;
}
curl_close($ch);

Thanks!

Re: TLS 1.2 test - PHP CURL error 1407742E when submitting request to sandbox

NexusSoftware — Fri, 09 Feb 2018 10:19:54 GMT

OpenSSL 0.9.8 does not support TLS 1.2. Painting with a broad brush, TLS 1.2 first appeared in OpenSSL 1.0.1.

Re: TLS 1.2 test - PHP CURL error 1407742E when submitting request to sandbox

jsargent3840 — Wed, 14 Feb 2018 15:53:01 GMT

Thank you for the information. It would appear we have no PHP solutions that work on the server we are working with. Unfortunately the site is on a hosted server so we are unable to install updates. However, I did discover a sample ASP script that seems to work so we will go with that.

Re: TLS 1.2 test - PHP CURL error 1407742E when submitting request to sandbox

Aaron_Actual — Wed, 14 Feb 2018 17:33:45 GMT

While it seems like you've found a solution, think seriously about whether you want to continue giving business to a hosting provider who thinks so little of security that they'd force you into a set of software that old. There's been many security holes found in just PHP alone since then.

There's no way a solution built on top of that provider's PHP installation is going to be PCI compliant, and I'd suspect the same is true about anything using ASP on that provider as well.