topic Re: TLS 1.2 Issue - in Classic ASP environment in Integration and Testing

TLS 1.2 Issue - in Classic ASP environment

snooper — Tue, 09 May 2017 07:37:04 GMT

I manage a few sites that still use Classic ASP.

The method of connection is via a MSXML2 component pointing to https://secure.authorize.net/gateway/transact.dll

Is there a simple change i can make in this code somewhere (see below), to test via the sandbox, and see if the server is TLS 1.2 compliant?

Thanks!

[code]

set objHttp = server.Createobject("MSXML2.ServerXMLHTTP")
if err.number <> 0 then
    Response.write(err.Description)
    response.End()
end if
'on error goto 0

objHttp.open "POST", strPost, false
objHttp.Send strRequest

'Get response
objHttpStatus = objHttp.status
strResponse   = objHttp.responseText
set objHttp      = nothing

[/code]

Re: TLS 1.2 Issue - in Classic ASP environment

RichardH — Tue, 09 May 2017 15:50:20 GMT

Hello @snooper

Another developer asked a similar question on StackOverflow and there are several suggestions to help: http://stackoverflow.com/questions/34997849/classic-asp-outbound-tls-1-2

Richard

Re: TLS 1.2 Issue - in Classic ASP environment

NexusSoftware — Wed, 10 May 2017 10:00:02 GMT

You may not need to modify your code at all, but you may need to apply the update from :

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows, there is also an Easy Fix on the same page that will modify your registry entries for you.

Re: TLS 1.2 Issue - in Classic ASP environment

snooper — Thu, 11 May 2017 14:58:41 GMT

@RichardH- thanks for the reponse.

You will actually see a comment of mine (kneidels) from back in November :-)

@NexusSoftware- thanks also.

Just to clarify - my setup currently works (for now...)i just want to be able to TEST with the tls1.2 version with the sandbox, while leavinjg the current setup active (meaning, probably not changing registry values etc)

is there a way to do this, in your opinion?

Thanks

Re: TLS 1.2 Issue - in Classic ASP environment

NexusSoftware — Thu, 11 May 2017 16:11:05 GMT

What version of Windows and the .Net framework is on your server?

Below is a simple test script that will return what your Schannel.dll is connecting with:

<%
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText 
Set objHttp = Nothing 
%>

Save as testssl.asp and hit it with your browser. If it returns the with tls_version":"TLS 1.2, you are good to go.

Re: TLS 1.2 Issue - in Classic ASP environment

CapnCrinklepant — Wed, 17 May 2017 16:24:06 GMT

For us, the magic was changing all of the objects of type ("MSXML2.ServerXMLHTTP" or "MSXML2.ServerXMLHTTP.3.0") over to the newer "MSXML2.ServerXMLHTTP.6.0".

It would make intuitive sense that the one without the version number chooses the newest version, but this is NOT the case, as it in fact points to the older 3.0 version.

Re: TLS 1.2 Issue - in Classic ASP environment

wesg92 — Thu, 28 Dec 2017 20:09:53 GMT

I have a classic ASP site as well and looking for confirmation on if I need to make any changes for TLS 1.2. It's been very hard to get an answer.

Did you find a solution/answer?

Re: TLS 1.2 Issue - in Classic ASP environment

kikmak42 — Sat, 13 Jan 2018 08:19:30 GMT

Hi @wesg92

Our Sandbox endpoint https://test.authorize.net/gateway/transact.dll only supports a TLS 1.2 connections.

So, if you can test your classic ASP site with this endpoint, and everything turns out to be working fine, you can be rest assured that your integration work fine with TLS 1.2.

Hope this helps !

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 03:41:21 GMT

So I tried that script from howsmyssl.com. I tried it and it said my TSL version was 1.0. I got with my host to disable 1.0 and 1.1 and enable 1.2, per my instructions from Authorize.net. When I try to run the script now, I get an error: "An error occurred in the secure channel support"

This is the same error I get in my own code for trying to talk to Authorize.net. If I change the GET to a POST, I get the same error.

If I check my TLS version through a different site, http://ssl-checker.online-domain-tools.com/, it says that TLS 1.2 is supported, and that 1.0 and 1.1 are not supported. But like I say, I still can't POST to Authorize.net (or anywhere, it would seem). My host won't help me, saying they're not programmers. I get that, but I've tried every different ServerObject to make this POST that I've seen and none work.

Any ideas?

Thanks,

Tom

Re: TLS 1.2 Issue - in Classic ASP environment

bdf2723 — Thu, 01 Mar 2018 04:39:26 GMT

Your webserver probably needs TLS 1.0 to communicate with the database server. Have the host re-enable 1.0 and 1.1. Then have the host set the "DefaultSecureProtocols" registry keys to 0x00000800. This key will need to be added to each of these:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

You can read about this here:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 06:11:26 GMT

My host said that since I am using MySQL (instead of MSSQL), I don't need 1.0 or 1.1. And Authorize.net specifically said to disable 1.0 and 1.1. They did have 1.0 and 1.1 enabled earlier, and I was still getting the same error message.

I could try to ask them to re-enable 1.0 and 1.1, but based on what Authorize.net told me, I thought this was the cause of my problem, so I raised quite a ruckus with the host to get 1.0 and 1.1 disabled. Do you still think I need to have 1.0 and 1.1 enabled, and why would Authorize.net say that I had to have them disabled? And doesn't having them enabled make me non-PCI compliant?

Thanks,

Tom

Re: TLS 1.2 Issue - in Classic ASP environment

bdf2723 — Thu, 01 Mar 2018 07:00:17 GMT

The connection between your webserver and your database server is not the same as the connection between your shopping cart app and Authorize.net. The connection to Authorize.net must be TLS 1.2 now.

That being said, I don't know of very many Classic ASP scripts that write to MySQL databases. Can you post one of your scripts that are failing or at least the full error message that you are getting?

Try this script as well and post what it returns.

<%
Set objHttp = Server.CreateObject("WinHTTP.WinHTTPRequest.5.1")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText
Set objHttp = Nothing
%>

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 13:33:00 GMT

Yes, I was using that very script when working with the host to get TLS 1.2 enabled, and 1.0 and 1.1 disabled. When the server supported 1.0 and 1.1 (but not 1.2), the script worked fine, returning all of the XML. Now that the server ONLY supports 1.2, the script returns an error: "An error occurred in the secure channel support". That occurs at the Send line (line 4).

Most posts/sites I've seen actually say to use Server.CreateObject("MSXML2.ServerXMLHTTP.6.0") instead of Server.CreateObject("WinHTTP.WinHTTPRequest.5.1"). I've tried that too with the same results.

Interestingly, as I say, when 1.0 and 1.1 were enabled, this script worked fine, but I still got the same error in trying to POST to the authorize.net dll (with either XML object).

The code is communicating fine with the MySQL database, which is on the local host anyway. All of my issues revolve around sending the transaction data to Authorize.net. Can't do it!

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 14:03:46 GMT

If it sheds any more light on the matter, I have a simple script that only tries to post sample, valid, transaction data to Authorize.net. The script looks much like this:

<%
Dim xml, strStatus, strRetval
On Error Goto 0
Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
xml.open "POST", "https://secure.authorize.net/gateway/transact.dll?x_login=aaaa&x_tran_key=bbbb&x_delim_data=true&x_delim_char=|&x_relay_response=false&x_first_name=cccc&x_last_name=dddd&x_address=eeee&x_city=ffff&x_state=gg&x_zip=hhhhh&x_amount=jjj&x_currency_code=&x_method=CC&x_type=AUTH_CAPTURE&x_card_num=kkkk&x_exp_date=llll&x_card_code=mmm", false
xml.send ""
strStatus = xml.Status
strRetval = xml.responseText
Response.Write "here="
Response.Write xml.responseText
Response.End
%>

(Obviously, I have replaced the sensitive data, like login info with letters aaaa, bbbb, cccc, etc. for posting to this forum, but in the actual test script, they are valid values.)

Until yesterday, this script worked fine. When Authorize.net started requring 1.2 only, it stopped working and gives the same "An error occurred in the secure channel support" error. Authorize.net told me to have TLS 1.0 and 1.1 disabled, and to make sure 1.2 is enabled. I've done that, and I still get the same error.

I've also tried using different server objects instead of "MSXML2.ServerXMLHTTP.6.0". I've tried "WinHttp.WinHttpRequest.5.1" and "MSXML2.ServerXMLHTTP" and get the same error.

I've tried "Microsoft.XMLHTTP" and "MSXML2.XMLHTTP.6.0" and still get an error, although for these two, the error is "The system cannot locate the resource specified."

All of this held true starting yesterday, before I switched the server to TLS 1.2 only, and after. But the script was working fine before yesterday (using server object "Microsoft.XMLHTTP").

I can't figure why I can't post over https to another server now. Even the other test script, the one that POSTS to howsmyssl.com, returns the same set of errors based on the Server Object I'm trying to use.

I've exhausted all ideas of what to try next. Does anyone know what's going on here?

Re: TLS 1.2 Issue - in Classic ASP environment

ezwreck1 — Thu, 01 Mar 2018 14:57:10 GMT

While I am not a developer I am a System Admin for a hosting provider , and we have been getting inquiries from customers who have been having issues connecting to authorize.net endpoints even though TLS1.0 was disabled. Apparently, you also need to force .NET to use TLS 1.2 by adding the following registry keys.

Warning

Incorrectly editing the registry might severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

Check for the registry keys first using powershell:
Get-ItemProperty -path "Registry::HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -Name SchUseStrongCrypto

Get-ItemProperty -path "Registry::HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" -Name SchUseStrongCrypto

add registry keys:

reg add "HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /d 00000001 /t REG_DWORD
reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319" /v SchUseStrongCrypto /d 00000001 /t REG_DWORD

I hope this helps.

Re: TLS 1.2 Issue - in Classic ASP environment

bdf2723 — Thu, 01 Mar 2018 15:17:50 GMT

Can you verify that you can load any page on the server from https?

If not, see if you can load a page from http. If it loads from http but not https then the problem is at the server level meaning that either your SSL certificate is bad or something in the mechanics of the server is not working properly.

What server are you using? Windows? Linux?

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 15:26:20 GMT

The pages on my site load fine over http or https. And my code interacts with my MySQL database fine too. The only problem is in trying to POST transaction data to Authorize.net over https.

I'm using a Windows VPS server hosted at LiquidWeb running Windows 2008 R2 and IIS 7.

Re: TLS 1.2 Issue - in Classic ASP environment

bdf2723 — Thu, 01 Mar 2018 15:56:02 GMT

Since you are on a 2008r2 server I am pretty sure you need these registry values set:

0x00000800

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols

Value: 0x00000800

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols

Value: 0x00000800

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 17:25:55 GMT

I have gone into Regedit on my server, and saw that that key was indeed not there. So I added it:

[Tried to insert a screenshot of the registry, but the forum wouldn't let me.]

I then rebooted the server just to make sure. But I'm still getting the same errors. Rats! Anyone have any other ideas?

Re: TLS 1.2 Issue - in Classic ASP environment

tbowenwso — Thu, 01 Mar 2018 17:28:04 GMT

I should say too, that I don't know if this is an x64-based computer, but there was no WOW6432NODE key at all, so I am assuming it is not. So I only added the first of those two keys.