topic Re: Adjusting code and server settings to communicate with gateway after SHA-1 removal in Integration and Testing

Adjusting code and server settings to communicate with gateway after SHA-1 removal

ym — Tue, 04 Dec 2018 22:01:01 GMT

My PHP website is currently using the Accept Hosted solution for payments. After removal of SHA-1 ciphers from sandbox on 11/06/2018 the site can no longer communicate to sandbox (no issue with production gateway so far). I get the following error:

Access Denied

You don't have permission to access "http://test.authorize.net/payment/payment"

Reference #18.4594dc17.1543959284.3a3ed3f9

I understad this is most likely happening due to cipher removal in sandbox, however, I am unsure what needs to be done in order to solve this problem. The code I am using looks somewhat like this:

$ch = curl_init('https://test.authorize.net/payment/payment');

curl_setopt($ch, CURLOPT_HEADER, 0);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS, $request_xml); //this variable holds getHostedPaymentPageRequest XML

$response = curl_exec($ch);

curl_close($ch);

I am using RHEL 7 server.

OpenSSL 1.0.2

curl 7.29.0

Apache 2.4.6

PHP 5.4.16

I've researched different solutions, but so far didn't find one that works. Can anyone point me in the right direction? What needs to be changed in the code and/or updated on the server in order to get this to work?

Re: Adjusting code and server settings to communicate with gateway after SHA-1 removal

ElaineM — Wed, 05 Dec 2018 22:44:26 GMT

Hi ym,

This response is identify potentially malicious data in your request, which is blocked from being submitted by our security rules. When I review the Reference # you provide, I see that specifically SQLi is being detected.

If you are not including SQLi in your request, this most commonly occurs when you are using an invalid XML version or including HTML in your request.

Please check your request for any of these items for correction. If you are unable to locate the culprit within your request, you can create a case with our support staff by forwarding the most recent error that you have received, the timestamp it occurred, your IP address, the Reference # and an example of your request data with all secure data (Transaction Key, payment data, etc) masked to https://developer.authorize.net/support/contact_us/.

Thank you,

Elaine

Re: Adjusting code and server settings to communicate with gateway after SHA-1 removal

ym — Thu, 06 Dec 2018 19:18:44 GMT

Thank you for your reply, Elaine.

I carefully checked my XML and found absolutely no issues with it. When I tried posting that XML to API live console (developer.authorize.net/api/reference), it returned me a I00001 "Successful" reponse. When that same exact code (except for credentials) is being submitted to production gateway, it works without a problem.

I guess I will contact support with my issue.

Re: Adjusting code and server settings to communicate with gateway after SHA-1 removal

ym — Mon, 10 Dec 2018 21:53:26 GMT

Just posting here to say that this issue was never solved and proved to be impossible to solve. Here’s what I tried:

1) Tried contacting Authorize.net Sandbox support. I sent them everything requested a few times. Their original response was that I have some kind of invalid scripting or HTML code in my response, which is not the case. I tested it numerous times and I am 200% sure the XML is correct. Like I mentioned before, the XML works perfectly when I submit it to API Live console (from developer.authorize.net/api/reference), but when I submit it from the site, it produces “Access denied” error.

I also copied the sample code directly from API Live Console, replaced name and transaction key with my Sandbox keys, and got the same result.

Also tried creating a very simple form on our site that takes the XML and submits it to the sandbox gateway. No matter what I tried, it gives access denied error.

Finally, I tried using PHP sample code for Authorize.net SDK, used my login and transaction key, and still got “access denied” error.

Oddly enough, it occasionally produces “Missing or invalid token” error.

2) I then tried checking my server configuration. Everything is correct. I also consulted out dedicated server support and they confirmed everything is good and up to date.

3) Tried doing it from a different IP, used different browsers to no luck.

4) Tried creating another sandbox account and repeating all steps above – no luck.

The only way to get it to work is to switch to production gateway and use production login and transaction key.

At this point I am just giving up, as I have to work on other projects. I guess Sandbox is no longer an option. Hopefully the production gateway won’t stop working like that in the future.