API Endpoints XML - Sandbox Works, Production Does Not

ryantmoore — Thu, 21 Feb 2019 22:47:20 GMT

Hi,

I am having an issue with Sandbox working everytime and Production failing every time.

For Sandbox I use the following code in php:

<?php
$xmlContent = '<createTransactionRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
<merchantAuthentication>
<name>327zFYy6</name>
<transactionKey>7A66szz53F6N67YK</transactionKey>
</merchantAuthentication>
<transactionRequest>
<transactionType>authCaptureTransaction</transactionType>
<amount>2.70</amount>
<payment>
<creditCard>
<cardNumber>xxxxxxxxxxxxxxxx</cardNumber> I used a real credit card
<expirationDate>1119</expirationDate>
<cardCode>002</cardCode>
</creditCard>
</payment>
<customer>
<id>Ryan Moore</id>
</customer>
<billTo>
<firstName>Ryan</firstName>
<lastName>Moore</lastName>
<address>3780 Rosin Court</address>
<city>Sacramento</city>
<state>CA</state>
<zip>95834</zip>
<country>USA</country>
</billTo>
<transactionSettings>
</transactionSettings>
</transactionRequest>
</createTransactionRequest>';

$url = 'https://apitest.authorize.net/xml/v1/request.api';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: text/xml'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt($ch, CURLOPT_POSTFIELDS, $xmlContent);
$result = curl_exec($ch);

//echo "<pre> Result Array: ";
//print_r($result);
//echo "<pre>";

echo "Result: " . $result . " ";
echo " ";

$err_status = curl_error($ch);
echo "Err Status: " . $err_status . " ";
curl_close($ch);

echo "URL: " . $url . " ";
$curl_info = curl_version();
echo "SSL: " . $curl_info['ssl_version'] . " ";

$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
curl_close($ch);

$json = json_decode($data);
echo "TLS: " . $json->tls_version ." ";
?>

I get:

Result: OkI00001Successful. 1FQ6V8EYP2400256621287ECA7D1F270049DF9846976B8B3F5A3F0XXXX0027MasterCard1This transaction has been approved.

Err Status:
URL: https://apitest.authorize.net/xml/v1/request.api
SSL: OpenSSL/1.0.2m
TLS: TLS 1.2

----------------------------------------------------------------------------------------------

For Production I changed only the following three lines. I used my live 11 digit account id and live transaction key. I changed from apitest to api for the url.

<name>xxxxxxxxxxx</name>
<transactionKey>xxxxxxxxxxxxxxxx</transactionKey>

$url = 'https://api.authorize.net/xml/v1/request.api';

I get:

Result:

Err Status: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to api.authorize.net:443
URL: https://api.authorize.net/xml/v1/request.api
SSL: OpenSSL/1.0.2m
TLS: TLS 1.2

Re: API Endpoints XML - Sandbox Works, Production Does Not

ElaineM — Thu, 07 Mar 2019 08:15:24 GMT

Hi ryantmoore,

This sounds like a cert or OpenSSL issue, based on what you are describing, but I'm including some basic server configuration best practices advisements below as well.

If you are using a PHP SDK, make sure you are using the most recent version found at https://github.com/AuthorizeNet/sdk-php, or at least the most recent version of the cert.pem file found in the PHP SDK.

What are the current Best Practices that should follow for browser and/or setting up a new server-to-server that relies on TLS to secure the connection?

Only TLS 1.2 should be used. Earlier versions are no longer supported. With TLS 1.2 protocol, any modern cipher suites maybe used to initiate the secure handshake but there are some preferred configurations:

ECDHE and AESGCM ciphers are preferred.
Perfect Forward Secrecy (PFS) cipher suites are preferred but not required.
Keyed hash functions must be used with either SHA-2 or SHA-3. SHA-1-based functions are not allowed.
Authenticated encryption modes (e.g. AES GCM, ChaCha20-Poly 1305) modes must be preferred first over other AES modes (e.g. AES-CBC).

For browsers using modern/up-to-date browsers that support TLS 1.2 is required. It is recommend to have auto update enabled to ensure your browser is kept up-to-date. It is also recommend to keep your Operating System (OS) patched and up-to-date with patches and security fixes.

How can I find out what protocols and ciphers Authorize.Net currently supports?

For cipher support ECDHE and AESGCM are preferred, SHA-1 ciphers will be not be supported as of 01/15/2019. For a full list/report SSL Labs report can be run to see and verify TLS version and ciphers supported. Please see below for a matrix of reports available, by API endpoint and environment.

I hope this information is helpful.

Thank you,

Elaine

topic API Endpoints XML - Sandbox Works, Production Does Not in Integration and Testing

API Endpoints XML - Sandbox Works, Production Does Not

Re: API Endpoints XML - Sandbox Works, Production Does Not