POODLE Internet Security Issue
Thread for follow-up questions related to POODLE blog post at http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Important-POODLE-Inform...
11-04-2014 12:27 PM
The planned SSLv3 deprecation is complete. For more info, please visit our FAQs at http://www.authorize.net/support/poodlefaqs/
Richard
11-04-2014 05:17 PM - edited 11-04-2014 05:20 PM
We have noticed some merchants have applied POODLE fixes asymmetrically.
For example, the server may have SSLv3 disabled, but the code may attempt to force SSLv3 anyway, causing connection issues.
Similar connection issues may occur if you try to force TLS 1.2 without ensuring your server can support TLS 1.2.
As a best practice, we recommend not forcing TLS or SSL in code, and letting the server use its defaults, which typically have the strongest security features. If you must force a security protocol, TLS 1.2 is recommended, but in general you may be able to force TLS without versioning for greater flexibility.
"Move fast and break things," out. "Move carefully and fix what you break," in.
11-05-2014 03:17 PM
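The asymmetric configuration described in the post above can be checked for before it causes failed connections. The following is an added example, not code from the thread or from Authorize.Net: it scans client code and launch options for hard-coded protocol settings (PHP cURL's `CURLOPT_SSLVERSION`, the curl `-3`/`--sslv3` flags, the JVM `https.protocols` property) and predicts the result of each. The sample lines, the `OLD_PLATFORM` set and the `REMOTE` set (SSLv3 off, TLS 1.0 to 1.2 on) are constructed assumptions.

```python
import re

TLS_ANY = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
# Hard-coded protocol settings (PHP cURL, curl CLI, JVM option) mapped to
# the versions each one restricts the client to.
PINS = [
    (r"CURLOPT_SSLVERSION\s*,\s*(3|CURL_SSLVERSION_SSLv3)\b", {"SSLv3"}),
    (r"CURLOPT_SSLVERSION\s*,\s*(6|CURL_SSLVERSION_TLSv1_2)\b", {"TLSv1.2"}),
    (r"CURLOPT_SSLVERSION\s*,\s*(1|CURL_SSLVERSION_TLSv1)\b", TLS_ANY),
    (r"\bcurl\s.*(?<=\s)(-3|--sslv3)(?=\s|$)", {"SSLv3"}),
    (r"-Dhttps\.protocols=SSLv3(?![\w.,])", {"SSLv3"}),
    (r"-Dhttps\.protocols=TLSv1\.2(?![\w.,])", {"TLSv1.2"}),
]

def forced_versions(line):
    """Return the versions a line pins the client to, or None if unpinned."""
    for pattern, versions in PINS:
        if re.search(pattern, line):
            return versions
    return None

def audit(lines, platform_supports, remote_accepts):
    """Return (line_no, status, detail) for each line that forces a protocol."""
    findings = []
    for no, line in enumerate(lines, 1):
        forced = forced_versions(line)
        if forced is None:
            continue  # library defaults: both ends negotiate their best version
        usable = forced & platform_supports
        names = "/".join(sorted(forced))
        if not usable:
            findings.append((no, "fail", "local platform lacks " + names))
        elif not usable & remote_accepts:
            findings.append((no, "fail", "remote end rejects " + names))
        else:
            # Version names sort in protocol order, so max() is the newest.
            findings.append((no, "ok", "negotiates " + max(usable & remote_accepts)))
    return findings

# Constructed sample lines, not taken from any merchant's code.
SAMPLE = [
    "curl_setopt($ch, CURLOPT_SSLVERSION, 3);",
    "curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);",
    "curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);",
    "java -Dhttps.protocols=SSLv3 -jar app.jar",
    "curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);",
]
OLD_PLATFORM = {"SSLv3", "TLSv1.0"}         # assumed stack without TLS 1.1/1.2
REMOTE = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}  # assumed: SSLv3 disabled
```
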
We have updated our server to disable SSLv2 and SSLv3 and only use TLS 1.0, but we continue to get an "Unknown Error" when posting transactions via AIM. We have tested the site/server using the Poodlescan and SSLlabs websites and they say we are good.
Can anyone shed some light? We are running Win2003 Server Enterprise Edition with ColdFusion as the programming language.
11-06-2014 07:54 AM
Which version of ColdFusion does your server use? And are you willing to share the code that connects to our API?
While I await your answer I will research whether there are ways to force ColdFusion to use TLS, or whether there is a specific version that you must use.
"Move fast and break things," out. "Move carefully and fix what you break," in.
11-06-2014 07:04 PM
One other thing: Which ciphers are supported by your server? For that matter, would you be willing to share an SSL Labs report for the server, or an equivalent?
"Move fast and break things," out. "Move carefully and fix what you break," in.
11-06-2014 07:15 PM
We're having problems as well connecting to secure.authorize.net. Our site is running on IIS 6.0 with ColdFusion 5. I've run the SSL labs tool against our server and secure.authorize.net, and the only difference that I can see is that ours has an SHA2 certificate. Would that be a problem? We've been getting a Connection Failure response ever since Nov 4.
11-07-2014 08:36 AM
SHA2 shouldn't be a factor, but it's entirely possible there is an element in your code that is attempting to use SSLv3. Is your installation pure ColdFusion? Or does it connect to us using something like cURL or Java?
Also, would you be willing to share your SSL Labs report with us?
"Move fast and break things," out. "Move carefully and fix what you break," in.
11-07-2014 08:39 AM
Pure ColdFusion.
I can share our SSL Labs report. How would you like me to share it?
11-07-2014 09:22 AM
We're having issues connecting via TLS 1.0 (even though authorize.net says it will work). Our ssllabs report is actually better than authorize.net's and it still won't connect. Could this be the problem in your case?
11-07-2014 09:31 AM