Thread for follow-up questions related to POODLE blog post at http://community.developer.authorize.net/t5/The-Authorize-Net-Developer-Blog/Important-POODLE-Inform...
โ11-04-2014 12:27 PM
The planned SSLv3 deprecation is complete. For more info, please visit our FAQs at http://www.authorize.net/support/poodlefaqs/
Richard
โ11-04-2014 05:17 PM - edited โ11-04-2014 05:20 PM
We have noticed some merchants have applied POODLE fixes asymmetrically.
For example, the server may have SSLv3 disabled, but the code may attempt to force SSLv3 anyway, causing connection issues.
Similar connections issues may occur if you try to force TLS 1.2 without ensuring your server can support TLS 1.2.
As a best practice, we recommend not forcing TLS or SSL in code, and letting the server use its defaults, which typically have the strongest security features. If you must force a security protocol, TLS 1.2 is recommended, but in general you may be able to force TLS without versioning for greater flexibility.
โ11-05-2014 03:17 PM
We have updated our server to disable SSLv2 and SSLv3 and only use TLS1.0 but we continue to get a "Unknown Error" when posting transactions via AIM. We have tested the site/server using the Poodlescan and SSLlabs websites and they say we are good.
Can anyone shed some light? We are running Win2003 Server Enterprise Edition with ColdFusion as the programming language.
โ11-06-2014 07:54 AM
Which version of ColdFusion does your server use? And are you willing to share the code that connects to our API?
While I await your answer I will research whether there are ways to force ColdFusion to use TLS, or whether there is a specific version that you must use.
โ11-06-2014 07:04 PM
One other thing: Which ciphers are supported by your server? For that matter, would you be willing to share an SSL Labs report for the server, or an equivalent?
โ11-06-2014 07:15 PM
We're having problems as well connecting to secure.authorize.net. Our site is running on IIS 6.0 with ColdFusion 5. I've run the SSL labs tool against our server and secure.authorize.net, and the only difference that I can see is that ours has an SHA2 certificate. Would that be a problem? We've been getting a Connection Failure response ever since Nov 4.
โ11-07-2014 08:36 AM
SHA2 shouldn't be a factor, but it's entirely possible there is an element in your code that is attempting to use SSLv3. Is your installation pure ColdFusion? Or does it connect to us using something like cURL or Java?
Also, would you be willing to share your SSL Labs report with us?
โ11-07-2014 08:39 AM
Pure ColdFusion.
I can share our SSL Labs report. How would you like me to share it?
โ11-07-2014 09:22 AM
We're having issues connecting via TLS 1.0 (even though authorize.net says it will work). Our ssllabs report is actually better than authorize.net's and it still won't connect. Could this be the problem in your case?
โ11-07-2014 09:31 AM