We have noticed some merchants have applied POODLE fixes asymmetrically.
For example, the server may have SSLv3 disabled, but the code may attempt to force SSLv3 anyway, causing connection issues.
Similar connection issues may occur if you try to force TLS 1.2 without ensuring your server can support TLS 1.2.
As a best practice, we recommend not forcing TLS or SSL in code, and letting the server use its defaults, which typically have the strongest security features. If you must force a security protocol, TLS 1.2 is recommended, but in general you may be able to force TLS without versioning for greater flexibility.
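An added example, not part of the original post and not Authorize.Net code: a small Python audit that searches client code for hard-coded protocol versions, the asymmetric fix described above where the server is updated but the code still forces a version. The sample lines and the host name are constructed, and the rule set is an illustrative assumption covering only a few libcurl/PHP, curl, Java and .NET settings.

```python
import re

# (severity, pattern). "obsolete" = code forces SSLv2/SSLv3, which fails once
# SSLv3 is disabled. "pinned" = code forces one TLS version, which fails if the
# local stack or the peer cannot speak it. Rules are illustrative, not exhaustive.
RULES = [
    # PHP/libcurl: the numeric values 2 and 3 mean SSLv2 and SSLv3.
    ("obsolete", re.compile(r"CURLOPT_SSLVERSION\s*,\s*(?:[23]\b|CURL_SSLVERSION_SSLv[23]\b)")),
    ("obsolete", re.compile(r"--sslv[23]\b")),                      # curl command line
    ("obsolete", re.compile(r"https\.protocols\s*=\s*[^\s\"']*SSLv[23]")),  # Java property
    ("obsolete", re.compile(r"SSLContext\.getInstance\(\s*\"SSLv[23]\"")),
    ("obsolete", re.compile(r"SecurityProtocolType\.Ssl3\b")),      # .NET
    ("pinned", re.compile(r"CURLOPT_SSLVERSION\s*,\s*(?:[1456]\b|CURL_SSLVERSION_TLSv1\w*)")),
    ("pinned", re.compile(r"https\.protocols\s*=\s*[^\s\"']*TLSv1")),
    ("pinned", re.compile(r"SecurityProtocolType\.Tls(?:1[123])?\b")),
]

def audit(lines):
    """Return (line_number, severity, text) for each line that forces a protocol."""
    findings = []
    for number, text in enumerate(lines, start=1):
        for severity, pattern in RULES:
            if pattern.search(text):
                findings.append((number, severity, text.strip()))
                break  # first (most severe) rule wins for this line
    return findings

# Constructed sample input: fragments of the kind found in gateway client code.
SAMPLE = """\
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
JAVA_OPTS="-Dhttps.protocols=SSLv3"
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
curl --sslv3 https://gateway.example.invalid/transact
$ch = curl_init($url);
"""

if __name__ == "__main__":
    for number, severity, text in audit(SAMPLE.splitlines()):
        print(f"line {number}: {severity:8} {text}")
```

Lines reported as `obsolete` need the forced version removed; lines reported as `pinned` are worth checking against what both ends actually support.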
We have updated our server to disable SSLv2 and SSLv3 and only use TLS 1.0, but we continue to get an "Unknown Error" when posting transactions via AIM. We have tested the site/server using the Poodlescan and SSLlabs websites and they say we are good.
Can anyone shed some light? We are running Win2003 Server Enterprise Edition with ColdFusion as the programming language.
Which version of ColdFusion does your server use? And are you willing to share the code that connects to our API?
While I await your answer I will research whether there are ways to force ColdFusion to use TLS, or whether there is a specific version that you must use.
One other thing: Which ciphers are supported by your server? For that matter, would you be willing to share an SSL Labs report for the server, or an equivalent?
We're having problems as well connecting to secure.authorize.net. Our site is running on IIS 6.0 with ColdFusion 5. I've run the SSL labs tool against our server and secure.authorize.net, and the only difference that I can see is that ours has an SHA2 certificate. Would that be a problem? We've been getting a Connection Failure response ever since Nov 4.
SHA2 shouldn't be a factor, but it's entirely possible there is an element in your code that is attempting to use SSLv3. Is your installation pure ColdFusion? Or does it connect to us using something like cURL or Java?
Also, would you be willing to share your SSL Labs report with us?
We're having issues connecting via TLS 1.0 (even though authorize.net says it will work). Our ssllabs report is actually better than authorize.net's and it still won't connect. Could this be the problem in your case?