cancel
Showing results for 
Search instead for 
Did you mean: 

POODLE Internet Security Issue

RichardH
Administrator Administrator
Administrator
38 REPLIES 38

The planned SSLv3 deprecation is complete. For more info, please visit our FAQs at http://www.authorize.net/support/poodlefaqs/

 

Richard

RichardH
Administrator Administrator
Administrator

We have noticed some merchants have applied POODLE fixes asymmetrically.

For example, the server may have SSLv3 disabled, but the code may attempt to force SSLv3 anyway, causing connection issues.

Similar connections issues may occur if you try to force TLS 1.2 without ensuring your server can support TLS 1.2.

As a best practice, we recommend not forcing TLS or SSL in code, and letting the server use its defaults, which typically have the strongest security features. If you must force a security protocol, TLS 1.2 is recommended, but in general you may be able to force TLS without versioning for greater flexibility.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

We have updated our server to disable SSLv2 and SSLv3 and only use TLS1.0 but we continue to get a "Unknown Error" when posting transactions via AIM. We have tested the site/server using the Poodlescan and SSLlabs websites and they say we are good.

Can anyone shed some light? We are running Win2003 Server Enterprise Edition with ColdFusion as the programming language.

webspinners
Member

Which version of ColdFusion does your server use? And are you willing to share the code that connects to our API?

While I await your answer I will research whether there are ways to force ColdFusion to use TLS, or whether there is a specific version that you must use.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

One other thing: Which ciphers are supported by your server? For that matter, would you be willing to share an SSL Labs report for the server, or an equivalent?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

We're having problems as well connecting to secure.authorize.net.  Our site is running on IIS 6.0 with ColdFusion 5.  I've run the SSL labs tool against our server and secure.authorize.net, and  the only difference that I can see is that ours has an SHA2 certificate.  Would that be a problem?  We've been getting a Connection Failure response ever since Nov 4.

SHA2 shouldn't be a factor, but it's entirely possible there is an element in your code that is attempting to use SSLv3. Is your installation pure ColdFusion? Or does it connect to us using something like cURL or Java?

Also, would you be willing to share your SSL Labs report with us?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Lilith
Administrator Administrator
Administrator

Pure ColdFusion.

I can share our SSL Labs report.  How would you like me to share it?

 

We're having issues connecting via TLS 1.0 (even though authorize.net says it will work).  Our ssllabs report is actually better than authorize.net's and it still won't connect.  Could this be the problem in your case?