POODLE Internet Security Issue

RichardH

@bwalleshauser Could you send us the Wireshark logs, please? I'd like to look those over.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

For everyone who wants to share their SSL Labs report--all I need is either the hostname of the server handling your API requests, or you can run the report and provide the URL to that.

As an example, here's the SSL Labs report for secure.authorize.net: https://www.ssllabs.com/ssltest/analyze.html?d=secure.authorize.net

One of the things I'm checking is to see whether anyone reporting issues has ciphers in common with us. There needs to be at least one common cipher for TLS to be able to encrypt the data. More ciphers in common, especially strong ciphers, are better.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Lilith
Administrator Administrator
Administrator

FYI - our server is now communicating with Authorize.net - CF 5 on Windows 2003 Server R2.  I had to switch from a CFHTTP call to a Microsoft XMLHTTP and XMLDOM object which gets sent as an XML request to api.authorize.net.


Instead of passing form fields via cfhttpparam, you will need to build an XML string with all the required XML data, pass that to Authorize.net, and then parse the returned XML response.  This method has been working successfully since Monday.


I will be happy to share code with anyone having the same CFHTTP connection failure with CF5 on Server 2003.


-Judy

Thanks for the info Judy.

We are in the process of changing to use SIM to get merchants running again. Some are good now with that and we have a couple other WebApps to still make SIM an option. I don't want to go through this again in a couple months when AuthNet stops supporting TLS1.0 forcing an upgrade to 20012 server and CF11 or something!

We played with using an ASP or PHP page to replace our AuthNetAIM.cfm connector but it would require as much work on the return and update/process invoices/orders paid as it would for SIM. And we don't have to worry about SIM breaking when they stop TLS1.0 support!

I read some people having problems with SIM but we have been successful using CF5 and posting some or most of the secure billing info we would normally collect on our secure sites.


-Michael

@webspinners I sincerely doubt we're going to disable it in a couple of months, unless there is a serious and well-publicized security issue with TLS 1.0 on the scale of POODLE.


While I can't rule out that possibility, it's more likely that TLS 1.0 will be around for the immediate future.

Nonetheless, with the already known security issues with TLS 1.0, it's best to avoid it when possible. Using SIM is certainly one way to approach that.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

@jms Could you send me the code, please? Or else post it here, so I can link to it if anyone else reports CF 2005 issues? Thanks!

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

Sure - here it is - for authCaptureTransaction types.  It can be easily modified for any transaction type.

The response comes back in XML format, which then needs to be parsed in order to extract the data.


<cfoutput>
<cfsavecontent variable="strXMLRequest">
<?xml version='1.0' ?>
<createTransactionRequest xmlns="AnetApi/xml/v1/schema/AnetApiSchema.xsd">
<merchantAuthentication>
<name>#apiloginid#</name>
<transactionKey>#transactionkey#</transactionKey>
</merchantAuthentication>
<refId>#invoice_number#</refId>
<transactionRequest>
<transactionType>authCaptureTransaction</transactionType>
<amount>#amount#</amount>
<payment>
<creditCard>
<cardNumber>#card_num#</cardNumber>
<expirationDate>#exp_date#</expirationDate>
<cardCode>#card_code#</cardCode>
</creditCard>
</payment>
<tax>
<amount>#taxamount#</amount>
<name>#state#</name>
<description>#state# State Tax</description>
</tax>
<customer>
<id>#cust_id#</id>
<email>#customeremail#</email>
</customer>
<transactionSettings>
<setting>
<settingName>testRequest</settingName>
<settingValue>false</settingValue>
</setting>
</transactionSettings>
</transactionRequest>
</createTransactionRequest>
</cfsavecontent>
<cfset strXMLRequest = trim(strXMLRequest)>

<!--- Create the Microsoft.XMLHTTP COM object that will POST the XML request to the Web Service --->
<cftry>
<cfobject action="connect" class="Microsoft.XMLHTTP" name="objXMLHTTP" type="com">
<cfcatch type="any">
<cfobject action="create" class="Microsoft.XMLHTTP" name="objXMLHTTP" type="com">
</cfcatch>
</cftry>

<!--- Create the Microsoft.XMLDOM COM object that will parse the XML response from the Web Service --->
<cftry>
<cfobject action="connect" class="Microsoft.XMLDOM" name="objXMLDOM" type="com">
<cfcatch type="any">
<cfobject action="create" class="Microsoft.XMLDOM" name="objXMLDOM" type="com">
</cfcatch>
</cftry>

<!--- Set up the XMLHTTP object and send the XML request (synchronous POST) --->
<cfset objXMLHTTP.Open("POST", "https://api.authorize.net/xml/v1/request.api", false)>
<cfset objXMLHTTP.setRequestHeader("Accept", "application/xml, text/xml, */*")>
<cfset objXMLHTTP.setRequestHeader("Content-Type", "text/xml; charset=utf-8")>
<cfset objXMLHTTP.send(strXMLRequest)>

<!--- Load the XML returned from the web service --->
<cfset objXMLDOM.async = false>
<cfset objXMLDOM.loadXML(objXMLHTTP.responseText)>

<!--- Output response --->
#objXMLHTTP.responseText#
</cfoutput>


-Judy
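Judy's approach (build the createTransactionRequest XML, POST it, parse the XML reply) rendered in Python as an added example; this is not code from the thread or from Authorize.net. It reuses the endpoint and namespace from the post above, pins the client to TLS 1.2 or newer so that SSLv3 and TLS 1.0 are never negotiated, and parses a constructed sample reply whose shape is an assumption.

```python
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NS = "AnetApi/xml/v1/schema/AnetApiSchema.xsd"           # namespace used in the thread's request
API_URL = "https://api.authorize.net/xml/v1/request.api"  # endpoint used in the thread
ET.register_namespace("", NS)                              # serialize NS as the default xmlns

def _add(parent, tag, text=None):
    # Append a namespaced child element, optionally with text content.
    el = ET.SubElement(parent, "{%s}%s" % (NS, tag))
    if text is not None:
        el.text = str(text)
    return el

def build_request(login_id, trans_key, ref_id, amount, card_number, exp_date, card_code):
    """Build the createTransactionRequest XML (authCaptureTransaction) as a string."""
    root = ET.Element("{%s}createTransactionRequest" % NS)
    auth = _add(root, "merchantAuthentication")
    _add(auth, "name", login_id)
    _add(auth, "transactionKey", trans_key)
    _add(root, "refId", ref_id)
    txn = _add(root, "transactionRequest")
    _add(txn, "transactionType", "authCaptureTransaction")
    _add(txn, "amount", amount)
    card = _add(_add(txn, "payment"), "creditCard")
    for tag, value in (("cardNumber", card_number), ("expirationDate", exp_date), ("cardCode", card_code)):
        _add(card, tag, value)
    return "<?xml version='1.0' ?>" + ET.tostring(root, encoding="unicode")

def parse_response(xml_text):
    """Extract resultCode, responseCode and transId from the response XML."""
    root, ns = ET.fromstring(xml_text), {"a": NS}
    return {"resultCode": root.findtext("a:messages/a:resultCode", namespaces=ns),
            "responseCode": root.findtext("a:transactionResponse/a:responseCode", namespaces=ns),
            "transId": root.findtext("a:transactionResponse/a:transId", namespaces=ns)}

def tls_context():
    """Client context that refuses SSLv3 and TLS 1.0/1.1; only TLS 1.2 or newer is offered."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def post_transaction(xml_text):
    # Same headers as the thread's XMLHTTP code, but sent over the hardened TLS context.
    req = urllib.request.Request(API_URL, data=xml_text.encode("utf-8"), headers={
        "Accept": "application/xml, text/xml, */*", "Content-Type": "text/xml; charset=utf-8"})
    with urllib.request.urlopen(req, context=tls_context()) as resp:
        return parse_response(resp.read().decode("utf-8"))

# Constructed sample reply (assumption: shaped like the API's createTransactionResponse)
SAMPLE_RESPONSE = ('<createTransactionResponse xmlns="%s"><messages><resultCode>Ok</resultCode>'
                   '</messages><transactionResponse><responseCode>1</responseCode>'
                   '<transId>1234567890</transId></transactionResponse></createTransactionResponse>' % NS)
```

Unlike the ColdFusion version, the parsed fields are returned as a dict rather than the raw response being echoed, so card data never reaches the page output.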

Thank you, Judy, I really hope this helps others with similar ColdFusion issues.


I note that ColdFusion is dependent on the Java Runtime Environment, but it also sounds like you'd have to upgrade both ColdFusion and the JRE together--CF8 needs Java 1.6 or older, while CF9 and CF10 can run on Java 1.7.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

Hello Jms,


We are currently having this same issue. Our customer did not tell us that this was going to happen until everything stopped working.


We are still having extreme issues getting this to work and were wondering if you would be interested in contacting us so we can pick your brain really quick.


This would be of great help.


Thomas Nichols

To All:


I'm a Senior Developer/Systems Administrator and I specialize in ColdFusion. I've blogged about CFHTTP and SSL issues regularly. I have several development servers that I can work with to test an option for ColdFusion 8 and older versions that run on JDK 1.6. We too have a client that is having issues with connecting via CFHTTP on CF8.0.1 and JDK 1.6.0_45. I would like to try importing updated Root CA Certs into the Java keystore to see if that helps with some issues.


Please respond if you are willing to work with me a bit. I can handle all the code, Java keystore imports, etc. I just need the public CA Root cert.


Regards,

Wil Genovese 

Sr. Web Application Developer/

Systems Administrator 


CF Webtools