cancel
Showing results for 
Search instead for 
Did you mean: 

Questions about upcoming updates and Magento.

Hello all, I have a few questions about the upcoming updates and my Magento server and would appreciate any info before I make changes. 

 

We are running Magento 1.6.2 and are using the built in Auth.net section of the admin. We have been up and running successfully now with Auth.net for 4 or 5 years and currently have no connection issues.

 

I am running the Authorize and Capture option and still using theold  https://secure.authorize.net/gateway/transact.dll url. 

 

My first question pertains to the Akamai update and which url to use. I'm assuming i need the https://secure2.authorize.net/gateway/transact.dll url correct?   Would there be that big of a risk changing this on the live server and Saving it?  We run a dedicated server on Host Gator so we should have no firewall restraints or anything like that that I would know of. 

 

 

The next question is about the upcoming Sept 21st  SHA-2 update.

 

If I'm reading everything correctly and understanding it, secure.authorize.net was switched over in May and api.autho.net is switching on Sept. 21.  

 

Looking at the url that I use in my magento install, I assume that I fall under the May update which has already happened therefore, since Im having no connection issues I am good to go... is this thinking correct? or do I still need to worry about the Sept. 21 update?

 

The other thing I am unclear about, because of my lack of knowlege with SSL Certs etc. is in order for this new SHA-2 connection to work between my website and Auth.net is it that these certificates have to be installed on my actual server? or does this have anything to do with the SSL cert that we run on our Magento domain for our secure shopping cart.. which at this time is still only a SHA-1 cert. 

 

I really appreciate any help anyone can give me on this.. 

 

I feel like I'm good to go on the SHA-2 update and all i need to do is change out to the Akamai url and all will be good.. but I wanted to run this by everyone because I kinda had this dumped on me and want to make sure I dont wake up on Sept 21 and have a broken connection.. 

 

Thank you very much.

 

Rob J.

cup1d1nt
Member
3 REPLIES 3

Hello @cup1d1nt

It's been a while since this was first posted. I would recommend subscribing to this topic so that you'll be alerted via email if anyone from the community is able to respond with any comments. To subscribe, click Topic Options at the top of this thread and then select Subscribe. You'll then receive an email once anyone replies.

Thanks,

Richard

RichardH
Administrator Administrator
Administrator

Hi Rob, I had the same question and after a bit of research, I couldn't seem to find any information specific to the built-in Magento installation. I went ahead and changed the Gateway URL to https://secure2.authorize.net/gateway/transact.dll, flushed the cache, and tested it with a live transaction and it still worked. (We use 1.4.0.1)

Hope this helps,

Jeanine

satinflame
Member

@satinflame Thank you for the comment. It's good to know that the switched URL has had no impact to your Magento solution.

For the sake of clarifying the SHA-2 issue: The concern was that, when we updated our domain certificates to use SHA-2 signatures, some older platforms would not be able to verify the signatures. Most modern platforms, however, support SHA-2 just fine.

 

There shouldn't be any concern with connections to the Authorize.Net API if your own domain certificate still uses SHA-1, although this is not a best practice. If you initialize a connection with our servers, your connection would verify our domain certificate to confirm it is safe to secure the connection.

We would only need to connect to your server, and validate your domain certificate, if you are using Relay Response or Silent Post to gather transaction data with an HTTPS URL. At this point we should not be refusing Relay Response or Silent Post connections due to SHA-1 certificates.

That said, if your domain certificate uses SHA-1, you should update it at your earliest opportunity, as more and more browsers and servers will begin to treat SHA-1 certificates as insecure.

EnTrust has a FAQ on SHA-1 versus SHA-2 which might help clarify the issue:

https://www.entrust.com/lp/sha-1-sha-2-faq/

 

--
"Move fast and break things," out. "Move carefully and fix what you break," in.