Relay Response not getting hit. SHA2 certificates and Authorize.net suspect

Does anyone know if Authorize.net accepts the newer SHA2 encryption? Our production servers which use this type of certificate do not receive the RelayResponse.

 

We found an article on SHA2 encryption issues with WIN2003 servers KB968730. We know Authorize.net uses Win 2003 servers based on http headers, which tell us IIS6.0.

evoDev
Member

I would recommend in the short term to have your certificate re-issued.

 

Richard

Just adding to the list, I'm also having Relay Response failures with a SHA-2 Cert created by GoDaddy. Seeing if I can downgrade it to SHA-1 for now...

Aha.  I'm glad to have stumbled across this post.

 

We were hit by this recently when updating our expiring SSL certificate.  The thing that is odd is that some of the charges/relay responses go through correctly, somewhere around 3-5%.  That doesn't make any sense to me unless there is a round-robin-type server that has one correctly configured server, and other broken ones.

 

I'll check if I can get an SHA1 certificate issued, but I think at minimum you should put it in your FAQ that your servers don't work with current SSL certificates, and to recommend finding a provider that will issue the older style, if such places exist.

 

What is the ETA for applying the published hotfix for this problem?

jondaley
Contributor

My ssl provider no longer issues SHA1 certificates except for 1 year, 1 domain certificates, which isn't what I'm using.

 

Apparently, they also automatically publish revocation lists so my old certificate might not work for everyone, though it appears that it is okay.

 

Note that Microsoft says SHA1 certificates aren't secure, and people shouldn't be using them.

 

http://www.infoq.com/news/2013/11/SHA-1

 

Please update your systems as soon as you can, as we'll have to use manual credit card entering/verification until you do.

Here is someone who has spent some time on the phone with authorize.net, which is where I was headed next, but it sounds like it didn't get anywhere.

 

http://stackoverflow.com/questions/21390144/authorize-net-dpm-fails-with-an-sha-256-ssl-cert

 

If I turn off SSL on the relay response, are there security issues there?  Hackers would have to be able to guess the correct transaction ids to be able to post information to that URL, and they are all one-time use ids, right?  So, even if a hacker sniffed the connection, he couldn't do anything bad?  Is that a reasonable solution?

Email customer support tells me that turning off SSL for the relay response request is a perfectly fine solution.

 

Developers are "actively working on a fix", so hopefully, they'll post here once they've applied the hotfix from microsoft.

I've confirmed that authorize.net reports a "script timed out" issue when there are SSL parsing problems.  It would be nice if that error message could be changed - if you search on these forums for "script timed out" you will find self-signed certificate errors, namevirtualhost configuration issues, etc.  It would save a lot of frustration and support time if the error "script timed out" only happened after a time out.

 

I noticed that the "script timed out" error happens immediately when there is a SSL certificate issue.

 

I've gotten zencart to not send an ssl URL in the x_relay_URL but zencart uses a 302 response in their default relay_URL, which goes to an SSL encrypted page, so authorize.net still barfs on it.

 

One good way to prove that it is authorize.net's fault is by turning off the on-site credit card processing - the credit card is then charged by authorize.net, but the redirect back to the site fails instantly because it can't parse the SSL certificate.

 

I'm going to look into hacking zencart's code into not using SSL on the response, but I don't think there is going to be a secure way to do that, because if the credit card validation fails, we'll end up with a non-ssl page to type in the credit card number on, and I don't know if I can hack zencart into being smart enough to redirect correctly.

 

I wonder if I did the redirect in javascript, to take authorize.net broken parser out of the picture, if that would work.

 

It would be really nice to have authorize update their servers (and it's sort of scary that they don't keep their microsoft servers up-to-date - surely there have been security issues in the last 9 months that weren't applied to these servers?)

jondaley
Contributor
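Several posters above had to ask their CA or guess from the "script timed out" error whether the certificate on their relay-response URL was SHA-1 or SHA-2 signed. The following is an added example (not from this thread and not Authorize.net code): a standard-library Python check that reads the signatureAlgorithm OID out of a DER certificate. The byte strings at the bottom are constructed skeletons that carry only the fields the parser reads, not real certificates; for a live site, feed `pem_signature_algorithm` the output of `ssl.get_server_certificate((host, 443))`.

```python
"""Report whether an X.509 certificate is SHA-1 or SHA-2 signed (stdlib only).
Reads the signatureAlgorithm OID that follows tbsCertificate (RFC 5280, 4.1)."""
import ssl
# RSA PKCS#1 v1.5 and ECDSA signature OIDs -> (name, hash family)
SIG_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this base-128 arc
            arcs.append(str(val))
            val = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Return (oid, name, hash_family) for a DER-encoded certificate."""
    tag, start, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _tlv(der, start)                # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)            # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)  # its algorithm OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return (oid,) + SIG_OIDS.get(oid, ("unknown", "unknown"))

def pem_signature_algorithm(pem):
    """Same check for PEM text, e.g. ssl.get_server_certificate((host, 443))."""
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

# Constructed skeletons (NOT real certificates): a placeholder tbsCertificate,
# the AlgorithmIdentifier under test, and a one-byte BIT STRING signature.
SKELETON_SHA256 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff")
SKELETON_SHA1 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101050500" "030200ff")
```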

Hello @jondaley:

 

A solution for the SHA2 certificate issue is currently moving through our rigorous QA process.  I'll post an update when it releases to the sandbox and production.

 

Richard

Great - glad to get a response.  Do you have any sort of guess about the timeline - like a couple days, a couple weeks, a couple months?

... Coming Soon :smileyhappy:

 

It will not be months, but I don't have better information than that.

 

Richard