The CIM API is timing out for us. Is anyone else having this issue or is it just us?
@bbot: I believe there is a directive in httpd.conf, SSLProtocol, where you can force this. As our servers currently support SSL v3 and TLS 1.0, you'd use "SSLProtocol +SSLv3 +TLSv1". The directive is better documented at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol so you may want to reference against that. Also, you may want to check your code base in case there is a call to the SSLProtocol directive that supersedes what is in httpd.conf.
@gmarlett: The original plan was to make the same changes in our new Production environment which isn't yet taking API traffic. I'm keeping our management and development teams informed so we can determine the best way to phase this in with minimal impact. Good to hear that upgrading to OpenSSL 1.0.1g fixed the issue in Sandbox.
@lethjakman: I suspect you have a persistent connection to the Transact servers in Sandbox, so you wouldn't see the change until you reconnected.
06-03-2014 01:48 PM
@lethjakman: Which SSL protocols are enabled in httpd.conf currently?
06-03-2014 01:52 PM
Adding:
curl_setopt($curl_request, CURLOPT_SSLVERSION, 3);
To line 93 of AuthorizeNetRequest.php in the PHP API fixed the problem. Thank you for your help.
06-03-2014 01:57 PM
I quickly tested our production server with the sandbox (it's not really in production yet). It is using openssl-1.0.1e-16.el6_5.7.x86_64. It did not have the problem.
06-03-2014 02:21 PM
@gmarlett: Which protocols are configured on that 1.0.1e setup?
06-03-2014 02:29 PM
I tried changing httpd.conf to force SSLv3 and TLS 1 but it didn't work.
06-03-2014 02:42 PM - edited 06-03-2014 02:43 PM
This is in the ssl.conf file (I want to reiterate that this *is* working with the Sandbox)
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
06-03-2014 02:43 PM
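Added example (not part of any post in this thread): how mod_ssl evaluates the two SSLProtocol values mentioned above, "+SSLv3 +TLSv1" and "all -SSLv2". The function names and the protocol list behind "all" (mod_ssl 2.2 built against OpenSSL 1.0.1 or later, per the mod_ssl documentation linked earlier) are assumptions of the example.

```python
# Added example, not code from the thread. ALL_PROTOCOLS is an assumption:
# what "all" expands to when mod_ssl 2.2 is built against OpenSSL 1.0.1+.
ALL_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample input, modelled on the ssl.conf excerpt quoted above.
SAMPLE_CONF = """\
SSLCipherSuite HIGH:MEDIUM:!ADH
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
"""

def active_directive(conf_text):
    """Return the last uncommented SSLProtocol line (ignores <VirtualHost> scoping)."""
    found = None
    for line in conf_text.splitlines():
        words = line.split()
        if words and words[0].lower() == "sslprotocol":
            found = " ".join(words)
    return found

def effective_protocols(directive_line, known=ALL_PROTOCOLS):
    """Apply the tokens left to right: a bare name resets the set,
    +name adds to it, -name removes from it."""
    words = directive_line.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive_line)
    canonical = {p.lower(): p for p in known}
    enabled = set()
    for tok in words[1:]:
        action = tok[0] if tok[0] in "+-" else ""
        name = tok[len(action):].lower()
        if name == "all":
            chosen = set(known)
        elif name in canonical:
            chosen = {canonical[name]}
        else:
            raise ValueError("unknown protocol token: %r" % tok)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = set(chosen)
    return [p for p in known if p in enabled]

if __name__ == "__main__":
    for line in (active_directive(SAMPLE_CONF), "SSLProtocol +SSLv3 +TLSv1"):
        print(line, "->", ", ".join(effective_protocols(line)))
```

SSLProtocol governs the connections mod_ssl itself accepts; outbound cURL requests made from PHP take their protocol version from the client library and options such as CURLOPT_SSLVERSION.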
06-03-2014 03:00 PM
I'm currently using nginx with rails. I don't believe I have an httpd.conf. No? Weird thing is...they'd all be running exactly the same one if there were one. I'm just using Phusion Passenger with "passenger start"
06-03-2014 03:13 PM
Server Type: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4
ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH
06-03-2014 03:18 PM