Cybersource Developer Community Cybersource Developer Community

Have your host validate that both of these keys are created with the value of 0x00000800:

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

- you go into detail about doing the Easy Fix, but what exactly did the Host do to actually enable TLS 1.2?  The Easy Fix (modifying those 2 registry keys) only tells your server what level to default to.  But my host had to first enable 1.2 (and because Authorize.net told me to do so, disable TLS 1.0 and 1.1).  They used IISCrypto.exe to do that, but they did it--not me.  So I don't know the full details.  I know that if I Remote Desktop in to the server (our is a VPS server), I can see that they installed IISCrypto and have a shortcut to it on the desktop.  If I run it, I can see all the different Protocols available, and only TLS 1.2 is checked--all others are unchecked.

I also was able to verify that they did it right by going to either of these two websites and entering the domain name of my website:  http://ssl-checker.online-domain-tools.com/ or https://www.ssllabs.com/ssltest/.  In both cases, the resulting report shows that TLS 1.2 is supported, and TLS 1.1, TLS 1.0, SSL 3 and SSL 2 are all not supported, which is what I wanted.

So use one of those (I think the second link gives a report that's a little easier to read) to make sure your server is indeed supporting 1.2.

Also, I will say that while your code and mine is almost identical, down to us choosing the same variable names, my code uses this line:

   Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")

instead of what you had (without the .6.0).  But I have a feeling both would work, but once you know your TLS level is correct, if things still don't work, you might try swapping out that line.

I sure hope you get back up and running (or already have).

Tom

Thank you so much for your replies.  I didn't realize until just now that you had responded.  I assumed I would receive a email notice from the forum but I did not (I even checked spam) but I should have kept checking the forum.  I apologize for not taking advantage of your advice sooner.  We are still struggling with manual billing and boy is it a struggle!

I will talk to the server administrator asap with your comments and suggestions.

Thanks,

Alexis

HI Tom,

I also wanted to reply to your point about the "set xml" line.  After initially reading this thread, I had already tried adding the 6.0 but it didn't work.  I just tested again after the server people made their changes, and I am still getting the same error message. (Again, I changed our identifying data to xxxx below.)

<%

'test_tls_030418.asp  3/4/18

'Const x_login = "xxxx"

'Const x_tran_key = "xxxx"

Dim xml, strStatus, strRetval

On Error Goto 0

Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")

xml.open "POST", "https://secure.authorize.net/gateway/transact.dll?x_login=xxxx&x_tran_key=xxxx&x_delim_data=true&x_d...", false

xml.send ""

strStatus = xml.Status

strRetval = xml.responseText

Response.Write "here="

Response.Write xml.responseText

Response.End

%>

Error message I get when running this code:

msxml6.dll error '80072f7d'

An error occurred in the secure channel support

/test_tls_030418.asp, line 11

Thanks again,

Alexis

Our server manager made the changes based on your posts as follows:

--------------------------------------

Once we updated to TLS 1.2 , the HKEY values were automatically set to xa00 which means that the server can function via TLS version 1.1 and 1.2.

The scan of the server shows that it is enabled for all tls versions.
Based on my understanding of your previous requirement for tls 1.2 what we have should be fine.

However since you are having problems with authorize.net, we have changed the registry setting to x800 (tls 1.2 only).  I have rebooted the server so please retry.

------------------------------------------

After they were done, I tested the following code on our server:

<%
'test_tls_031518B.asp  3/15/18

Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText & "<br>"
Set objHttp = Nothing
%>

But I still get the same "bad" error as before.

{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":true,"session_ticket_supported":true,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA":["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],"TLS_RSA_WITH_3DES_EDE_CBC_SHA":["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],"TLS_RSA_WITH_RC4_128_MD5":["uses RC4 which has insecure biases in its output"],"TLS_RSA_WITH_RC4_128_SHA":["uses RC4 which has insecure biases in its output"]},"tls_version":"TLS 1.0","rating":"Bad"}

I am not familiar with servers so I am just relaying your suggestions to the server people to make the changes and then relaying their responses back. I'm not sure what else to do.  I really want to get this working as our payment processing has been down since 3/1.

Thanks in advance for any help you can offer.

Alexis

Hi.  I was hoping to get some more help.  I know you are all busy but we are still trying to get our website's connection to authorize.net working.

Currently the server people have installed iiscrypto.exe and finally we were able to see the correct SSL settings on the SSL check; "No" to everything except for TLS 1.2. 

Unfortunately, though, this change broke the website.  The server people re-enabled SSL 3.0 and the website worked again, however, we still can't connect to authorize.net with SSL 3.0 enabled and showing "Yes" on the SSL settings test.  So now the SSL settings test shows "No" to everything except TLS 1.2 and SSL 3.0.  We need to find a way to disable SSL 3.0 without breaking the website.

We also had a problem with RDP once the old TLS and SSL 3.0 were disabled but that issue is resolved and I can use RDP again to connect to the server.

We are so close.  The server people opened a case with Microsoft, who determined that, without SSL 3.0, my connection string in classic asp is not working to SQL Server 2012 Exptress.  I do not know why!

Here's a sample of how I connect, which was determind by Microsoft's testing as the problem:

Set conn = Server.CreateObject("ADODB.Connection")

I found this link (below) about how this happened to other people and how they resolved it but these options are all severe.  I use this connection string throughout my code.

http://www.mytecbits.com/microsoft/sql-server/disabling-tls1-ssl3-affects-sql-server

Did any of you have this problem with your connection string after disabling SSL 3.0?

Thanks,
Alexis

Make sure you are using this for the Provider in the conn.open string

conn.open = "Provider=SQLNCLI11;

and add:

DataTypeCompatibility=80;

Should look something like this:

Set conn = Server.CreateObject("ADODB.Connection")
conn.open = "Provider=SQLNCLI11;Server=YourServerName;User ID=Username;Password=password;Database=databasename;DataTypeCompatibility=80;"

Set your connection string like above and test it.  If it works, then disable SSL 3.0, TLS 1.0 and TLS 1.1 and test again.  If it still does not work then you do not have the correct SQL driver on the database server.

For the life of me I can't understand why MS would not have told you this.

Thank you.  It's been a long few weeks trying to get this working while manually billing all the clients.

The server people told me tonight that they would have Microsoft contact me about this issue but I didn't hear from MS tonight and I don't want to keep dragging this out.  I just want to get it working.

I am going to test this now based on your input.

Thanks,

Alexis

Update: I changed all the connection strings as recommended and tested.  The website worked fine.  We disabled SSL 3.0 and, unfortunately, we got the same connection errors.  Line 90 is when a function in an include file is called to open the connection.

Microsoft SQL Server Native Client 11.0 error '80004005'

Encryption not supported on the client.

/index.asp, line 90

We had to enable SSL 3.0 again.

We have a case opened with MS at this point and I am preparing an email with info on everything.  I just need to get the SQL Server driver info from the server people and then I can send the info to MS.  The server people do not want to change the SQL Server driver or anything else unless MS says to do it.

I will keep you posted.  Thanks again for all your help.

Alexis