developer.authorize.net developer.cybersource.com
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a question

Request for Comments: API Best Practices

We just posted a draft of our upcoming API Best Practices Guide.

Please post your feedback below. Thanks!

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
1 person had this problem.
Lilith
Administrator Administrator
Administrator

‎01-29-2016 10:43 AM - edited ‎01-29-2016 10:51 AM

26 REPLIES 26

For example, in .NET 4.5, TLS 1.2 is enabled by default. Upgrading to .NET 4.5 should provide your solution with support for TLS 1.2.

 

That enables it in the platform, but you still need to interact with System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | SecurityProtocolType.Tls11 | SecurityProtocolType.Tls12; to enable the use of TLS 1.2 (while keeping TLS 1.0 for other services you may contact that are not yet enabled for modern TLS) on outbound connections, somewhere in your application startup. By default, an HttpWebRequest or WCF client will use only SSL 3.0 and TLS 1.0 for outbound connections. (Inbound connections to your Windows server are controlled by registry settings which are easily managed by a tool called IIS Crypto and are independent of the .NET Framework version.) 

 

http://stackoverflow.com/a/29221917/32187

 

If you're unable to make code changes to your application to change the flags passed into SecurityProtocol, you can force all .NET applications on the machine to use TLS 1.2, 1.1, and 1.0 if available by setting a different registry setting.

 

http://stackoverflow.com/a/28502562/32187 and http://stackoverflow.com/a/34009938/32187

 

Hope this helps someone.

npiasecki
Regular Contributor

‎01-30-2016 06:25 AM

npiasecki: I was about to post the same thing, nice post.  

 

The Best Practices article should be updated to remove this inaccurate text and say something of the following instead "In .NET 4.5, TLS 1.2 is supported, but NOT enabled by default.  You must set the SecurityProtocolType to enable TLS 1.2.

 

This is going to be a MAJOR issue come 2017 when Authorize.net disables TLS 1.0 and TLS 1.1 for probably 99% of .NET apps.

 

I can personally verify this is an issue since we've run into this exact same problem in a non authorize.net connection and you have to set the flags.  Here is another SO article to support:

 

http://stackoverflow.com/questions/28286086/default-securityprotocol-in-net-4-5

 

 

mikeada
Member
In response to npiasecki

‎02-18-2016 01:44 PM

@npiasecki @mikeada Thank you both for your feedback, and for the excellent point.

When that particular clause was added, it was because there was concern that the API Best Practices was very abstract, and it was hoped that adding that clause about .NET 4.5 would help provide a concrete example useful for developers. But your point is very valid, and we'll take that into consideration when making updates, prior to the final version.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Lilith
Administrator Administrator
Administrator
In response to mikeada

‎02-22-2016 10:40 AM

0 Kudos

I've updated practice #3 with these specifics:

Note that you may need to make code changes to enable security features of the new security patches. For example, in .NET 4.5, TLS 1.2 is available by default. Upgrading to .NET 4.5, and adding “SecurityProtocolType.Tls12” to the System.Net.ServicePointManager.SecurityProtocol property, should provide your solution with support for TLS 1.2. Please consult your platform and framework documentation for more details. 

 

Thanks again for the feedback--and please let us know if you have any more comments or suggestions.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Lilith
Administrator Administrator
Administrator
In response to Lilith

‎02-24-2016 01:21 PM

0 Kudos

Much better, thank you, that will hopefully save a lot of people some headaches.  It's not a well documented problem and Microsoft should probably make it the default IMHO.

mikeada
Member
In response to Lilith

‎03-01-2016 11:39 AM

0 Kudos

Dear,

I'm following this security update for our Authorize.Net integration, we're using ASP Classic to submit the service post_url = https://secure2.authorize.net/gateway/transact.dll as below:

                   Set objRequest = Server.CreateObject("MSXML2.ServerXMLHTTP")
                   objRequest.open "POST", post_url, false
                   objRequest.send post_string

I'm not clear too much about #3, #4, #5 in this article:

#3: Our OS is Window 2012 R2 , when we try to submit to Authorize test environment then it works

https://test.authorize.net/gateway/transact.dll

So do we need specify the security protocol like .Net in ASP? 

System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12 , if so can you provide the option in ASP?

#4: Our checkout feature process payment as above post, with type are CAPTURE_ONLY, CREDIT and VOID payment, that is called our production environment handles payment data? and do we need a DMZ?

#5: "Specifically, you must not count HTTP header lines to determine where the API response begins, as HTTP headers are subject to change without prior notice."-> sorry I'm not clear this too, with our above progress, what we need to update?

Thank you!

vantamvtf
Member

‎03-25-2016 09:00 PM

0 Kudos

Before I respond, I should make clear this is an API Best Practices document, not an API Requirements doc. While there are strong statements in this document, emphasized by "must" and "must not," it does not presume to cover every situation, and there may be situations when your solution cannot perfectly adhere to these practices.

Regarding your first question re: Practice #3 -- I'll need to do more research into this, as I am not an expert at ASP Classic. But I am somewhat dubious that ASP Classic allows for support of TLS 1.1 or TLS 1.2. Do any forum readers have better information at hand?

Please note that test.authorize.net currently accepts TLS 1.0, 1.1, and 1.2 connections, which means your solution could be using TLS 1.0. We are discussing when to disable TLS 1.0 in Sandbox and will have an announcement date at a later time.

Re: Practice #4 -- DMZs are required if you are handling payment information and storing it, whether in a temporary variable or a permanent database record. They're recommended if you're storing personally identifying information such as people's names, addresses, email addresses, phone numbers, etc. If you aren't storing any such information, there's no need for you to have a DMZ.

Re: Practice #5 -- Some create their own HTTP parsers in the code and make assumptions about how long, or how large, our HTTP headers are. If we make changes to the HTTP headers, their solutions break. If you are using a parser that's baked into your coding framework, there's a good chance that it properly handles headers by looking for the newline. And in that case, you don't have to do a thing differently.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Lilith
Administrator Administrator
Administrator
In response to vantamvtf

‎03-29-2016 08:45 AM - edited ‎03-29-2016 08:55 AM

Dear, thank you a lot for your response, it's helpful for me, our system is already enabled TLS1.2 and disabled early TLS.

vantamvtf
Member
In response to Lilith

‎03-30-2016 02:33 AM

0 Kudos

I think our solution satisfies the TLS 1.2 and cipher requirements.

Operative word here is "think". It is a little scary that we don't know for sure.

Is there a test url we can try a simple post-response to make sure our solution satisfies the new cipher requirements before they go live?

 

Thank you for your attention,

Eric

 

ericwnyc
Member

‎03-30-2016 11:33 AM

0 Kudos
Copyright © 2024 Khoros, LLC