Reply
Member
Posts: 1
Registered: ‎10-30-2014

Need a sanity check for PHP / cURL solution (b/c of POODLE)

Since the sandbox (https://test.authorize.net/gateway/transact.dll) now has SSLv3 disabled, I figured it was a good time to test against it, to ensure we're ready for Nov 4.

We're using homegrown PHP/cURL solution since this was written before the SDK existed.

Test 1: simply direct a test version of our payment code to the sandbox, of course using sandbox credentials.
- success!  

Test 2: add a cURL directive forcing TLS, just in case: curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
- success!

Wait, can it be that easy?  We're using an old version of cURL (7.15.x) that I wasn't even aware it supported TLS!

Can you fine folks give me a sanity check?  Since SSLv3 is already disabled in the sandbox, if I'm successfully able to connect and process there, then I should be set for Nov 4, correct? (Obviously, assuming all else remains constant...)

Thanks!

Posts: 321
Topics: 5
Kudos: 36
Blog Posts: 5
Ideas: 0
Solutions: 26
Registered: ‎11-09-2011

Re: Need a sanity check for PHP / cURL solution (b/c of POODLE)

I think you're right on track. If you can connect to Sandbox, then your setup is favoring TLS, possibly forcing TLS outright.

Do bear in mind that libcurl, the programming library for accessing cURL, can be compiled to use a number of security libraries, including OpenSSL, SChannel, and others. Despite the age of your installation of cURL, it could be using a more up-to-date security library.

A list of all the possible programming libraries for libcurl may be found here: http://curl.haxx.se/docs/ssl-compared.html

 

If you run the command curl -V it should tell you which security libraries it's using.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.