Reply
Highlighted
Posts: 2,765
Topics: 57
Kudos: 245
Blog Posts: 67
Registered: ‎12-05-2011

POODLE Internet Security Issue

Posts: 2,765
Topics: 57
Kudos: 245
Blog Posts: 67
Registered: ‎12-05-2011

Re: POODLE Internet Security Issue

[ Edited ]

The planned SSLv3 deprecation is complete. For more info, please visit our FAQs at http://www.authorize.net/support/poodlefaqs/

 

Richard

Posts: 321
Topics: 5
Kudos: 36
Blog Posts: 5
Ideas: 0
Solutions: 26
Registered: ‎11-09-2011

Re: POODLE Internet Security Issue

We have noticed some merchants have applied POODLE fixes asymmetrically.

For example, the server may have SSLv3 disabled, but the code may attempt to force SSLv3 anyway, causing connection issues.

Similar connections issues may occur if you try to force TLS 1.2 without ensuring your server can support TLS 1.2.

As a best practice, we recommend not forcing TLS or SSL in code, and letting the server use its defaults, which typically have the strongest security features. If you must force a security protocol, TLS 1.2 is recommended, but in general you may be able to force TLS without versioning for greater flexibility.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Member
Posts: 6
Registered: ‎11-06-2014

Re: POODLE Internet Security Issue

We have updated our server to disable SSLv2 and SSLv3 and only use TLS1.0 but we continue to get a "Unknown Error" when posting transactions via AIM. We have tested the site/server using the Poodlescan and SSLlabs websites and they say we are good.

Can anyone shed some light? We are running Win2003 Server Enterprise Edition with ColdFusion as the programming language.

Posts: 321
Topics: 5
Kudos: 36
Blog Posts: 5
Ideas: 0
Solutions: 26
Registered: ‎11-09-2011

Re: POODLE Internet Security Issue

Which version of ColdFusion does your server use? And are you willing to share the code that connects to our API?

While I await your answer I will research whether there are ways to force ColdFusion to use TLS, or whether there is a specific version that you must use.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
Posts: 321
Topics: 5
Kudos: 36
Blog Posts: 5
Ideas: 0
Solutions: 26
Registered: ‎11-09-2011

Re: POODLE Internet Security Issue

One other thing: Which ciphers are supported by your server? For that matter, would you be willing to share an SSL Labs report for the server, or an equivalent?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
jms
Member
Posts: 7
Registered: ‎11-07-2014

Re: POODLE Internet Security Issue

We're having problems as well connecting to secure.authorize.net.  Our site is running on IIS 6.0 with ColdFusion 5.  I've run the SSL labs tool against our server and secure.authorize.net, and  the only difference that I can see is that ours has an SHA2 certificate.  Would that be a problem?  We've been getting a Connection Failure response ever since Nov 4.

Posts: 321
Topics: 5
Kudos: 36
Blog Posts: 5
Ideas: 0
Solutions: 26
Registered: ‎11-09-2011

Re: POODLE Internet Security Issue

SHA2 shouldn't be a factor, but it's entirely possible there is an element in your code that is attempting to use SSLv3. Is your installation pure ColdFusion? Or does it connect to us using something like cURL or Java?

Also, would you be willing to share your SSL Labs report with us?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.
jms
Member
Posts: 7
Registered: ‎11-07-2014

Re: POODLE Internet Security Issue

Pure ColdFusion.

I can share our SSL Labs report.  How would you like me to share it?

 

Member
Posts: 3
Registered: ‎11-07-2014

Re: POODLE Internet Security Issue

We're having issues connecting via TLS 1.0 (even though authorize.net says it will work).  Our ssllabs report is actually better than authorize.net's and it still won't connect.  Could this be the problem in your case?