cancel
Showing results forย 
Search instead forย 
Did you mean:ย 

POODLE Internet Security Issue

RichardH
Administrator Administrator
Administrator
37 REPLIES 37

Sounds pretty similary.  Are you running ColdFusion too?

Testing in Fiddler, I get "No proxy-authenticate header is present" and "no www-authenticate header is present".  We've been using this code for years, so some requirement may have changed.  Is there a specific proxyserver I should be specifying in my request?

Yes, we are also using CF5 Enterprise Ed on a Win203 Server Enterprise Ed. We upgraded from 2000 Server when we began having this problem on the 4th to get TLS1.0 support. Though, after some other testing on another 2000 Server SSL site it appears it already had TLS1.0 support??
We disabled SSLv2 and v3 in the registry so it can only use the TLS1.0 but since we are still getting this UNKNOWN ERROR on the AIM transaction we are beginning to think it has to be that CF5 forces SSLv3 rather than the server default when doing a CFHTTP post to the AuthNet gateway.  I don't mind sharing report or code. We have several custom order apps that use our AIM and CF5 solution and all are getting this same UNKNOWN ERROR.
https://www.ssllabs.com/ssltest/analyze.html?d=shop.vs2000.net&hideResults=on provides more info than the POODLESCAN.COM site report.
As for code... I will put it in the next message. Not Rocket science so I'm not too worried about other users "Stealing" my code. It may help them write better CF apps for AIM...

 

- Michael

webspinners
Member

Thanks.  I don't think Server 2003 is the problem - we've been using 2003 R2 for years and never had this problem.  I'm leaning towards the same conclusion - that CF5 forces SSL v3.  Still testing more...

The UNKNOWN ERROR does come from our code when it gets a response from AuthNet that is other than 1,2,3,4...see near the bottom of this code. 
We do a secure post to this page AuthNetAim.cfm which then posts and gets info from AuthNet and displays a THANKS or Error info and then process further approved orders.

Thanks in advance ALL for any help. I see I am not the only one using a CF5/Win2000/2003 AIM code.

-Michael
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

 


<!--- Value returned from Authnet are comma delimited by default, it is necessary to strip any commas in the submission --->
<cfset Delimiter=",">

<CFHTTP METHOD="POST"
URL="https://secure.authorize.net/gateway/transact.dll"
RESOLVEURL="YES">

<cfhttpparam type="FORMFIELD" name="x_Test_Request" value="False">
<cfhttpparam type="FORMFIELD" name="x_Email_Customer" value="true">
<cfhttpparam type="FORMFIELD" name="x_Email_Merchant" value="true">
<cfhttpparam type="FORMFIELD" name="x_Relay_Response" value="false">
<cfhttpparam type="FORMFIELD" name="x_Delim_Data" value="true">
<cfhttpparam type="FORMFIELD" name="x_Delim_Char" value=",">
<cfhttpparam type="FORMFIELD" name="x_login" value="#AuthNetLogin#">
<cfhttpparam type="FORMFIELD" name="x_tran_key" value="#AuthnetTransactionKey#">
<cfhttpparam type="FORMFIELD" name="x_version" value="3.1">
<cfhttpparam type="FORMFIELD" name="x_type" value="Auth_Capture">
<cfhttpparam type="FORMFIELD" name="x_Description" value="#Replace(Form.x_Description,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Invoice_Num" value="#Replace(Form.x_Invoice_Num,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Amount" value="#Replace(Form.x_Amount,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_method" value="#Replace(Form.x_method,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_card_num" value="#Replace(Form.x_card_num,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_exp_date" value="#Replace(Form.x_exp_date,"#Delimiter#","","all")#">
<!--- <cfhttpparam type="FORMFIELD" name="x_bank_aba_code" value="#Replace(Form.x_bank_aba_code,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_bank_acct_num" value="#Replace(Form.x_bank_acct_num,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_bank_acct_type" value="#Replace(Form.x_bank_acct_type,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_bank_name" value="#Replace(Form.x_bank_name,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_bank_acct_name" value="#Replace(Form.x_bank_acct_name,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_echeck_type" value="Web"> --->
<cfhttpparam type="FORMFIELD" name="x_First_Name" value="#Replace(Form.x_First_Name,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Last_Name" value="#Replace(Form.x_Last_Name,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Address" value="#Replace(Form.x_Address,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_City" value="#Replace(Form.x_City,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_state" value="#Replace(Form.x_state,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_country" value="#Replace(Form.x_country,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Zip" value="#Replace(Form.x_Zip,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Phone" value="#Replace(Form.x_Phone,"#Delimiter#","","all")#">
<cfhttpparam type="FORMFIELD" name="x_Email" value="#Replace(Form.x_Email,"#Delimiter#","","all")#">

</cfhttp>

<cfoutput>
<CFSCRIPT>
/**
 * Fixes a list by replacing null entries.
 * This is a modified version of the ListFix UDF
 * written by Raymond Camden. It is significantly
 * faster when parsing larger strings with nulls.
 *
 * @Param list   The list to parse.
 * @Param delimiter   The delimiter to use. Defaults to a comma.
 * @Param null   Null string to insert. Defaults to "".
 * @return Returns a list.
 * @author Patrick McElhaney (pmcelhaney@amcity.com)
 * @version 2, February 14, 2002
 */
function ListFix(list) {
  var delim = ",";
  var null = "Null";
      
  if(arrayLen(arguments) gt 1) delim = arguments[2];
  if(arrayLen(arguments) gt 2) null = arguments[3];
 
  list = replace(list,"#delim##delim#", "#delim##null##delim#", "ALL");
  list = replace(list,"#delim##delim#", "#delim##null##delim#", "ALL");
 
  if (left(list, 1) eq delim) list = "#null##list#";
  if (right(list, 1) eq delim) list = "#list##null#";
  return list;
}
</CFSCRIPT>

<!--- Auth Net version 3.1 returns 68 fields. Any users fields will be added after that. Fields 40 to 68 are not used
by Auth net but are reserved for future use --->
<cfset TheList=ListFix(CFHTTP.FileContent)>
<cfset TheDelimiter=Delimiter>

<!--- Set a default --->
<cfset ProcessorResponse="UnknownError">
<!--- Convert Response Code --->
<!--- Approved --->
<cfif ListGetAt(TheList,1,TheDelimiter) is "1">
 <cfset ProcessorResponse="Approve">
 <!--- Disapproved --->  
<cfelseif ListGetAt(TheList,1,TheDelimiter) is "2">
   <cfset ProcessorResponse="Decline">
 <cfset DeclineReason=ListGetAt(TheList,4,TheDelimiter)>
   <!--- Error --->
<cfelseif ListGetAt(TheList,1,TheDelimiter) is "3">
    <cfset ProcessorResponse="Error">
 <cfset ErrorCode=ListGetAt(TheList,3,TheDelimiter)>
<cfelse>
 &nbsp;
  
</cfif>
</cfoutput>

<HTML>
<HEAD>
 <title> Secure Invoice</title>
</HEAD>

<body bgcolor="Green" background="bg2.jpg">

  <table width="1000" border="0" align="CENTER" valign="TOP">
<CFOUTPUT>
<!--- Processor Approved --->
<cfif ProcessorResponse is "Approve">
 <H3 ALIGN="CENTER">Thank you for placing your order online.
<br><br>
 
 </H3>
 <h4 align="center">To cancel or change your order you must contact us  </h4>


  <!--- Disapproved --->  
 <cfelseif ProcessorResponse is "Decline">
   <div align="center">The transaction was not approved.<br>
       Reason: #DeclineReason#<br>
 </div>
   <!--- Error --->
 <cfelseif ProcessorResponse is "Error">
    <div align="center">There was an error processing the transaction.(#ErrorCode#)</div>
<cfelse>
 &nbsp;
  Unknown Error
</cfif>     
</cfoutput>
 
 </td>
</tr>
</table>


</BODY>
</HTML>

<cfif ProcessorResponse IS "Approve">
 <cfinclude template="ProcessInvoice.cfm">
</cfif>


 

webspinners
Member

Using wireshark, we discovered our problem was that Authorize.net doesn't send a response back to us after we make a request. We didn't receive a gateway error, but an EOF error. This leads me to believe that TLS 1.0 is being blocked, since at the very least, we'd get a gateway error.

One of my developers has suggested that they are blocking/not supporting TLS1.0 anymore and that is why the connection is closed as if it was SSLv3.  AuthNet does say they plan to disable support for TLS1.0 at some future time. Perhaps they already did and we are really screwed and must upgrade to 2008 or 2012 WinServer to get TLS1.1 or 1.2 support. That would be bad and expensive to change over here.

For the interm we are looking into using SIM to eliminate SSL at all and also using a ASP or PHP file to act as the AIM connector between our CF and Authnet Secure servers. Frankenstein app...but if TLS1.0 is not supported that won't work for AIM on win2003 either!

We're planning on hijacking the call, sending it to a separate server, and sending it that way

The SSLLabs report on secure.authorize.net shows it does support TLS1.0 so it should be working with 2003 server if sslv3 and v2 are disabled on it.

@webspinners Correct, we have not disabled TLS 1.0 yet, and it's not clear when we will.

The comment about TLS 1.0 is forward-looking, and reflects the facts that TLS 1.3 is under development, and that security issues with TLS 1.0 are becoming better-known, so inevitably we'd need to disable TLS 1.0 for the same reasons we disabled SSL v2 and v3. It's not clear when that'd happen, however. While disabling SSLv3 is an option for nearly every solution, TLS 1.0 is the last, strongest security protocol for Windows Server 2003 and 2008, and for any minor version of OpenSSL prior to 1.0.1.


While the nature of POODLE required swift action, we're hoping for a much more gradual process for decommissioning TLS 1.0 when the time comes. In the meantime, I do encourage upgrading to Windows Server 2008 R2/OpenSSL 1.0.1 or greater.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.