03-11-2014 08:42 AM - edited 03-11-2014 08:43 AM
Just adding to the list, I'm also having Relay Response failures with a SHA-2 Cert created by GoDaddy. Seeing if I can downgrade it to SHA-1 for now...
03-14-2014 01:47 PM
Aha. I'm glad to have stumbled across this post.
We were hit by this recently when updating our expiring SSL certificate. The thing that is odd is that some of the charges/relay responses go through correctly, somewhere around 3-5%. That doesn't make any sense to me unless there is a round-robin-type server that has one correctly configured server, and other broken ones.
I'll check if I can get an SHA1 certificate issued, but I think at minimum you should put it in your FAQ that your servers don't work with current SSL certificates, and to recommend finding a provider that will issue the older style, if such places exist.
What is the ETA for applying the published hotfix for this problem?
03-14-2014 02:06 PM
My SSL provider no longer issues SHA1 certificates except for 1 year, 1 domain certificates, which isn't what I'm using.
Apparently, they also automatically publish revocation lists so my old certificate might not work for everyone, though it appears that it is okay.
Note that Microsoft says SHA1 certificates aren't secure, and people shouldn't be using them.
Please update your systems as soon as you can, as we'll have to use manual credit card entering/verification until you do.
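The posts above turn on whether a given certificate is signed with SHA-1 or SHA-2, which is the first thing worth checking before asking a CA to reissue. Below is an added example, not code from any poster in this thread or from Authorize.Net: a small Python script that reads just enough DER/ASN.1 from a certificate to reach its outer signatureAlgorithm field and names the algorithm. The certificate it parses is constructed inline (a structurally valid stand-in, not a real or valid certificate) so it runs offline; point `pem_to_der` at a real PEM file to check your own.

```python
"""Report which signature algorithm an X.509 certificate was signed with.

Added example, not from the thread or Authorize.Net. Pure stdlib: it parses
only the outer structure
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and maps the AlgorithmIdentifier OID to a name.
"""
import base64

# OIDs for the signature algorithms most relevant to the SHA-1 -> SHA-2 move.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Turn DER OID content bytes into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip PEM armour lines and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def der_to_pem(der):
    """Wrap DER bytes in PEM armour (one long base64 line is valid PEM)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()


def signature_algorithm(der):
    """Return (oid, name) for the certificate's outer signatureAlgorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)       # skip tbsCertificate
    tag, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(alg, 0)   # first element: OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("expected OID in AlgorithmIdentifier")
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def is_sha1_signed(der):
    """True when the certificate's signature algorithm uses SHA-1."""
    return "sha1" in signature_algorithm(der)[1].lower()


# --- constructed test fixture: a structurally valid stand-in, NOT a real cert ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def build_sample_cert(sig_oid):
    """Constructed fixture with a dummy tbsCertificate and signatureValue."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))   # OID + NULL params
    sig = _der(0x03, b"\x00" * 5)                               # dummy BIT STRING
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = build_sample_cert(oid)
        print(signature_algorithm(der), "SHA-1:", is_sha1_signed(der))
```

On a real certificate the same answer comes from `openssl x509 -in cert.pem -noout -text` under "Signature Algorithm"; the script above is useful where openssl is not available or where you want the check inside a deployment script before a renewed certificate goes live.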
03-14-2014 02:10 PM
Here is someone who has spent some time on the phone with authorize.net, which is where I was headed next, but it sounds like it didn't get anywhere.
If I turn off SSL on the relay response, are there security issues there? Hackers would have to be able to guess the correct transaction ids to be able to post information to that URL, and they are all one-time use ids, right? So, even if a hacker sniffed the connection, he couldn't do anything bad? Is that a reasonable solution?
03-17-2014 02:31 PM
Email customer support tells me that turning off SSL for the relay response request is a perfectly fine solution.
Developers are "actively working on a fix", so hopefully, they'll post here once they've applied the hotfix from microsoft.
03-20-2014 01:41 PM
I've confirmed that authorize.net reports a "script timed out" issue when there are SSL parsing problems. It would be nice if that error message could be changed - if you search on these forums for "script timed out" you will find self-signed certificate errors, namevirtualhost configuration issues, etc. It would save a lot of frustration and support time if the error "script timed out" only happened after a time out.
I noticed that the "script timed out" error happens immediately when there is an SSL certificate issue.
I've gotten zencart to not send an SSL URL in the x_relay_URL, but zencart uses a 302 response in their default relay_URL, which goes to an SSL encrypted page, so authorize.net still barfs on it.
One good way to prove that it is authorize.net's fault is by turning off the on-site credit card processing - the credit card is then charged by authorize.net, but the redirect back to the site fails instantly because it can't parse the SSL certificate.
I'm going to look into hacking zencart's code into not using SSL on the response, but I don't think there is going to be a secure way to do that, because if the credit card validation fails, we'll end up with a non-ssl page to type in the credit card number on, and I don't know if I can hack zencart into being smart enough to redirect correctly.
It would be really nice to have authorize update their servers (and it's sort of scary that they don't keep their microsoft servers up-to-date - surely there have been security issues in the last 9 months that weren't applied to these servers?).
03-20-2014 02:35 PM
A solution for the SHA2 certificate issue is currently moving through our rigorous QA process. I'll post an update when it releases to the sandbox and production.
03-20-2014 02:42 PM
Great - glad to get a response. Do you have any sort of guess about the timeline - like a couple days, a couple weeks, a couple months?
03-20-2014 03:12 PM - edited 03-20-2014 03:12 PM
... Coming Soon :smileyhappy:
It will not be months, but I don't have better information than that.