SSL Timeout Connecting to Sandbox

The CIM API is timing out for us.  Is anyone else having this issue or is it just us?

gmarlett
Contributor
74 REPLIES 74

@bbot: I believe there is a directive in httpd.conf, SSLProtocol, where you can force this. As our servers currently support SSL v3 and TLS 1.0, you'd use "SSLProtocol +SSLv3 +TLSv1". The directive is better documented at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslprotocol so you may want to reference against that. Also, you may want to check your code base in case there is a call to the SSLProtocol directive that supersedes what is in httpd.conf.

@gmarlett: The original plan was to make the same changes in our new Production environment which isn't yet taking API traffic. I'm keeping our management and development teams informed so we can determine the best way to phase this in with minimal impact. Good to hear that upgrading to OpenSSL 1.0.1g fixed the issue in Sandbox.

@lethjakman: I suspect you have a persistent connection to the Transact servers in Sandbox, so you wouldn't see the change until you reconnected.

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

@lethjakman: Which SSL protocols are enabled in httpd.conf currently?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

Adding:

        curl_setopt($curl_request, CURLOPT_SSLVERSION, 3);

to line 93 of AuthorizeNetRequest.php in the PHP API fixed the problem.  Thank you for your help.

I quickly tested our production server with the sandbox (it's not really in production yet).  It is using openssl-1.0.1e-16.el6_5.7.x86_64.  It did not have the problem.

@gmarlett: Which protocols are configured on that 1.0.1e setup?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

I tried changing httpd.conf to force SSLv3 and TLS 1 but it didn't work.

This is in the ssl.conf file (I want to reiterate that this *is* working with the Sandbox)

# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
# enable only secure ciphers:
SSLCipherSuite HIGH:MEDIUM:!ADH
# Use this instead if you want to allow cipher upgrades via SGC facility.
# In this case you also have to use something like
# SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# see http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html.en#upgradeenc
#SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
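
Added example (not part of the original thread, and not Authorize.Net or Apache code): a small Python resolver that answers "which protocols are enabled?" for an SSLProtocol line such as the one in the ssl.conf post above, applying the tokens left to right as mod_ssl does. The function names are hypothetical, the expansion of "all" is an assumption that depends on the Apache/OpenSSL build, and VirtualHost scoping is ignored.

```python
import re

# Protocol names mod_ssl of that era accepts, oldest first.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

# Constructed sample: the two relevant lines from the ssl.conf quoted in the thread.
SAMPLE_CONF = """\
# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2
"""

def resolve_sslprotocol(args, all_protocols=KNOWN):
    """Resolve the arguments of one SSLProtocol directive to an ordered list.

    Tokens apply left to right: +X adds, -X removes, a bare X replaces the set.
    Assumption: all_protocols is what "all" means on the build being checked.
    """
    canon = {p.lower(): p for p in KNOWN}
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = (token[1:] if action else token).lower()
        if name == "all":
            chosen = set(all_protocols)
        elif name in canon:
            chosen = {canon[name]}
        else:
            raise ValueError("unknown protocol token: %r" % token)
        if action == "+":
            enabled |= chosen
        elif action == "-":
            enabled -= chosen
        else:
            enabled = chosen
    return [p for p in KNOWN if p in enabled]

def effective_protocols(conf_text, all_protocols=KNOWN):
    """Resolve the last uncommented SSLProtocol line in conf_text, or None.

    Simplification: treats the text as a single scope (no VirtualHost handling).
    """
    result = None
    for line in conf_text.splitlines():
        match = re.match(r"\s*SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if match:
            result = resolve_sslprotocol(match.group(1), all_protocols)
    return result
```

Passing a shorter all_protocols tuple models an older OpenSSL build, which is why the same "all -SSLv2" line can resolve differently on two hosts.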

@peter: Which version of OpenSSL are you using? And which ciphers are enabled?

--
"Move fast and break things," out. "Move carefully and fix what you break," in.

I'm currently using nginx with rails. I don't believe I have an httpd.conf. No? Weird thing is...they'd all be running exactly the same one if there were one. I'm just using Phusion Passenger with "passenger start"

Server Type: Apache/2.2.27 (Unix) mod_ssl/2.2.27 OpenSSL/1.0.1e-fips mod_bwlimited/1.4

ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP:!kEDH