
TLS 1.2 Issue - in Classic ASP environment

I manage a few sites that still use Classic ASP.

The method of connection is via a MSXML2 component pointing to https://secure.authorize.net/gateway/transact.dll

Is there a simple change I can make in this code somewhere (see below), to test via the sandbox, and see if the server is TLS 1.2 compliant?

 

Thanks!

 

[code]

set objHttp = server.Createobject("MSXML2.ServerXMLHTTP")
if err.number <> 0 then
    Response.write(err.Description)
    response.End()
end if
'on error goto 0

objHttp.open "POST", strPost, false
objHttp.Send strRequest

'Get response
objHttpStatus = objHttp.status
strResponse   = objHttp.responseText
set objHttp      = nothing

[/code]

snooper
Member
71 REPLIES

 

 Hi everyone,

I have been following this thread since 3/1/18 when payments on an asp.classic website I created for my client over 11 years ago stopped working.  I have been trying to resolve the issue since then.  I do not manage the server so I am working with the server manager.

 

Due to power issues on the east coast of the US, we got delayed with the fix.  We fortunately have a manual workaround to continue billing but it is cumbersome and we really need to resolve this issue.

 

The backend database is SQL Server 2012 Express on Windows Server 2012.

 

Based on the helpful comments in this thread, the server manager followed steps to enable TLS 1.2 and explained what she did as follows:

-------------------------------------

We ran the link you emailed us for TLS 1.2 (see below).  All ran OK.  We then checked the 2 registry settings that were added per your article to note.

 

Details.

Your link  “Here’s a link from Microsoft about server changes to enable TLS 1.2:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-s...

 

 

Per article, downloaded and checked registry setting as outlined in the article.

“Easy fix

To add the DefaultSecureProtocols registry subkey automatically, click the Download button. In the File Download dialog box, click Run or Open, and then follow the steps in the easy fix wizard.

Notes

  • This wizard may be in English only. However, the automatic fix also works for other language versions of Windows.
  • If you are not on the computer that has the problem, save the easy fix solution to a flash drive or a CD and then run it on the computer that has the problem.

Download


Note In addition to the DefaultSecureProtocols registry subkey, the Easy fix also adds the SecureProtocols at the following location to help enable TLS 1.1 and 1.2 for Internet Explorer.

The SecureProtocols registry entry that has value 0xA80 for enabling TLS 1.1 and 1.2 will be added in the following paths:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings”

------------------------------------------

Unfortunately, after the above changes were made on the server, my tests indicate the problem is still not resolved.  All the tests explained in this thread still show TLS "Bad" and that TLS 1.0 is used, not 1.2.    When I evaluate the security on the website on the link provided, I now see TLS 1.2 is enabled but TLS 1.0 and 1.1 are still enabled. 

 

Should TLS 1.0 and 1.1 be disabled?  If so, how can that be accomplished?

 

Here is the simple code I use to connect to authorize.net.  I changed identifying codes to xxxx.

-------------

function process_card()
Dim x_version, x_delim_data, x_relay_response
Dim x_amount, x_card_num, x_exp_date, x_type
Dim x_first_name, x_last_name, x_company, x_address
Dim x_city, x_state, x_zip, x_phone, x_fax, x_card_code, x_email, x_email_customer

x_version = "3.1"
x_delim_data = "TRUE"
x_delim_char = "|"
x_relay_response = "False"
Const x_login = "xxxx"
Const x_tran_key = "xxxx"
x_exp_date = ""  ' MMYYYY
x_type = "AUTH_CAPTURE"
x_email_customer = "FALSE"
x_description = "XX Monthly Charge"
x_amount = total_charge

if x_amount = 0 then
  return_code = "Amount is zero in process_card"
  process_card = false
  exit function
end if

x_email = email_address
x_card_num = sr_decode(unescape(ccnum))
x_first_name = unescape(fname)
x_last_name = unescape(lname)
x_company = unescape(company_name)
x_address = unescape(address1and2)
x_city = unescape(city)
x_state = unescape(state)
x_zip = zip
x_phone = client_phone
x_fax = fax
x_card_code = ""  'not using cvc
x_invoice_num = mytollfreenumber & "_" & today_string_for_invoice
x_cust_id = client_id
x_country = "US"
x_ship_to_country = "US"   '' not using these now

credit_card_cvc_num      = ""
credit_card_expire_month = ccmonexp
credit_card_expire_year  = ccyearexp
if Len(credit_card_expire_month) = 1 then
  credit_card_expire_month = "0" & credit_card_expire_month
end if
x_exp_date = credit_card_expire_month & credit_card_expire_year

dim vPostData
vPostData = "x_login=" & x_login & "&x_tran_key=" & x_tran_key & "&x_version=" & x_version &_
"&x_delim_data=" & x_delim_data & "&x_delim_char=" & x_delim_char & "&x_relay_response=" & x_relay_response &_
"&x_type=" & x_type & "&x_card_num=" & x_card_num & "&x_exp_date=" & x_exp_date & "&x_card_code=" & x_card_code &_
"&x_amount=" & x_amount & "&x_first_name=" & x_first_name & "&x_last_name=" & x_last_name &_
"&x_company=" & x_company &"&x_address=" & x_address & "&x_city=" & x_city & "&x_state=" &_
x_state &"&x_zip=" & x_zip & "&x_email_customer=" & x_email_customer & "&x_email=" & x_email &_
"&x_phone=" & x_phone & "&x_fax=" & x_fax & "&x_description=" & x_description &_
"&x_recurring_billing=" & "NO" &_
"&x_ship_to_first_name=" & x_first_name & "&x_ship_to_last_name=" & x_last_name &_
"&x_ship_to_company=" & x_company & "&x_ship_to_address=" & x_address &_
"&x_ship_to_city=" & x_city & "&x_ship_to_state=" & x_state & "&x_ship_to_zip=" & x_zip &_
"&x_invoice_num=" & x_invoice_num & "&x_cust_id=" & x_cust_id

  Dim xml
  Dim strStatus
  Dim strRetval
  Set xml = Createobject("MSXML2.ServerXMLHTTP")
  xml.open "POST", "https://secure.authorize.net/gateway/transact.dll", false
  xml.send vPostData
  strStatus = xml.Status
  strRetval = xml.responseText
  Set xml = nothing

  Dim strArrayVal
  strArrayVal = split(strRetVal, "|", -1)
  arrData = strArrayVal

if arrData(0) = 1 then
  return_code = arrData(3)
  process_card = true
  fxn_cc_tran_id = arrData(6)
else
  return_code = arrData(3)
  process_card = false
end if

end function

-------------

 

I would appreciate any help.  This has been a very frustrating situation.

 

Thanks,
Alexis

 

 

alexisb2000
Contributor

Have your host validate that both of these keys are created with the value of 0x00000800:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols
 
Value: 0x00000800
 

On x64-based computers, DefaultSecureProtocols must also be added to the Wow6432Node path:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols
 
Value: 0x00000800
 
 
After the above keys are validated and the server has been rebooted, save and run this script:
 
<%
Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText & "<br>"
Set objHttp = Nothing
%>
 
You should get a response that has  "tls_version":"TLS 1.2","rating":"Probably Okay"} 
 
For now I would leave TLS 1.0 and 1.1 enabled until you get past the current problem.  Having them enabled just allows your webserver to use them.  If your server is set up properly it will default to TLS 1.2 and will successfully connect to Authorize.net and complete a transaction.

- you go into detail about doing the Easy Fix, but what exactly did the Host do to actually enable TLS 1.2?  The Easy Fix (modifying those 2 registry keys) only tells your server what level to default to.  But my host had to first enable 1.2 (and because Authorize.net told me to do so, disable TLS 1.0 and 1.1).  They used IISCrypto.exe to do that, but they did it--not me.  So I don't know the full details.  I know that if I Remote Desktop in to the server (ours is a VPS server), I can see that they installed IISCrypto and have a shortcut to it on the desktop.  If I run it, I can see all the different Protocols available, and only TLS 1.2 is checked--all others are unchecked.

 

I also was able to verify that they did it right by going to either of these two websites and entering the domain name of my website:  http://ssl-checker.online-domain-tools.com/ or https://www.ssllabs.com/ssltest/.  In both cases, the resulting report shows that TLS 1.2 is supported, and TLS 1.1, TLS 1.0, SSL 3 and SSL 2 are all not supported, which is what I wanted.

 

So use one of those (I think the second link gives a report that's a little easier to read) to make sure your server is indeed supporting 1.2.

 

Also, I will say that while your code and mine are almost identical, down to us choosing the same variable names, my code uses this line:

   Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")

instead of what you had (without the .6.0).  But I have a feeling both would work, but once you know your TLS level is correct, if things still don't work, you might try swapping out that line.

 

I sure hope you get back up and running (or already have).

 

Tom
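
The two replies above separate what WinHTTP offers by default (DefaultSecureProtocols) from which protocols SChannel has enabled (what IISCrypto changes). As an added example, not code from any poster in this thread, the PowerShell below decodes the bitmask values quoted in the thread and prints both sets of registry settings; the SCHANNEL\Protocols path and the Enabled / DisabledByDefault value names are the standard Windows settings and are assumptions in the sense that the thread does not spell them out.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the web server.
# Bit flags used by DefaultSecureProtocols / SecureProtocols.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function ConvertFrom-SecureProtocols([int]$Value) {
    # Return the names of the protocols whose bit is set in $Value.
    $names = foreach ($p in $ProtocolBits.GetEnumerator()) {
        if ($Value -band $p.Value) { $p.Key }
    }
    if ($names) { $names -join ', ' } else { '(none)' }
}

# The three values quoted in this thread.
foreach ($v in 0xA80, 0xA00, 0x800) {
    '0x{0:X3} -> {1}' -f $v, (ConvertFrom-SecureProtocols $v)
}

# 1. Default protocols for WinHTTP, which MSXML2.ServerXMLHTTP is built on.
#    A 32-bit application pool reads the Wow6432Node copy.
$winHttpKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
)
foreach ($key in $winHttpKeys) {
    $item = Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        "$key : DefaultSecureProtocols not set"
    } else {
        $dsp = $item.DefaultSecureProtocols
        '{0} : 0x{1:X} -> {2}' -f $key, $dsp, (ConvertFrom-SecureProtocols $dsp)
    }
}

# 2. Protocols enabled or disabled in SChannel itself (the setting IISCrypto edits).
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') {
        $p = Get-ItemProperty -Path "$schannel\$proto\$role" -ErrorAction SilentlyContinue
        $state = if ($null -eq $p) { 'key absent (OS default applies)' } else {
            "Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)" }
        '{0,-8} {1,-6} {2}' -f $proto, $role, $state
    }
}
```

The Client rows govern outbound calls such as the one to Authorize.net; the Server rows govern what visitors' browsers and the SSL test sites see.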

 

Thank you so much for your replies.  I didn't realize until just now that you had responded.  I assumed I would receive an email notice from the forum but I did not (I even checked spam) but I should have kept checking the forum.  I apologize for not taking advantage of your advice sooner.  We are still struggling with manual billing and boy is it a struggle!


I will talk to the server administrator asap with your comments and suggestions.


Thanks,

Alexis

Hi Tom,

I also wanted to reply to your point about the "set xml" line.  After initially reading this thread, I had already tried adding the 6.0 but it didn't work.  I just tested again after the server people made their changes, and I am still getting the same error message. (Again, I changed our identifying data to xxxx below.)

 

<%
'test_tls_030418.asp  3/4/18
'Const x_login = "xxxx"
'Const x_tran_key = "xxxx"

Dim xml, strStatus, strRetval
On Error Goto 0
Set xml = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
xml.open "POST", "https://secure.authorize.net/gateway/transact.dll?x_login=xxxx&x_tran_key=xxxx&x_delim_data=true&x_d...", false
xml.send ""
strStatus = xml.Status
strRetval = xml.responseText
Response.Write "here="
Response.Write xml.responseText
Response.End
%>

 

Error message I get when running this code:

msxml6.dll error '80072f7d'
An error occurred in the secure channel support
/test_tls_030418.asp, line 11

 

Thanks again,

Alexis

Our server manager made the changes based on your posts as follows:

--------------------------------------

Once we updated to TLS 1.2 , the HKEY values were automatically set to xa00 which means that the server can function via TLS version 1.1 and 1.2.

The scan of the server shows that it is enabled for all tls versions.
Based on my understanding of your previous requirement for tls 1.2 what we have should be fine.

However since you are having problems with authorize.net, we have changed the registry setting to x800 (tls 1.2 only).  I have rebooted the server so please retry.

------------------------------------------

 

After they were done, I tested the following code on our server:

<%
'test_tls_031518B.asp  3/15/18

Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
objHttp.open "GET", "https://howsmyssl.com/a/check", False
objHttp.Send
Response.Write objHttp.responseText & "<br>"
Set objHttp = Nothing
%>

 

But I still get the same "bad" error as before.

{"given_cipher_suites":["TLS_RSA_WITH_AES_128_CBC_SHA","TLS_RSA_WITH_AES_256_CBC_SHA","TLS_RSA_WITH_RC4_128_SHA","TLS_RSA_WITH_3DES_EDE_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA","TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_AES_128_CBC_SHA","TLS_DHE_DSS_WITH_AES_256_CBC_SHA","TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA","TLS_RSA_WITH_RC4_128_MD5"],"ephemeral_keys_supported":true,"session_ticket_supported":true,"tls_compression_supported":false,"unknown_cipher_suite_supported":false,"beast_vuln":false,"able_to_detect_n_minus_one_splitting":true,"insecure_cipher_suites":{"TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA":["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],"TLS_RSA_WITH_3DES_EDE_CBC_SHA":["uses 3DES which is vulnerable to the Sweet32 attack but was not configured as a fallback in the ciphersuite order"],"TLS_RSA_WITH_RC4_128_MD5":["uses RC4 which has insecure biases in its output"],"TLS_RSA_WITH_RC4_128_SHA":["uses RC4 which has insecure biases in its output"]},"tls_version":"TLS 1.0","rating":"Bad"}

 

I am not familiar with servers so I am just relaying your suggestions to the server people to make the changes and then relaying their responses back. I'm not sure what else to do.  I really want to get this working as our payment processing has been down since 3/1.

 

Thanks in advance for any help you can offer.

 

Alexis

Hi.  I was hoping to get some more help.  I know you are all busy but we are still trying to get our website's connection to authorize.net working.

 

Currently the server people have installed iiscrypto.exe and finally we were able to see the correct SSL settings on the SSL check; "No" to everything except for TLS 1.2. 

 

Unfortunately, though, this change broke the website.  The server people re-enabled SSL 3.0 and the website worked again, however, we still can't connect to authorize.net with SSL 3.0 enabled and showing "Yes" on the SSL settings test.  So now the SSL settings test shows "No" to everything except TLS 1.2 and SSL 3.0.  We need to find a way to disable SSL 3.0 without breaking the website.

 

We also had a problem with RDP once the old TLS and SSL 3.0 were disabled but that issue is resolved and I can use RDP again to connect to the server.

 

We are so close.  The server people opened a case with Microsoft, who determined that, without SSL 3.0, my connection string in classic asp is not working to SQL Server 2012 Express.  I do not know why!

Here's a sample of how I connect, which was determined by Microsoft's testing as the problem:

Set conn = Server.CreateObject("ADODB.Connection")

 

I found this link (below) about how this happened to other people and how they resolved it but these options are all severe.  I use this connection string throughout my code.

 

http://www.mytecbits.com/microsoft/sql-server/disabling-tls1-ssl3-affects-sql-server

 

Did any of you have this problem with your connection string after disabling SSL 3.0?

 

Thanks,
Alexis

 

Make sure you are using this for the Provider in the conn.open string

 

conn.Open "Provider=SQLNCLI11;

and add:

DataTypeCompatibility=80;

Should look something like this:

Set conn = Server.CreateObject("ADODB.Connection")
' Open is a method, so the connection string is passed as its argument
conn.Open "Provider=SQLNCLI11;Server=YourServerName;User ID=Username;Password=password;Database=databasename;DataTypeCompatibility=80;"

 

Set your connection string like above and test it.  If it works, then disable SSL 3.0, TLS 1.0 and TLS 1.1 and test again.  If it still does not work then you do not have the correct SQL driver on the database server.

 

For the life of me I can't understand why MS would not have told you this.

Thank you.  It's been a long few weeks trying to get this working while manually billing all the clients.

 

The server people told me tonight that they would have Microsoft contact me about this issue but I didn't hear from MS tonight and I don't want to keep dragging this out.  I just want to get it working.

 

I am going to test this now based on your input.

 

Thanks,

Alexis

Update: I changed all the connection strings as recommended and tested.  The website worked fine.  We disabled SSL 3.0 and, unfortunately, we got the same connection errors.  Line 90 is when a function in an include file is called to open the connection.

 

Microsoft SQL Server Native Client 11.0 error '80004005'

Encryption not supported on the client.

/index.asp, line 90

 

We had to enable SSL 3.0 again.

 

We have a case opened with MS at this point and I am preparing an email with info on everything.  I just need to get the SQL Server driver info from the server people and then I can send the info to MS.  The server people do not want to change the SQL Server driver or anything else unless MS says to do it.

 

I will keep you posted.  Thanks again for all your help.

Alexis