Member
Posts: 3
Registered: ‎08-30-2017

TLS 1.2 migration is failing in test server

Hi,

I've updated one of my test servers (CentOS 6.5) to use only TLS 1.2. The update process went well, but it is not connecting to your sandbox server. I don't get any kind of error message. I can run the same code on my local machine fine (Apache/2.4.18 (Unix) OpenSSL/1.0.2g PHP/5.5.34 mod_perl/2.0.8-dev Perl/v5.16.3).

I've attached a screenshot from the TLS checker tool from Symantec and everything looks good. Do you see anything wrong?

I'm using this endpoint:

https://apitest.authorize.net/xml/v1/request.api

All Star
Posts: 699
Registered: ‎11-03-2016

Re: TLS 1.2 migration is failing in test server

Hi @ciroalvarez1,

 

From the screenshot you've posted, it looks like you're having something analyze what your web server supports for connections made to it. That's probably not at issue here. Since our web server only supports connections made via TLS 1.2, it's the client code that's running on your server (the code that makes the actual connection to us) that has to support TLS 1.2 connections.

 

What version of OpenSSL, PHP, and curl are installed on that test server?

Member
Posts: 3
Registered: ‎08-30-2017

Re: TLS 1.2 migration is failing in test server

Hi Aaron, thanks for your answer. Here are some details of my server:

CentOS 6.5

 

OpenSSL:

OpenSSL 1.0.1e-fips

 

PHP:

5.3.3 (cli)

 

curl:

curl 7.19.7 (x86_64-unknown-linux-gnu) libcurl/7.19.7 NSS/3.12.7.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2

 

 

Thanks.

All Star
Posts: 699
Registered: ‎11-03-2016

Re: TLS 1.2 migration is failing in test server

Ah, I see. I'd advise updating to newer versions, because those are all old and there are security holes in all of them. However, since this is CentOS, and they backport security fixes to the old versions they distribute, you should be fine there.

 

So, the only remaining question is if these versions support TLS 1.2. It appears that they do, but there's a problem with curl 7.19.7 where even though it supports TLS 1.2, you have to explicitly request a TLS 1.2 connection or it won't make one. See here and here.

 

In whichever part of your code makes the actual curl requests, add a line like this:

curl_setopt ($ch, CURLOPT_SSLVERSION, 6);

That forces TLS 1.2 specifically, so that should be all you need.
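
An added example, not code from either poster or from Authorize.Net: a PHP 5.3-compatible check that forces TLS 1.2 as described above and reports curl's own error when the request fails, which covers the "no error message" symptom from the first post. The function name `check_tls12` and the report keys are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. PHP 5.3-compatible syntax.

// Older PHP builds lack the named constant; 6 is the value used in the post above.
if (!defined('CURL_SSLVERSION_TLSv1_2')) {
    define('CURL_SSLVERSION_TLSv1_2', 6);
}

/**
 * Attempt one HTTPS request with TLS 1.2 forced and return what happened,
 * so a failed handshake is reported instead of silently returning false.
 * (check_tls12 is a hypothetical helper name.)
 */
function check_tls12($url)
{
    $v = curl_version();
    $report = array(
        'libcurl'     => $v['version'],      // e.g. 7.19.7
        'tls_backend' => $v['ssl_version'],  // e.g. NSS/3.12.7.0
        'ok'          => false,
    );

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Keep certificate and hostname verification on while debugging.
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 20);

    $body = curl_exec($ch);
    if ($body === false) {
        // curl_exec() returns false without raising an error; ask curl why.
        $report['errno'] = curl_errno($ch);
        $report['error'] = curl_error($ch);
    } else {
        // The TLS handshake and HTTP exchange completed.
        $report['ok'] = true;
        $report['http_code'] = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    }
    curl_close($ch);
    return $report;
}

// Sandbox endpoint quoted earlier in the thread.
print_r(check_tls12('https://apitest.authorize.net/xml/v1/request.api'));
```

Run it from the command line on the affected server; the `tls_backend` field shows which TLS library libcurl was built against, which is what decides whether the client side can negotiate TLS 1.2.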