cancel
Showing results for 
Search instead for 
Did you mean: 

TLS 1.2 test - PHP CURL error 1407742E when submitting request to sandbox

Hi,

 

I'm getting a PHP CURL error when submitting a test transaction to my sandbox account at https://test.authorize.net/gateway/transact.dll. The error is:

 

1407742E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert protocol version

 

Does this mean that the version of CURL on the server is not configured to work properly with TLS 1.2? From what I can tell from the PHP Info, the CURL version is 7.36.0 and SSL Version is OpenSSL/0.9.8. PHP version is 5.4.32.

 

Test code looks like below:

 

<?php

$url = 'https://test.authorize.net/gateway/transact.dll';

$ch = curl_init( $url );
curl_setopt( $ch, CURLOPT_POST, true);
curl_setopt( $ch, CURLOPT_POSTFIELDS, $vPostData);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt( $ch, CURLOPT_VERBOSE, true);
$response = curl_exec( $ch );
if ($response === false) {
echo "curl_exec failed<br />";
trigger_error(curl_error($ch));
} else {
echo "response: " . $response;
}
curl_close($ch);

?>

 

Thanks!

jsargent3840
Member
1 ACCEPTED SOLUTION

Accepted Solutions

OpenSSL 0.9.8 does not support TLS 1.2. Painting with a broad brush, TLS 1.2 first appeared in OpenSSL 1.0.1.

Powered by NexWebSites.com -
Certified Authorize.net developers

View solution in original post

NexusSoftware
Trusted Contributor
3 REPLIES 3

OpenSSL 0.9.8 does not support TLS 1.2. Painting with a broad brush, TLS 1.2 first appeared in OpenSSL 1.0.1.

Powered by NexWebSites.com -
Certified Authorize.net developers
NexusSoftware
Trusted Contributor

Thank you for the information. It would appear we have no PHP solutions that work on the server we are working with. Unfortunately the site is on a hosted server so we are unable to install updates. However, I did discover a sample ASP script that seems to work so we will go with that.

While it seems like you've found a solution, think seriously about whether you want to continue giving business to a hosting provider who thinks so little of security that they'd force you into a set of software that old. There's been many security holes found in just PHP alone since then.

 

There's no way a solution built on top of that provider's PHP installation is going to be PCI compliant, and I'd suspect the same is true about anything using ASP on that provider as well.