TLS update with Ruby on Rails + NGINX

Hey folks! Like many of you, I got the "TLS Disablement Notice" forwarded to me from a client. This was a legacy application that I recently took on. It has been quite an adventure getting the server up to date, but I think I am there.

 

I wanted to post here just as a sanity check. If anyone sees anything I might have missed I would very much appreciate you letting me know.

 

I touched nothing in the application code base, I only did updates on the server which is running Ubuntu 14.x along with NGINX + Passenger.

 

Here is the Ruby code/api call: https://gist.github.com/marklocklear/9ec25b2721f4356a2ab35e02207dfe28. Again, I made no changes to this as there does not seem to be any reference to security protocols or versions.

 

On the server, I have updated on server/systems packages (apt-get + apt-update). On the webserver I updated the nginx.conf with: https://gist.github.com/marklocklear/303f5621e6bd05b3eca42a31564a6f06. Note the ssl_protocols section that includes TLS 1.2. Do I even need the references to 1.0 and 1.1 here anymore?

 

I have successfully tested against the sandbox server in my dev environment (localhost) so I know the code base is good, but wanted to share my server side settings with you all in case I have missed something.

 

Any/all comments welcome, thanks for looking.

marklocklear
Member
Accepted Solutions

I have taken a look at the client request for the CreateTransaction one, and it looks good. For the server side, until the final notice from authorize.net, I would recommend having TLS 1.0 and 1.1 there on the server side.

bhav
Authorize.Net Expert

Awesome. Thanks for the quick response!

Related to Ruby on Rails and TLS...we're connected to auth.net via the ruby on rails gem authorizenet V1.9.3. Anyone know if the endpoints embedded in that gem are compatible with TLS 1.2?

 

Very concerned about this Disablement. We didn't go down on Jan 30th but not sure if we're in the clear (or screwed) for the Feb 8th test and beyond. Can anyone at authorize.net confirm if this ruby gem is adequate to continue processing once you make the switch over?

 

Thanks if anyone has any insight.

jlkive
Member

I have the same question, but I'm running Apache 2 with a legacy app -- my tests are passing when calling the sandbox from my development machine but the production machine failed the Feb 8 temporary disablement. Does that mean it is a server configuration problem or should I upgrade to the 1.9.3 gem? Or is it an underlying Ruby library and if so which one(s) should I check? Thanks for any help on this.
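
Added example, not part of any post in this thread and not Authorize.Net's or the gem's code: the web server's `ssl_protocols` setting only governs inbound connections, while the outbound gateway call negotiates TLS through the OpenSSL library that Ruby itself loaded, so that is the library to check on the production host. The function names are hypothetical, the version strings in the comments are constructed samples, and the gateway hostname is left for the caller to supply.

```ruby
require 'openssl'
require 'socket'

# TLS 1.2 first shipped in OpenSSL 1.0.1; every LibreSSL release includes it.
# Accepts strings such as "OpenSSL 1.0.1f 6 Jan 2014" (constructed sample).
def tls12_capable?(version_string)
  return true if version_string =~ /\ALibreSSL\b/
  m = version_string.match(/\AOpenSSL (\d+)\.(\d+)\.(\d+)/)
  return false unless m
  (m.captures.map(&:to_i) <=> [1, 0, 1]) >= 0
end

# Version of the OpenSSL library this Ruby process is actually using.
def linked_openssl_version
  if OpenSSL.const_defined?(:OPENSSL_LIBRARY_VERSION)
    OpenSSL::OPENSSL_LIBRARY_VERSION
  else
    OpenSSL::OPENSSL_VERSION # very old Rubies expose the build-time version only
  end
end

# Client context that refuses to negotiate anything below TLS 1.2.
def tls12_only_context
  ctx = OpenSSL::SSL::SSLContext.new
  if ctx.respond_to?(:min_version=)
    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  else
    ctx.ssl_version = :TLSv1_2 # legacy openssl bindings
  end
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  ctx
end

# Handshake with a host supplied by the caller; returns e.g. "TLSv1.2".
# Raises OpenSSL::SSL::SSLError if TLS 1.2 or the certificate check fails.
def negotiated_protocol(host, port = 443)
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, tls12_only_context)
  ssl.hostname = host   # SNI
  ssl.sync_close = true # closing ssl also closes tcp
  ssl.connect
  ssl.post_connection_check(host) # verify the certificate matches the host
  ssl.ssl_version
ensure
  ssl ? ssl.close : (tcp && tcp.close)
end

v = linked_openssl_version
puts "#{v}: TLS 1.2 #{tls12_capable?(v) ? 'available' : 'NOT available'} to this Ruby"
```

Run it with the same Ruby that Passenger or Apache uses for the app, then call `negotiated_protocol` with the gateway hostname from the gem's configuration to confirm a live TLS 1.2 handshake from that machine.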