Authorize.net Security - POODLE

Posted: Wed Oct 29, 2014 3:19 am
by siptec
Does Authorize.net's recent announcement affect OpenCart transactions? I have one project on 1.5.1.3 using Authorize.Net (AIM) payment gateway.

Authorize.net POODLE FAQ

Re: Authorize.net Security - POODLE

Posted: Wed Oct 29, 2014 5:36 am
by henkster
A quick fix (rather than disabling SSLv3 on your server) is to force curl to use TLS instead.

In theory you can just pop this line in under the rest of the curl options (around line 104) in /catalog/controller/payment/authorize_aim.php

Code:

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

I've not tested this in Authorize.net's sandbox yet, just waiting until later when the site goes quieter.

Re: Authorize.net Security - POODLE

Posted: Wed Oct 29, 2014 9:27 pm
by sparkybarkalot
Any testing results yet?

Re: Authorize.net Security - POODLE

Posted: Wed Oct 29, 2014 9:48 pm
by travist6983
I was curious about this fix as well but I don't think it is working, unless I placed this line incorrectly... Here is what I did:

Code:

		curl_setopt($curl, CURLOPT_PORT, 443);
		curl_setopt($curl, CURLOPT_HEADER, 0);
		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($curl, CURLOPT_FORBID_REUSE, 1);
		curl_setopt($curl, CURLOPT_FRESH_CONNECT, 1);
		curl_setopt($curl, CURLOPT_POST, 1);
		curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
		curl_setopt($curl, CURLOPT_TIMEOUT, 10);
		curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data, '', '&'));
		curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

I tried to place an order and it failed, and then I removed the added line and it went through.

Re: Authorize.net Security - POODLE

Posted: Wed Oct 29, 2014 11:28 pm
by sparkybarkalot
The change suggested here, and which you made, is what authorize.net recommends:

http://community.developer.authorize.ne ... ba-p/48163

I haven't tested this myself, but I'll give it a whirl myself to see what happens and report back.

Re: Authorize.net Security - POODLE

Posted: Thu Oct 30, 2014 12:52 am
by bmekwa
We also have a couple of clients who use Authorize.net AIM in OpenCart. Please post here how you guys fixed this issue, so we can also implement it.

Re: Authorize.net Security - POODLE

Posted: Thu Oct 30, 2014 12:15 pm
by henkster
I haven't had the chance to test yet, but the code I posted is for a server where the version of curl is <v7.34.0.

If your hosting uses v7.34.0 or later then this may work instead:

Code:

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

You can check the version of curl using the phpinfo() function.
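
Added example, not part of henkster's post or of OpenCart: one way to pick the CURLOPT_SSLVERSION value from the libcurl version at runtime, following the 7.34.0 split described above, and to report why a request failed. The helper names and the gateway.example.invalid URL are assumptions; the numeric fallbacks 1 and 6 are libcurl's own values for the two constants, used when the PHP build does not define the names.

```php
<?php
// Added example; helper names are hypothetical and not part of OpenCart.

// Use the named constant if this PHP build defines it, else libcurl's numeric value.
function tls_const($name, $fallback)
{
    return defined($name) ? constant($name) : $fallback;
}

// Choose the CURLOPT_SSLVERSION value for a given libcurl version string.
function pick_tls_version($curlVersion)
{
    // The TLSv1_2 selector exists only in libcurl 7.34.0 and later.
    if (version_compare($curlVersion, '7.34.0', '>=')) {
        return tls_const('CURL_SSLVERSION_TLSv1_2', 6);
    }
    return tls_const('CURL_SSLVERSION_TLSv1', 1); // any TLS 1.x, never SSLv3
}

// Apply the choice to the gateway handle and return what was set.
function apply_tls_floor($curl)
{
    $info = curl_version();
    $choice = pick_tls_version($info['version']);
    if (!curl_setopt($curl, CURLOPT_SSLVERSION, $choice)) {
        throw new RuntimeException('libcurl ' . $info['version']
            . ' rejected CURLOPT_SSLVERSION=' . $choice);
    }
    return array(
        'curl'       => $info['version'],
        'ssl_lib'    => $info['ssl_version'],
        'sslversion' => $choice,
    );
}

// Call when curl_exec() returns false, so a failed order has a logged reason.
function describe_failure($curl)
{
    return sprintf('curl error %d: %s', curl_errno($curl), curl_error($curl));
}

// Constructed version strings, to show the branch taken on each side of 7.34.0.
foreach (array('7.19.7', '7.33.0', '7.34.0', '7.38.0') as $v) {
    printf("libcurl %-7s -> CURLOPT_SSLVERSION %d\n", $v, pick_tls_version($v));
}

// No network traffic: this only configures a handle on the local machine.
$curl = curl_init('https://gateway.example.invalid/');
print_r(apply_tls_floor($curl));
curl_close($curl);
```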

Re: Authorize.net Security - POODLE

Posted: Fri Oct 31, 2014 1:59 am
by travist6983
I am not sure why it isn't working for me here, but when I try the code for below 7.34.0 it doesn't work for me at all. I am using OpenCart Version 1.5.4.

Do I need to remove anything from around 104 to make it work?

Thanks,
T

Re: Authorize.net Security - POODLE

Posted: Sun Nov 02, 2014 9:50 pm
by bmekwa
Hey guys,

I couldn't test this yet since all our client sites are live sites. We have a dedicated server with all shopping carts installed with an SSL certificate. Some shopping carts we installed and have live are a bit older Authorize.net versions. I could not understand the insights of this issue.

In which situations will the Authorize.net AIM module initiate the connection with the Authorize.net API using SSLv3? Say we disable the POODLE attack server-wide. Can this issue still happen, and should we add code to the Authorize.net module?

I think guys who have detailed knowledge of how the Authorize.net module initiates the API connection will answer the question of in which situations we have to add a fix to the built-in module.

Thank you.

Re: Authorize.net Security - POODLE

Posted: Mon Nov 03, 2014 10:36 pm
by siptec
Added the

Code:

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

to the authorize_aim.php.

Transaction still works. Need to wait for 11/5 to see if this is actually working.

Did disable SSLv3 on the hosting server. Only time will tell.

Re: Authorize.net Security - POODLE

Posted: Tue Nov 11, 2014 11:49 pm
by websiteworld
You can check how your SSL certificate is signed here as well. I know the domain is odd but it's legit.

https://shaaaaaaaaaaaaa.com/