Hello, I recently received an email from Authorize.net saying:

During the week of March 16 - 20, 2009, Authorize.Net will be deprecating all legacy support for the SSL 2.0 protocol. Changes have recently been made to the Payment Card Industry Data Security Standard (PCI DSS) which have made the use of SSL 2.0 a PCI DSS violation.

So the question is: how do I make sure that my ColdFusion apps, which use cfhttp to communicate with the auth.net service, won't break in March?

I'm trying to find out which versions of SSL are supported but cannot find such info.

Any suggestions?

EDIT

Found discussions: one & two. It seems that the only reliable way is upgrading to CF8.

So, another question now: how do I test my code with the new auth.net protocol? Are there any ways to switch the dev env before going live?

Also, I've sent an email to the dev support of auth.net with these questions. If they provide me with a solution, I will post it here.

+1  A: 

Here is a nice article on www.talkingtree.com regarding the matter:

ColdFusion Protocol Tags CFHTTP, CFINVOKE, CFLDAP support SSLv2

It looks like CF8 is the first version to support SSLv3.

You can also get your hands really dirty and make SSLv3 requests directly, using Java. This would of course require changing working code to emulate functionality that would come naturally with CF8. But if upgrading is not an option for you, maybe this is a viable alternative.

I can't say much about how to test your code against Authorize.net, I'm afraid.

Tomalak
Thanks for the help. The question was about testing my code with the new auth.net protocol before going live. I've updated the post text.
Sergii
OIC. Updated my answer as well.
Tomalak
A: 

Okay, finally The Gods Have Spoken -- Auth.net Developer replied:

We would recommend that each user verify their server SSL encryption protocol settings. If you are unsure where to find them a Google search of the server type along with SSL 3.0 should provide helpful information in this regard. Additionally, the server support resources should provide this information.

This change has been released to the test environment. You may use the following shared test account for testing purposes if you wish:

Login ID: xxxxxxxx

Password: xxxxxxxxx

Login URL: https://test.authorize.net

API Login ID: xxxxxxxx

Transaction Key: xxxxxxxxx

Post to URL: https://test.authorize.net/gateway/transact.dll

Note: this is a new test account, but I think that all test accounts are changed now; I will try to test.

At least now I am able to test my transactions in the sandbox before the changes go live, which is what I wanted.

Sergii
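For the question of which protocol versions the runtime supports, and for checking a handshake against the test host mentioned in the reply above, here is an added example (not code from the thread or from Authorize.net). It assumes a Java 6 or later JVM, the same one ColdFusion runs on; the class name `ProtocolCheck` and the optional host argument are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Added example (hypothetical class name): list the SSL/TLS protocol versions
// of the JVM and optionally handshake with a host without SSL 2.0 entries.
public class ProtocolCheck {

    // Drop SSL 2.0 style entries ("SSLv2", "SSLv2Hello"); what is left is
    // what the client can still offer once the server refuses SSL 2.0.
    static List<String> withoutSsl2(String[] protocols) {
        List<String> kept = new ArrayList<String>();
        for (String p : protocols) {
            if (!p.startsWith("SSLv2")) {
                kept.add(p);
            }
        }
        return kept;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        String[] supported = ctx.getSupportedSSLParameters().getProtocols();
        String[] enabled = ctx.getDefaultSSLParameters().getProtocols();

        System.out.println("Supported by JVM:   " + Arrays.toString(supported));
        System.out.println("Enabled by default: " + Arrays.toString(enabled));

        List<String> usable = withoutSsl2(enabled);
        System.out.println("Enabled without SSL 2.0: " + usable);
        if (usable.isEmpty()) {
            System.out.println("WARNING: only SSL 2.0 style protocols are enabled");
        }

        // Optional: pass a host name to see what a real handshake negotiates.
        if (args.length > 0 && !usable.isEmpty()) {
            SSLSocketFactory factory = ctx.getSocketFactory();
            SSLSocket socket = (SSLSocket) factory.createSocket(args[0], 443);
            try {
                socket.setEnabledProtocols(usable.toArray(new String[0]));
                socket.startHandshake();
                System.out.println("Negotiated with " + args[0] + ": "
                        + socket.getSession().getProtocol());
            } finally {
                socket.close();
            }
        }
    }
}
```

Run it with the `java` binary from the ColdFusion installation so the result reflects that JVM; without an argument it only prints the local protocol lists and makes no network connection.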