Post by siptec » Wed Oct 29, 2014 3:19 am

Does Authorize.net's recent announcement affect OpenCart transactions? I have one project on 1.5.1.3 using Authorize.Net (AIM) payment gateway.

Authorize.net POODLE FAQ

User avatar
New member

Posts

Joined
Mon Sep 17, 2012 11:32 pm

Post by henkster » Wed Oct 29, 2014 5:36 am

A quick fix (rather than disabling SSLv3 on your server) is to force curl to use TLS instead.

In theory you can just pop this line in under the rest of the curl options (around line 104) in /catalog/controller/payment/authorize_aim.php

Code: Select all

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
I've not tested this in Authorize.net's sandbox yet, just waiting until later when the site goes quieter.

Newbie

Posts

Joined
Wed Jul 13, 2011 5:34 am

Post by sparkybarkalot » Wed Oct 29, 2014 9:27 pm

Any testing results yet?


Posts

Joined
Thu Dec 24, 2009 12:03 am

Post by travist6983 » Wed Oct 29, 2014 9:48 pm

I was curious about this fix as well but i don't think it is working, unless i placed this line incorrectly... Here is what i did

Code: Select all

		curl_setopt($curl, CURLOPT_PORT, 443);
		curl_setopt($curl, CURLOPT_HEADER, 0);
		curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
		curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
		curl_setopt($curl, CURLOPT_FORBID_REUSE, 1);
		curl_setopt($curl, CURLOPT_FRESH_CONNECT, 1);
		curl_setopt($curl, CURLOPT_POST, 1);
		curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
		curl_setopt($curl, CURLOPT_TIMEOUT, 10);
		curl_setopt($curl, CURLOPT_POSTFIELDS, http_build_query($data, '', '&'));
                curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
I tried to place an order and it failed and then i removed the added line and it went through.

New member

Posts

Joined
Sun Jan 09, 2011 1:49 am

Post by sparkybarkalot » Wed Oct 29, 2014 11:28 pm

The change suggested here, and which you made, is what authorize.net recommends:

http://community.developer.authorize.ne ... ba-p/48163

I haven't tested this myself, but I'll give it a whirl myself to see what happens and report back


Posts

Joined
Thu Dec 24, 2009 12:03 am

Post by bmekwa » Thu Oct 30, 2014 12:52 am

We also have couple of clients uses Authorize.net AIM in Opencart. Please post here how you guys fixed this issue, so we also can implement.

Newbie

Posts

Joined
Fri Oct 07, 2011 10:38 pm

Post by henkster » Thu Oct 30, 2014 12:15 pm

I haven't had the chance to test yet, but the code I posted is for a server where the version of curl is <v7.34.0

If your hosting uses v7.34.0 or later then this may work instead

Code: Select all

curl_setopt($curl_request, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
You can check the version of curl using the phpinfo() function.

Newbie

Posts

Joined
Wed Jul 13, 2011 5:34 am

Post by travist6983 » Fri Oct 31, 2014 1:59 am

I am not sure why it isnt working for me here but when i try the code for below 7.34.0 it doesnt work for me at all. I am using OpenCart Version 1.5.4

Do i need to remove anything from around 104 to make it work?

Thanks,
T

New member

Posts

Joined
Sun Jan 09, 2011 1:49 am

Post by bmekwa » Sun Nov 02, 2014 9:50 pm

Hey guys,

I couldnt test this yet since all our client sites are live sites. We have dedicated server with all shopping carts installed with SSL certificate. Some shopping carts we installed and live are bit older authorize.net versions. I could not understand the insights of this issue.

In which situations authorize.net AIM modules will initiate the connection with authize.net api using sslv3. Say we disable poodle attack on server wide. Still this issue can happen and should we add a code in authorize.net module.

I think guys who have detailed knowledge on how authorize.net module initiates the connection api will answer the question in which situations we have to add a fix to inbuild module.

Thank you.

Newbie

Posts

Joined
Fri Oct 07, 2011 10:38 pm

Post by siptec » Mon Nov 03, 2014 10:36 pm

Added the

Code: Select all

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
to the authorize_aim.php.

Transaction still works. Need to wait for 11/5 to see if this is actually working.

Did disable SSLv3 on the hosting server. Only time will tell.

User avatar
New member

Posts

Joined
Mon Sep 17, 2012 11:32 pm

Post by websiteworld » Tue Nov 11, 2014 11:49 pm

You can check how your SSL certificate is signed here as well. I know the domain is odd but it's legit.

https://shaaaaaaaaaaaaa.com/

User avatar
New member

Posts

Joined
Thu Oct 18, 2012 3:11 am

Who is online

Users browsing this forum: No registered users and 4 guests