DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

For general questions and discussions specific to the AbleCommerce GOLD ASP.Net shopping cart software.
jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

Post by jmestep » Tue Oct 28, 2014 5:06 am

I'm asking this so other posters can see the answer. I got an email from Authorize.Net that said the following in part. Could Able verify that the Authorize.net gateway code is OK? I'm assuming it is since this seems to affect a minimal number of merchants.
Your Payment Gateway ID: xx
Dear Authorize.Net Merchant:
As you may be aware, an Internet-wide security issue, commonly referred to as POODLE, has been identified in the last two weeks and affects anyone using older Web browsers that use SSL version 3 (SSLv3), specifically Internet Explorer (IE) 6. This issue creates a vulnerability that could allow hackers to gain access to any connection using this outdated Web browser.
Authorize.Net itself is not vulnerable to POODLE, but we are making changes to our systems to assure that we are providing our merchants and their customers with the highest degree of security possible.
To that end, on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions. You will also no longer be able to access any secure Authorize.Net pages from IE6.
We expect that a minimal number of our merchants will be affected. However, because we do not control how your particular site or solution sends transactions to us, this change could potentially impact your transaction processing. Please immediately contact your web developer or shopping cart solution to see if you will need to make any changes to your site or solution before November 4th.
Most modern shopping carts do not use this old technology in their solutions - in general, POODLE will only affect solutions that are older and use SSLv3. But again, because we do not control which method your systems use for transaction processing, we are not able to advise whether or not this change will affect your site or solution. We strongly urge you to contact your web developer or payment solution provider to find out for sure.
We apologize for the short notice, but security is of the utmost concern. Authorize.Net and most other payment and technology companies are disabling SSLv3 as soon as possible to help make sure that hackers aren't able to exploit this vulnerability.
If you have any questions regarding this change, please review our POODLE FAQs. You can also check out this post in the developer community for instructions to give to your web or solution developer regarding the upcoming change.
Thank you for your prompt attention to this urgent issue.
Sincerely,
Authorize.Net
Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx

mazhar
Master Yoda
Posts: 5084
Joined: Wed Jul 09, 2008 8:21 am

Re: POODLE

Post by mazhar » Tue Oct 28, 2014 7:10 am

We don't do any SSL version specific handling in our codes. Our code will simply utilize what's configured on the web server. In order to protect against POODLE, hosts will need to disable SSL3 on servers. I think most of the shared hosts may have already disabled SSL 3, but anyone with a self-hosted server may need to do the same.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: POODLE

Post by Shopping Cart Admin » Wed Oct 29, 2014 9:14 am

Please see the following link:

https://www.nartac.com/Products/IISCrypto/

Click the PCI button; it will correct all the settings. Just be sure to uncheck SSL 3.0. This will require a reboot to take effect.

If you're running Windows 2003 server, be sure to apply the patch mentioned at the bottom of the page to enable the AES cipher suite.

This tool is handy as it will re-order the cipher suites correctly (not available on 2003).
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook
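
A way to confirm from another machine that SSL 3.0 is really off after the IIS Crypto change and reboot described above. This is an added example, not code from the thread or from AbleCommerce; the function names and the sample byte strings are constructed for illustration, and the probe is meant for a server you administer.

```python
import os
import socket
import struct

SSL3 = (3, 0)  # wire version of SSL 3.0 (TLS 1.0 is 3.1)

# Constructed sample replies (not captured traffic)
SAMPLE_SERVER_HELLO = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00" + bytes(36)
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal handshake_failure(40)

def build_ssl3_client_hello():
    """Return a ClientHello record that offers SSL 3.0 only (no extensions)."""
    # RSA with AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA
    suites = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (bytes(SSL3) + os.urandom(32)        # client_version, random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + bytes(SSL3) + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply):
    """Interpret the first bytes the server sends back to the SSLv3 hello."""
    if len(reply) < 5 or reply[0] == 0x15:
        return "refused"        # closed without a record, or a TLS alert
    if reply[0] == 0x16 and len(reply) >= 11 and reply[5] == 0x02:
        # ServerHello: the chosen version follows the 4-byte handshake header
        if (reply[9], reply[10]) == SSL3:
            return "ssl3-accepted"
    return "unknown"

def probe_ssl3(host, port=443, timeout=5.0):
    """Send the SSLv3-only hello to host:port and classify the answer."""
    buf = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_ssl3_client_hello())
            while len(buf) < 11 and not (buf[:1] == b"\x15" and len(buf) >= 7):
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
    except ConnectionResetError:
        pass                    # a reset after the hello also means refusal
    return classify_reply(buf)

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO), classify_reply(SAMPLE_ALERT))
```

A result of "ssl3-accepted" from `probe_ssl3` means the server still completes an SSL 3.0 ServerHello and the setting has not taken effect.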

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: POODLE

Post by NC Software » Wed Oct 29, 2014 1:10 pm

Running 2003 - hello, this is 2014!!!! Geeeez! Upgrade your servers people!
Neal Culiner
NC Software, Inc.

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

Post by Shopping Cart Admin » Tue Nov 18, 2014 12:24 pm

Hello All,

PayPal will be stopping support for SSL 3.0 on December 3rd!
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

ChipWV
Lieutenant Commander (LCDR)
Posts: 88
Joined: Tue Feb 03, 2009 12:51 pm

Re: DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

Post by ChipWV » Thu Nov 20, 2014 1:27 pm

Shopping Cart Admin wrote: "Hello All, PayPal will be stopping support for SSL 3.0 on December 3rd!"

From the previous comments "We don't do any SSL version specific handling in our codes", I'm assuming this does not affect our AC integration with PayFlow Pro and regular PayPal processing?

I just got a call and email from a PayPal "Outreach Specialist" regarding dropping SSL 3.0 support. I think we've had SSL 3.0 disabled for over a month now.

Just wanting to confirm.

Thanks
Chip

rjh
Ensign (ENS)
Posts: 20
Joined: Wed Oct 25, 2006 8:45 am

Re: DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

Post by rjh » Fri Nov 21, 2014 12:37 pm

Able uses the dll paypal_base.dll which uses SOAP to communicate with PayPal. I cannot find any details on this DLL and I cannot tell if it uses SSL. It does not appear to me that it goes through our web server, but I'm not sure. So the question still stands, is AC7 going to still work with PayPal when they turn off SSL 3.0?

-Rich

Shopping Cart Admin
AbleCommerce Admin
Posts: 3055
Joined: Mon Dec 01, 2003 8:41 pm
Location: Vancouver, WA

Re: DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

Post by Shopping Cart Admin » Tue Nov 25, 2014 7:54 am

Hello Rich,

You need to disable SSL v3 on the webserver and PayPal will continue to work over TLS 1.0+.
Thanks for your support

Shopping Cart Guru
AbleCommerce.com
Follow us on Facebook

NC Software
AbleCommerce Partner
Posts: 4620
Joined: Mon Sep 13, 2004 6:06 pm

Re: DISABLE SSL 3.0, ENABLE TLS 1.0+ POODLE

Post by NC Software » Thu Nov 27, 2014 8:21 am

I personally don't think anything is required of any client (AC) site as the gateway is the one that establishes the handshake. If the gateway doesn't support SSL v3 such as they have it disabled then you will never be able to connect via that protocol. For example, if you tried to make an XYZ protocol connection to my servers and I don't support XYZ, the connection will fail. PayPal in this case is disabling their protocol on Dec 3rd so if any integration was specifically trying to connect via SSL v3 it would fail. There are no AC components such as the PayPal payment API that specifically select a protocol. It's certainly a good practice to disable the security protocols that have vulnerabilities on your server(s) to ensure anyone connecting to you does not establish a connection to your server via an unwanted protocol.
Neal Culiner
NC Software, Inc.
