Authorize.Net DPM does not work with SHA-256 SSL certificate

I use the Authorize.Net DPM (Direct Post Method) method for one specific e-commerce system that I manage.

We updated our SSL certificate for this site, and the new SSL certificate uses SHA-256, not SHA-1, as recommended for added security.

However, now Authorize.Net can no longer send messages to my server. When processing a payment, I get a message:

An error occurred while trying to report this transaction to the seller. An error message was sent to the email. The following is an attempt to charge your credit card.

from the URL https://secure.authorize.net/gateway/transact.dll, instead of sending it back to my code, where I can display the "successful payment" page. After researching this, I believe the problem is that the Authorize.Net servers do not support SHA-2 certificates:

Does anyone know if Authorize.net will recognize the new SHA2 encryption? Our production servers that use this type of certificate do not receive RelayResponse.

We found an article about SHA2 encryption issues with WIN2003 KB968730 servers. We know that Authorize.net uses Win 2003 servers based on the http headers that tell us IIS6.0.

We just found that this is a real problem with Authorize.Net. We were able to acquire the SHA1 certificate, and now we can get a Relay Response from Authorize.Net. The Authorize.Net Relay Response does not process G2 / SHA256 certificates. This will become a serious problem in 2014 when SHA1 certificates will not be available from suppliers, for example GoDaddy, etc.

I contacted Authorize.Net support, but they don't seem to even understand how their own product works, because the answers I get from them do not make sense:

We currently have no announcements on how to specifically use SHA-2 hashes to connect to our servers. Notifications of any changes to integration methods will be available in the merchant interface, as well as in the developer center on developer.authorize.net, if this happens.

I do not connect to their servers. They connect to my server... so their support does not help... how can I solve this? Is it safe or not to use SSL for the DPM x_relay_url? This seems like the safest option, but I hesitate to do so.

2 answers

The solution I went with was to obtain an SSL certificate using the SHA-1 signing algorithm, not SHA-2.

The issue that SHA-2 certificates are rejected by Authorize.net servers has been reported to their development team, but I don't know if they will fix it.


I myself ran into this problem.

I can verify that in my tests, when I switched my x_redirect_url parameter to use a non-SSL site, it started to redirect correctly back to my site. I can also verify that Authorize.net support does not know how their own products work; I had to explain to them how x_redirect_url works, and did not get any useful information from them about any check that they might do at the redirect URL which could cause their system to refuse the redirect.

I thought this was due to a domain name mismatch in my dev environment, so I just made my dev environment use non-SSL redirection. Then, when I launched my new site, I found that the problem remained with SSL redirection on my production site, so I just switched it back to using non-SSL redirection on my production site until I get this sorted out.

I have not yet reissued the SSL certificate, because I'm not sure whether it uses SHA1 or SHA2, and I don't want to regenerate and reinstall it until I'm sure that the certificate is SHA1.

I find it difficult to determine which version of SHA it uses, because the Thumbprint Algorithm displays SHA1, but then I see SHA256RSA for the Signature Algorithm and sha256 for the Signature Hash Algorithm. So, if anyone knows whether this means that I have SHA1 or SHA2, please reply to this answer.

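The confusion in the answer above is common, so here is an added example (not from the original thread or from Authorize.Net) that separates the two fields. The "Thumbprint Algorithm" shown by a certificate viewer is just the hash the viewer applies to the whole DER-encoded certificate to produce a fingerprint; it is always SHA-1 in the Windows certificate dialog and says nothing about how the CA signed the certificate. The signing algorithm is the `signatureAlgorithm` field of the X.509 structure, which is what a peer validating the chain actually cares about, so a certificate showing `sha256RSA` there is a SHA-2 certificate. The script below is a minimal, stdlib-only DER walker that reads that outer field and computes a thumbprint from the same bytes; the sample certificates it parses are constructed skeletons (a placeholder `tbsCertificate` and signature) that only mimic the outer layout, while `signature_algorithm` works unchanged on a real DER certificate read from disk.

```python
"""Tell a certificate's signing algorithm apart from its thumbprint, stdlib only."""
import hashlib

# OIDs for the signature algorithms relevant to the SHA-1 vs SHA-2 question.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA2_ALGORITHMS = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption",
    "sha512WithRSAEncryption", "ecdsa-with-SHA256",
}


def _read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER contents into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(cert_der):
    """Return (oid, name) from the outer signatureAlgorithm of an X.509 cert.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, _tbs, pos = _read_tlv(cert, 0)          # tbsCertificate, not needed here
    tag, algid, _ = _read_tlv(cert, pos)       # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm must be a SEQUENCE"
    tag, oid_bytes, _ = _read_tlv(algid, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid, "unknown")


def uses_sha2_signature(cert_der):
    """True when the CA signed this certificate with a SHA-2 family hash."""
    return signature_algorithm(cert_der)[1] in SHA2_ALGORITHMS


def thumbprint(cert_der, algo="sha1"):
    """Thumbprint = hash of the whole DER blob; independent of the signing hash."""
    return hashlib.new(algo, cert_der).hexdigest()


# --- constructed sample input (skeleton certificates, not real ones) ---------
def _der(tag, content):
    """Minimal DER TLV encoder supporting short and long length forms."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def make_sample_cert(sig_oid):
    """Constructed certificate skeleton: only the outer layout is meaningful."""
    tbs = _der(0x30, _der(0x02, b"\x01"))                                # placeholder tbs
    algid = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))  # OID + NULL
    sig = _der(0x03, b"\x00" + b"\x00" * 32)                              # placeholder BIT STRING
    return _der(0x30, tbs + algid + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        cert = make_sample_cert(oid)
        print(signature_algorithm(cert), "SHA-2:", uses_sha2_signature(cert),
              "SHA-1 thumbprint:", thumbprint(cert)[:16] + "...")
```

Running it prints a SHA-1 thumbprint for both skeletons while only the second reports `sha256WithRSAEncryption`, which is exactly the combination the answer above saw: a SHA-1 thumbprint next to a SHA256RSA signature means the certificate is SHA-2 signed. For a real certificate, read the DER file (or PEM with the base64 body decoded) into `cert_der` and call `signature_algorithm` on it.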
