#100
05-19-2015, 12:23 PM
snowman99
Member
Join Date: Feb 2007
Posts: 21

Re: Authorize.net DPM (PA/DSS Compliant)

I have the BCSE DPM module working temporarily by forcing the Authorizenet response URL to a non-secure HTTP instead of HTTPS which is timing out.

Some history and a heads up...

This all came about because I wanted to verify on the Authorizenet sandbox that our site would continue working after May 26th when the SHA2 certs would be required. Their Sandbox has the upgraded ver 3.1 that will go live on May 26th. What I discovered while testing was that the BCSE module installed two years ago on our site had never been executing. I'm disappointed in myself for not checking more deeply. I relied on the installation instructions for the module and its method for determining if the module was really executing. It turns out that for us, with Xcart's One Page Checkout installed, the method is inconclusive. Whether the module is enabled or not, the order submit page displayed is exactly the same. I hold myself fully responsible for this as I should have caught this then. I have since placed log messages in the code to indicate when it's executing.

The installation instructions state:

If the mod is active and working correctly the credit card input fields will become disabled and gray out when the customer hits the button to submit the order.

In case anyone is interested here is what I think is the problem, but since I'm not a security expert it's going to be an uphill climb.

Our current certificate connection as shown on Chrome:

- Your connection to www.memorial-urns.com is encrypted with obsolete cryptography.
- Connection uses TLS 1.2
- Your connection is encrypted with aes_256_cbc, with SHA1 for message authentication, and ECDHE_RSA as the key exchange mechanism.

I'm getting all green locks on Chrome. My understanding is this has to do with server settings having to do with encryption and not the certificate itself, which is a SHA2 cert as verified by QUALYS SSL Labs.

QUALYS LABS:
Key: RSA 2048 bits.
Signature Algorithm: SHA256withRSA

According to QUALYS Labs, the certificate path does show a Self Signed RSA 2048 bits / SHA1withRSA, which is weak or insecure, but with no impact on the root certificate.

I'll be sending this to Authorizenet and my host provider and see what they say.
__________________
X-cart Ver: 4.7.10 (Linux/Apache)
XCartMods Ultra Template
BCSE Authorize DPM Module
CDSEO 2.2.0
CDSEO Pro Admin
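The Chrome wording in the post (TLS 1.2, ECDHE_RSA, AES_256_CBC with SHA1) describes the suite OpenSSL calls ECDHE-RSA-AES256-SHA: the key exchange and protocol are fine, but a CBC cipher with an HMAC-SHA1 MAC is not an AEAD mode, which is what Chrome's "obsolete cryptography" notice is about, independent of the certificate's SHA-256 signature. Below is an added example (not the module's or the poster's code) that classifies a negotiated suite against that bar and can probe a live host; the host name in the `__main__` block is a placeholder.

```python
import socket
import ssl

# Chrome's "modern cryptography" bar at the time: TLS 1.2 or later, an ECDHE
# key exchange, and an AEAD bulk cipher (AES-GCM or ChaCha20-Poly1305).
# Anything else is flagged "obsolete" even when the certificate itself is fine.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def classify_cipher(openssl_name, protocol):
    """Return (is_modern, reasons) for an OpenSSL-style suite name such as
    'ECDHE-RSA-AES256-SHA' and a negotiated protocol such as 'TLSv1.2'."""
    reasons = []
    if protocol not in ("TLSv1.2", "TLSv1.3"):
        reasons.append("protocol %s is older than TLS 1.2" % protocol)
    # TLS 1.3 suites always use (EC)DHE, so the prefix check only applies to 1.2.
    if protocol != "TLSv1.3" and not openssl_name.startswith("ECDHE-"):
        reasons.append("key exchange is not ECDHE (no forward secrecy)")
    if not any(marker in openssl_name for marker in AEAD_MARKERS):
        # Non-AEAD suite names end in the HMAC hash; a bare 'SHA' means SHA1.
        mac = openssl_name.rsplit("-", 1)[-1]
        mac = "SHA1" if mac == "SHA" else mac
        reasons.append("bulk cipher is CBC with HMAC-%s, not an AEAD mode" % mac)
    return (not reasons, reasons)


def probe_server(host, port=443):
    """Negotiate TLS with a live host and classify the suite it actually picks.
    Needs network access, so the offline test only exercises classify_cipher."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _defined_in, _bits = tls.cipher()
            proto = tls.version()
            return name, proto, classify_cipher(name, proto)


if __name__ == "__main__":
    # Placeholder host; replace with the site being checked.
    print(probe_server("example.com"))
```

If the server's TLS config is the cause, the fix is on the web server (prefer ECDHE + AES-GCM / ChaCha20 suites, disable CBC-only ones), not in the certificate; the same probe run against the Authorizenet endpoint shows which suite that side of the DPM callback negotiates.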