Vas

Disabled SSLv2 and SSLv3 but Wireshark is still showing attempted SSL connections to Authorize.net

With the POODLE vulnerability, credit card gateway Authorize.NET has disabled support for SSLv3/SSLv2 and is requiring TLS to be used to connect to their service.

I'm running into an odd issue, however. I have two web servers, both running the same web ecommerce application (Lagarde Storefront 6.8.0.3); our developer is adamant that the exact same code is running on both web servers (each site just has a different domain name).

Both servers have SSLv2 and SSLv3 disabled, and this is confirmed by https://www.poodlescan.com/

This is also confirmed by the registry:

SSL3 client
SSL3 server

However, one site cannot process credit card transactions (Authorize.net is refusing or closing the connection), and I have confirmed different behavior via Wireshark.

One server is trying to connect using SSL v3, while the working server is using TLS:


SSLv3
TLS



If the code is identical on both servers as the developer claims, and SSL v2 and SSL v3 are confirmed DISABLED on both servers, what could it possibly be on the one server that is trying to use SSL to connect? (If not the web application code.)


The working server (using TLS) is running Windows Server 2003 and the server trying to connect using SSL is a Server 2008 R2 server.


Any ideas what else I can check (server-side) that may be contributing to the connection attempting SSL rather than TLS?


Thanks
SSL / HTTPS, Microsoft IIS Web Server, Windows Server 2008

Last Comment
David Johnson, CD

8/22/2022 - Mon
Vas

ASKER
I have a bit more info, at least for how to fix it in the web application code; however, it seems there must be a way to set this for the entire server, but I haven't been able to track this down.

For ASP.NET, putting something like this in the code will force the web application to use TLS for outgoing connections:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls


What I still need to know is where in IIS6 and IIS7 to force this for the entire server so no coding changes are needed.


Thanks
ASKER CERTIFIED SOLUTION
David Johnson, CD

Vas

ASKER
Thanks, looks like that is only for Windows Server 2008 R2 and higher, so just noting that here for anyone else that finds this thread.

This is very useful, however, so thank you for that; even if manually making changes, one can easily refer to the PowerShell code for the needed changes, and it's nicely commented.

Appreciate it.
David Johnson, CD

You're welcome.
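
A read-only check of the Schannel protocol keys for both the Client and Server roles, together with the .NET default that the ServicePointManager line quoted earlier in the thread overrides. This is an added example, not code from the thread or from the accepted answer; it assumes PowerShell 2.0 or later and the standard Schannel Protocols registry layout, and the function name Get-SchannelProtocolState is hypothetical.

```powershell
# Added example (read-only): list Schannel protocol settings for both roles.
# "Server" keys govern inbound connections (IIS); "Client" keys govern outbound
# connections, such as a web application calling a payment gateway.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'

function Get-SchannelProtocolState {   # hypothetical helper name
    param([string]$Protocol, [string]$Role)
    $key   = "$base\$Protocol\$Role"
    $state = @{ Protocol = $Protocol; Role = $Role
                Enabled = '(not set)'; DisabledByDefault = '(not set)' }
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($name in 'Enabled', 'DisabledByDefault') {
            # A missing value means the OS default applies for that setting.
            if ($null -ne $props.$name) { $state[$name] = $props.$name }
        }
    }
    New-Object PSObject -Property $state
}

$report = foreach ($p in $protocols) {
    foreach ($r in 'Client', 'Server') { Get-SchannelProtocolState $p $r }
}
$report | Select-Object Protocol, Role, Enabled, DisabledByDefault |
    Format-Table -AutoSize

# Warn about legacy SSL protocols whose Client key is not explicitly Enabled = 0.
$report |
    Where-Object { $_.Role -eq 'Client' -and $_.Protocol -like 'SSL*' -and $_.Enabled -ne 0 } |
    ForEach-Object { Write-Warning "$($_.Protocol) Client is not explicitly disabled" }

# Default protocol set for the .NET runtime hosting THIS PowerShell session.
# The web application may run on a different .NET version with a different default.
"ServicePointManager default: $([System.Net.ServicePointManager]::SecurityProtocol)"
```

Running it on both servers and comparing the output shows whether the registry settings really match for the Client role, separately from what a scanner reports about the Server role.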