Disabling SSLv3 caused unexpected problems. Trying to understand why.

Question asked by J Vpci on Oct 19, 2014
Latest reply on Oct 22, 2014 by M K

Hello,

I'm not a security expert. I'm only repeating what others have told me. This is my summary of the situation:

I have a website that does e-commerce.

The hosting co disabled SSLv3. Should not have been a problem, however it had something to do with the server not being able to process credit cards.

The info I'm giving you comes from 3 sources: The CC processor, the hosting co, and the author of the module that processes the transactions between the server and the cc processor.

The system has been running for 3 years. On the 16th late at night it stopped working.

After 2+ days of searching, we found this: (the reason it took 2+ days is we could not contact the right person to look into the problem. Once that was done it was discovered in a few hours of work.)

The CC processor pay was using TLSv1.0. The website's SSL was using TLSv1.2. But the two would not handshake automatically.

The only way the author of the cart module could get the two to communicate was to hard code TLSv1.0.

Once that was done they started working.

The question is why? I would have thought there was some auto-negotiation going on that would create a mutually agreed upon standard to communicate. But it had to be hard coded.

The hosting company says they have no idea.

The system works 100% fine with any other secure site. Only when we try to communicate with this one credit card processor does it require it to be hard coded instead of auto-negotiating the connection. It seems to me the answer is the cc processor must have it hard coded. This seems crazy to me. I'm worried that it may "break" again if they change something. And if that happens we'll be out of business again, at least in regards to processing credit cards.

The system was working fine for years. That seems to indicate to me that they were using SSLv3 until the hosting company disabled it, but then the systems could not agree on a protocol (? is that the right term?)

My questions are:

Why?

How do I make sure it does not happen again?

What do I tell the cc processor to get them to realize the problem was on their end? The server/website/module had no problem connecting with any other secure site using the auto-negotiation system (whatever it's called).

Thank you.
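An added illustration (not code from the post or from any of the parties mentioned) of how pre-TLS-1.3 version negotiation works, and how a "version-intolerant" server breaks it. The scenario values are assumptions: a processor endpoint that implements only SSLv3 and TLSv1.0 and aborts instead of negotiating down when the ClientHello advertises a newer version, which is one behaviour consistent with the symptoms described (works when pinned to SSLv3 or TLSv1.0, fails when the client offers TLSv1.2).

```python
"""Toy model of SSL/TLS protocol version negotiation (added illustration)."""

# Wire versions as (major, minor); a higher tuple is a newer protocol.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL3: "SSLv3", TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


def negotiate(client, server, server_tolerant=True):
    """Return the version the handshake settles on, or None if it aborts.

    client / server are (lowest, highest) versions each side is configured for.
    The ClientHello carries only the client's highest version; a compliant server
    (RFC 5246 appendix E.1) replies with the highest version it supports that is
    not above it, and the client then rejects anything below its own minimum.
    A version-intolerant server (server_tolerant=False) instead aborts whenever
    the client's highest version is newer than anything the server implements.
    """
    c_min, c_max = client
    s_min, s_max = server
    if not server_tolerant and c_max > s_max:
        return None  # no ServerHello: the client just sees a failed handshake
    chosen = min(c_max, s_max)  # highest version both sides can reach
    if chosen < s_min or chosen < c_min:
        return None  # the two configured ranges do not overlap at all
    return chosen


def describe(client, server, server_tolerant=True):
    """Human-readable result of negotiate()."""
    got = negotiate(client, server, server_tolerant)
    return NAMES[got] if got is not None else "handshake failed"


if __name__ == "__main__":
    # Hypothetical processor endpoint: SSLv3 and TLSv1.0 only, version-intolerant.
    processor = (SSL3, TLS10)
    # Assumed "before" state: the cart module pinned to SSLv3.
    print("cart pinned to SSLv3:        ", describe((SSL3, SSL3), processor, False))
    # After the host disabled SSLv3 the cart offers TLSv1.0..TLSv1.2.
    print("cart offering TLSv1.0-1.2:   ", describe((TLS10, TLS12), processor, False))
    # The same ClientHello against a compliant TLSv1.0 server would be fine.
    print("...against a compliant server:", describe((TLS10, TLS12), processor, True))
    # The workaround the module author applied: hard-code TLSv1.0.
    print("cart pinned to TLSv1.0:      ", describe((TLS10, TLS10), processor, False))
```

Whether a real endpoint behaves like the intolerant model can be checked from the outside by comparing `openssl s_client -connect host:443 -tls1` with `openssl s_client -connect host:443 -tls1_2`: a compliant TLSv1.0-only server fails both cleanly with a version alert, while the negotiated default handshake succeeds.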