phpauthorize.nettls1.0tls1.1

Updating Authorize.net since TLS 1.0 and 1.1 is now deprecated


Background

I have taken over a making updates to a site that was running a very old version of PHP. After moving the site from 5.3 to 7.1 I have since noticed that authorize.net keeps sending out emails stating,

we will no longer allow TLS 1.0 and 1.1

It states that it will completely stop working within the next few weeks and I am not sure how to know if the site uses this deprecated version of TLS or not. I assume I should be able to know by the authorize.net classes in the application. But the code does not in any way reference TLS. I also assumed I could know by the endpoints being used, but I have yet to see anything regarding the version of TLS being used having to do with the endpoint being used.

Does anyone know of a sure fire way to test and know if we are indeed using an older version of TLS in our site? Or if it is possible we are using a very old version of authorize.net in the site that does not rely on TLS at all?

Example Code

These are beginning of a few of the classes used in the application. Maybe someone has some understanding of what specifies the version of TLS you are using by the version of the authorize.net api you are using.

class.aim.cc.license.php

<?php
/*********************/
/*                   */
/*  Dezend for PHP5  */
/*         NWS       */
/*      Nulled.WS    */
/*                   */
/*********************/

class authnetcc
{

    var $fields = array( );
    var $license_key;
    var $gateway_url = "https://secure.authorize.net/gateway/transact.dll";
    var $proxy_url;
    var $proxy_port;
    var $secure_source = false;
    var $error_code;
    var $error_message;
    var $error_field;
   ...

AIM.class.php

<?php
/**
* CLASS AIM
*
*
*/
class AIM {
    // login credentials that Authorize.net uses for verification
    var $login_id = '';
    var $trans_key = '';

    // server
    var $server = '';

    // credit card information
    var $cc_name = '';
    var $cc_number = '';
    var $cc_month = '';
    var $cc_year = '';
    var $cc_code = '';
    var $cc_type = '';

    // error stack array
    var $errorStack = array();

    // modes
    var $testMode = false;
    var $debugMode = false;
    var $errorRetries = 2;

    // buyer information
    var $buyer = array();

    // response information
    var $status = '';
    var $subcode = '';
    var $response_code = '';
    var $response_text = '';
    var $approval_code = '';
    var $md5hash = '';
    var $code = '';
    var $remaining = array();

    // constructor
    function __construct($login_id, $trans_key) {
        $this->login_id = $login_id;
        $this->trans_key = $trans_key;

        $this->setTesting(0);
    }
    ...

Solution

  • This is not a coding issue. Authorize.Net has been sending these emails out for over a year. They, like every other PCI compliant payment gateway, are required to use TLS 1.2 or better to remain PCI compliant and this means all of their customers must be compliant as well. This is something you configure on your server, not in your PHP code. If you are using a shared web hosting provider you need to contact them and ask to be moved to a server that supports TLS 1.2 or find a new host that supports it.

    FYI, you should also use the new Akamai URL for their API which also must be updated. The correct URL to use going forward is https://api2.authorize.net/xml/v1/request.api.