cURL / Mailing Lists / curl-users / Single Mail

curl-users

Re: cURL and SSL for posting to Authorize.Net

From: Paul Hoza <paulhoza_at_NearlyEverything.com>
Date: Mon, 02 Dec 2002 21:49:15 -0700

Perhaps this is premature, but here's a follow up about my earlier
post. My hosting company has reverted cURL to a previous version and I am
now able to complete the transaction described below without the '-k'
option. In essence, this problem is solved, but I don't like going back to
older versions unless I understand why... please add insight to this issue
if you would so I understand what's going on for the future. Please
include advice about the versions I'm now using, as well as implications of
staying/upgrading.

Current version info:
     # /usr/bin/curl -V
     curl 7.9.8 (i386-redhat-linux-gnu) libcurl 7.9.8 (OpenSSL 0.9.6b)

Here is the response from my hosting company about what they did. I don't
like that there is still an error reported, even though my application
works now:

/* **********************
I ended up completely removing curl from your server. Then, I installed a
slightly older version of curl back onto the server that had worked on
another server of ours.

When I tested, I got a different error message than before. I was testing
with this command:
   # curl https://localhost/

And it went from giving me this:
   curl: (60) error setting cerficate verify locations

To this:
   curl: (35) SSL: error:140770FC:SSL
routines:SSL23_GET_SERVER_HELLO:unknown protocol

This error message seems a little more hopeful. Can you go ahead and try
your curl operations again? Let us know if you have any other ideas. Thanks.
******************** */

Thanks for the help.
Paul

>I'm using an open source PHP commerce cart system called osCommerce
>[www.oscommerce.com] and attempting to get a community-contributed module
>working right that connects to Authorize.Net's ADC Direct Response credit
>card system. The module uses cURL to post the AuthNet data and get a
>response using SSL, but I've not been able to get the call to work unless
>I use the '-k' option. Since this is transmitting credit card and
>customer data, I want it to be as secure as possible, so I think -k is not
>appropriate here, but I can't quite figure out what's happening... is it
>still secure or do I need to "fix" something??
>
>Thanks for any help you can provide. Here are some details:
>
>RH Linux 7.1 installed on a Virtual Private Server system using
>WEBppliance 3.1
>OpenSSL 0.9.6b
>cURL 7.10.2 (installed by the sysadmin from the server hosting company I use)
> # /usr/bin/curl -V
> curl 7.10.2 (i386-redhat-linux-gnu) libcurl/7.10.2 OpenSSL/0.9.6b
> zlib/1.1.3
>We have an SSL certificate on the site running properly
>
>Here's the call made from the PHP shopping cart module is supposed to be
>this, but nothing happens that I can see:
> exec("/usr/bin/curl -d \"$data\"
> https://secure.authorize.net/gateway/transact.dll", $response);
>
>Here's what actually works (note the dropped \" around $data?.. someone
>suggested that and it won't work otherwise. Would someone explain what
>this should be if I've got it wrong?)
> exec("/usr/bin/curl -k -d $data
> https://secure.authorize.net/gateway/transact.dll", $response);
>
>So, basically, is it using SSL or not?? Is it secure like this, or should
>I be doing something different?
>
>Any help GREATLY appreciated!! :-)
>
>Regards,
>Paul Hoza
>NearlyEverything.com

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T
handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
Received on 2002-12-03