Hi All,
Authorize.net is ending the life of HMAC-MD5 and moving to HMAC-SHA512. What are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8 on a Mac running OS 10.11? I have been using Authorize.net's Server Integration Method (SIM) for years now. That means I collect some information about my customer (name, address, etc.) and then pass the transaction to Authorize where credit card details are entered. Upon successfully charging the card (or not), Authorize passes the transaction back to my site where I take over again. In order to continue connecting with Authorize in this way, I need to upgrade the transaction fingerprint so that it uses HMAC-SHA512 instead of HMAC-MD5. I've been using the Lasso Encrypt_HMAC tag as follows. [var:'x_fp_hash'=(Encrypt_HMAC: $transactionkey, $x_login + '^' + $x_fp_sequence + '^' + ($utc_timestamp) + '^' + $x_amount + '^', -cram)] I know I've been procrastinating this move, but Authorize.net has stopped extending this rollout and is finally bringing HMAC-MD5 to a close. Mac OS 10.11 does support TLSv1.2 so I there may be a possible solution with os_process and curl. Steve Piercy wrote: > Lasso 8 can use TLS v1.2. Use os_process and shell > to invoke curl, and the operating system must > support TLS v1.2. My AuthorizeNet_AIM tag supports it. > It's easy, and the benefits in security and ease > of use of curl are totally worth it. I read Steve's github for implementing AuthorizeNet_AIM at https://github.com/stevepiercy/AuthorizeNet_AIM , but I'm not sure how to put all these pieces in place to get it working. Since I'm using SIM instead of AIM will Steve's tag even work for me? I'll keep at it but in the meantime, if someone could point me in the right direction I would certainly appreciate it. Thanks, Mike Ealy ############################################################# This message is sent to you because you are subscribed to the mailing list Lasso [hidden email] Official list archives available at http://www.lassotalk.com To unsubscribe, E-mail to: <[hidden email]> Send administrative queries to <[hidden email]> |
Hello Mike,
We have faced the same problem a few month age with a deprecated hashing mode in an online payment system... You may refer to this post : HMAC with openssl dgst -sha512 and Lasso 8.6 / CentOS http://lasso.2283332.n4.nabble.com/HMAC-with-openssl-dgst-sha512-and-Lasso-8-6-CentOS-td4646498.html <http://lasso.2283332.n4.nabble.com/HMAC-with-openssl-dgst-sha512-and-Lasso-8-6-CentOS-td4646498.html> In which we tried to defer the hashing to the system through OSProcess... In facts, and In the end we created a tag to call a PHP file itself returning the hash to Lasso with a PHP file calling hash_hmac() or pack() through an include_url() SImple, a bit dirty but working, after hours of fails with other trick... Regards JP - E SYSTEMES France ---- > Le 22 févr. 2019 à 14:00, Mike Ealy <[hidden email]> a écrit : > > Hi All, > > Authorize.net is ending the life of HMAC-MD5 and moving to HMAC-SHA512. What > are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8 > on a Mac running OS 10.11? > > I have been using Authorize.net's Server Integration Method (SIM) for years > now. That means I collect some information about my customer (name, address, > etc.) and then pass the transaction to Authorize where credit card details > are entered. Upon successfully charging the card (or not), Authorize passes > the transaction back to my site where I take over again. > > In order to continue connecting with Authorize in this way, I need to > upgrade the transaction fingerprint so that it uses HMAC-SHA512 instead of > HMAC-MD5. I've been using the Lasso Encrypt_HMAC tag as follows. > > [var:'x_fp_hash'=(Encrypt_HMAC: $transactionkey, $x_login + '^' + > $x_fp_sequence + '^' + ($utc_timestamp) + '^' + $x_amount + '^', -cram)] > > I know I've been procrastinating this move, but Authorize.net has stopped > extending this rollout and is finally bringing HMAC-MD5 to a close. Mac OS > 10.11 does support TLSv1.2 so I there may be a possible solution with > os_process and curl. > > Steve Piercy wrote: >> Lasso 8 can use TLS v1.2. Use os_process and shell >> to invoke curl, and the operating system must >> support TLS v1.2. My AuthorizeNet_AIM tag supports it. >> It's easy, and the benefits in security and ease >> of use of curl are totally worth it. > > I read Steve's github for implementing AuthorizeNet_AIM at > https://github.com/stevepiercy/AuthorizeNet_AIM , but I'm not sure how to > put all these pieces in place to get it working. Since I'm using SIM instead > of AIM will Steve's tag even work for me? I'll keep at it but in the > meantime, if someone could point me in the right direction I would certainly > appreciate it. > > Thanks, > Mike Ealy > > > > > > ############################################################# > > This message is sent to you because you are subscribed to > the mailing list Lasso [hidden email] > Official list archives available at http://www.lassotalk.com > To unsubscribe, E-mail to: <[hidden email]> > Send administrative queries to <[hidden email]> ############################################################# This message is sent to you because you are subscribed to the mailing list Lasso [hidden email] Official list archives available at http://www.lassotalk.com To unsubscribe, E-mail to: <[hidden email]> Send administrative queries to <[hidden email]> |
In reply to this post by Mike Ealy-2
My AIM tag has nothing to do with SIM. They're totally
different methods. The only thing they share in common is that Authorize.net deprecated both. https://developer.authorize.net/api/upgrade_guide/ If you ignore that advice, you can try to hobble along to get your SIM method to work. First check available ciphers with `openssl dgst --help`. If HMAC-SHA512 is not listed, or the command does not run, then you need to install a more recent version of openssl, preferably via brew. Next try `echo 'string_to_hash' | openssl dgst -sha512`. It should output a hash. Note it for comparison later. Nest install [shell] and configure os_process (which the Language Guide thoroughly documents). After you've got that all set up, then this will get you a hash. #hash = shell('echo -n ' + #string_to_hash + ' | /path/to/openssl dgst -sha512') --steve On 2/22/19 at 8:00 AM, [hidden email] (Mike Ealy) pronounced: >Hi All, > >Authorize.net is ending the life of HMAC-MD5 and moving to HMAC-SHA512. What >are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8 >on a Mac running OS 10.11? > >I have been using Authorize.net's Server Integration Method (SIM) for years >now. That means I collect some information about my customer (name, address, >etc.) and then pass the transaction to Authorize where credit card details >are entered. Upon successfully charging the card (or not), Authorize passes >the transaction back to my site where I take over again. > >In order to continue connecting with Authorize in this way, I need to >upgrade the transaction fingerprint so that it uses HMAC-SHA512 instead of >HMAC-MD5. I've been using the Lasso Encrypt_HMAC tag as follows. > >[var:'x_fp_hash'=(Encrypt_HMAC: $transactionkey, $x_login + '^' + >$x_fp_sequence + '^' + ($utc_timestamp) + '^' + $x_amount + '^', -cram)] > >I know I've been procrastinating this move, but Authorize.net has stopped >extending this rollout and is finally bringing HMAC-MD5 to a close. Mac OS >10.11 does support TLSv1.2 so I there may be a possible solution with >os_process and curl. > >Steve Piercy wrote: >>Lasso 8 can use TLS v1.2. Use os_process and shell >>to invoke curl, and the operating system must >>support TLS v1.2. My AuthorizeNet_AIM tag supports it. >>It's easy, and the benefits in security and ease >>of use of curl are totally worth it. > >I read Steve's github for implementing AuthorizeNet_AIM at >https://github.com/stevepiercy/AuthorizeNet_AIM , but I'm not sure how to >put all these pieces in place to get it working. Since I'm using SIM instead >of AIM will Steve's tag even work for me? I'll keep at it but in the >meantime, if someone could point me in the right direction I would certainly >appreciate it. > >Thanks, >Mike Ealy > > > > > >############################################################# > >This message is sent to you because you are subscribed to >the mailing list Lasso [hidden email] >Official list archives available at http://www.lassotalk.com >To unsubscribe, E-mail to: <[hidden email]> >Send administrative queries to <[hidden email]> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Steve Piercy Website Builder Eugene, OR <[hidden email]> <http://www.stevepiercy.com/> ############################################################# This message is sent to you because you are subscribed to the mailing list Lasso [hidden email] Official list archives available at http://www.lassotalk.com To unsubscribe, E-mail to: <[hidden email]> Send administrative queries to <[hidden email]> |
I was able to create an -sha512 hash using your guidance. Thanks Steve! I'll
try to move to the Accept Hosted option with Authorize. Seems over my head at first look. I'm going to try to stick with the payment form hosted by Authorize where they will pass the transaction back to my site after processing the cc. Advice from anyone who has implemented the Accept Hosted option with Lasso 8 would be appreciated. Mike > My AIM tag has nothing to do with SIM. They're totally > different methods. The only thing they share in common is that > Authorize.net deprecated both. > > https://developer.authorize.net/api/upgrade_guide/ > > If you ignore that advice, you can try to hobble along to get > your SIM method to work. > > First check available ciphers with `openssl dgst --help`. > > If HMAC-SHA512 is not listed, or the command does not run, then > you need to install a more recent version of openssl, preferably > via brew. > > Next try `echo 'string_to_hash' | openssl dgst -sha512`. It > should output a hash. Note it for comparison later. > > Nest install [shell] and configure os_process (which the > Language Guide thoroughly documents). > > After you've got that all set up, then this will get you a hash. > > #hash = shell('echo -n ' + #string_to_hash + ' | > /path/to/openssl dgst -sha512') > > --steve > > > On 2/22/19 at 8:00 AM, [hidden email] (Mike Ealy) pronounced: > >> Hi All, >> >> Authorize.net is ending the life of HMAC-MD5 and moving to HMAC-SHA512. What >> are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8 >> on a Mac running OS 10.11? >> >> I have been using Authorize.net's Server Integration Method (SIM) for years >> now. That means I collect some information about my customer (name, address, >> etc.) and then pass the transaction to Authorize where credit card details >> are entered. Upon successfully charging the card (or not), Authorize passes >> the transaction back to my site where I take over again. >> >> In order to continue connecting with Authorize in this way, I need to >> upgrade the transaction fingerprint so that it uses HMAC-SHA512 instead of >> HMAC-MD5. I've been using the Lasso Encrypt_HMAC tag as follows. >> >> [var:'x_fp_hash'=(Encrypt_HMAC: $transactionkey, $x_login + '^' + >> $x_fp_sequence + '^' + ($utc_timestamp) + '^' + $x_amount + '^', -cram)] >> >> I know I've been procrastinating this move, but Authorize.net has stopped >> extending this rollout and is finally bringing HMAC-MD5 to a close. Mac OS >> 10.11 does support TLSv1.2 so I there may be a possible solution with >> os_process and curl. >> >> Steve Piercy wrote: >>> Lasso 8 can use TLS v1.2. Use os_process and shell >>> to invoke curl, and the operating system must >>> support TLS v1.2. My AuthorizeNet_AIM tag supports it. >>> It's easy, and the benefits in security and ease >>> of use of curl are totally worth it. >> >> I read Steve's github for implementing AuthorizeNet_AIM at >> https://github.com/stevepiercy/AuthorizeNet_AIM , but I'm not sure how to >> put all these pieces in place to get it working. Since I'm using SIM instead >> of AIM will Steve's tag even work for me? I'll keep at it but in the >> meantime, if someone could point me in the right direction I would certainly >> appreciate it. >> >> Thanks, >> Mike Ealy >> >> >> >> >> >> ############################################################# >> >> This message is sent to you because you are subscribed to >> the mailing list Lasso [hidden email] >> Official list archives available at http://www.lassotalk.com >> To unsubscribe, E-mail to: <[hidden email]> >> Send administrative queries to <[hidden email]> > > -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- > Steve Piercy Website Builder Eugene, OR > <[hidden email]> <http://www.stevepiercy.com/> > > > ############################################################# > > This message is sent to you because you are subscribed to > the mailing list Lasso [hidden email] > Official list archives available at http://www.lassotalk.com > To unsubscribe, E-mail to: <[hidden email]> > Send administrative queries to <[hidden email]> ############################################################# This message is sent to you because you are subscribed to the mailing list Lasso [hidden email] Official list archives available at http://www.lassotalk.com To unsubscribe, E-mail to: <[hidden email]> Send administrative queries to <[hidden email]> |
After reading the documentation, you will need to ask specific
questions about what you do not understand. https://developer.authorize.net/api/reference/features/accept_hosted.html I do not recommend setting it aside because it is over your head. I made the same avoidance mistake by sticking with Lasso longer than I should have and deferred diving into Python and the Pyramid web framework. I should have just sucked it up and taken the leap back in 2010 instead waiting a couple of years. Now I have emails sent to [hidden email] bouncing due to a "451 Could not load DRD" error when my legacy Lasso 8.6 server serial claims it has expired when it has not, and the Server/SiteAdmin goes into lockdown mode. --steve On 2/23/19 at 9:38 AM, [hidden email] (Mike Ealy) pronounced: >I was able to create an -sha512 hash using your guidance. Thanks Steve! I'll >try to move to the Accept Hosted option with Authorize. Seems over my head >at first look. I'm going to try to stick with the payment form hosted by >Authorize where they will pass the transaction back to my site after >processing the cc. Advice from anyone who has implemented the Accept Hosted >option with Lasso 8 would be appreciated. > >Mike > > > >>My AIM tag has nothing to do with SIM. They're totally >>different methods. The only thing they share in common is that >>Authorize.net deprecated both. >> >>https://developer.authorize.net/api/upgrade_guide/ >> >>If you ignore that advice, you can try to hobble along to get >>your SIM method to work. >> >>First check available ciphers with `openssl dgst --help`. >> >>If HMAC-SHA512 is not listed, or the command does not run, then >>you need to install a more recent version of openssl, preferably >>via brew. >> >>Next try `echo 'string_to_hash' | openssl dgst -sha512`. It >>should output a hash. Note it for comparison later. >> >>Nest install [shell] and configure os_process (which the >>Language Guide thoroughly documents). >> >>After you've got that all set up, then this will get you a hash. >> >>#hash = shell('echo -n ' + #string_to_hash + ' | >>/path/to/openssl dgst -sha512') >> >>--steve >> >> >>On 2/22/19 at 8:00 AM, [hidden email] (Mike Ealy) pronounced: >> >>> Hi All, >>> Authorize.net is ending the life of HMAC-MD5 and moving to >>>HMAC-SHA512. What >>> are my options for generating a fingerprint from HMAC-SHA512 using Lasso 8 >>> on a Mac running OS 10.11? >>> I have been using Authorize.net's Server Integration >>>Method (SIM) for years >>> now. That means I collect some information about my customer (name, address, >>> etc.) and then pass the transaction to Authorize where credit card details >>> are entered. Upon successfully charging the card (or not), Authorize passes >>> the transaction back to my site where I take over again. >>> In order to continue connecting with Authorize in this >>>way, I need to >>> upgrade the transaction fingerprint so that it uses HMAC-SHA512 instead of >>> HMAC-MD5. I've been using the Lasso Encrypt_HMAC tag as follows. >>> [var:'x_fp_hash'=(Encrypt_HMAC: $transactionkey, $x_login >>>+ '^' + >>> $x_fp_sequence + '^' + ($utc_timestamp) + '^' + $x_amount + '^', -cram)] >>> I know I've been procrastinating this move, but >>>Authorize.net has stopped >>> extending this rollout and is finally bringing HMAC-MD5 to a close. Mac OS >>> 10.11 does support TLSv1.2 so I there may be a possible solution with >>> os_process and curl. >>> Steve Piercy wrote: >>>> Lasso 8 can use TLS v1.2. Use os_process and shell >>>> to invoke curl, and the operating system must >>>> support TLS v1.2. My AuthorizeNet_AIM tag supports it. >>>> It's easy, and the benefits in security and ease >>>> of use of curl are totally worth it. >>> I read Steve's github for implementing AuthorizeNet_AIM at >>> https://github.com/stevepiercy/AuthorizeNet_AIM , but I'm not sure how to >>> put all these pieces in place to get it working. Since I'm using SIM instead >>> of AIM will Steve's tag even work for me? I'll keep at it but in the >>> meantime, if someone could point me in the right direction I would certainly >>> appreciate it. >>> Thanks, >>> Mike Ealy >>> ############################################################# >>> This message is sent to you because you are subscribed to >>> the mailing list Lasso [hidden email] >>> Official list archives available at http://www.lassotalk.com >>> To unsubscribe, E-mail to: <[hidden email]> >>> Send administrative queries to <[hidden email]> >> >>-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- >>Steve Piercy Website Builder Eugene, OR >><[hidden email]> <http://www.stevepiercy.com/> >> >> >>############################################################# >> >>This message is sent to you because you are subscribed to >>the mailing list Lasso [hidden email] >>Official list archives available at http://www.lassotalk.com >>To unsubscribe, E-mail to: <[hidden email]> >>Send administrative queries to <[hidden email]> > > > >############################################################# > >This message is sent to you because you are subscribed to >the mailing list Lasso [hidden email] >Official list archives available at http://www.lassotalk.com >To unsubscribe, E-mail to: <[hidden email]> >Send administrative queries to <[hidden email]> -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- Steve Piercy Website Builder Eugene, OR <[hidden email]> <http://www.stevepiercy.com/> ############################################################# This message is sent to you because you are subscribed to the mailing list Lasso [hidden email] Official list archives available at http://www.lassotalk.com To unsubscribe, E-mail to: <[hidden email]> Send administrative queries to <[hidden email]> |
Free forum by Nabble | Edit this page |