[SOLVED] [#7418] Authorize.net MD5 hash phased out

Hi,
We built a new website and plan to use authorize.net with CB Subs. However, in CB Subs payment settings for authorize.net, there is a field for m5-hash. However, authorize.net account no longer provides the md5 hash.

So, does it mean that authorize.net won't work currently with CB Subs? Please advise.

Are you sure ?

According to their very short noticed dates here support.authorize.net/s/article/MD5-Hash-End-of-Life-Signature-Key-Replacement :

Phase 1 - As of February 11, 2019 we have removed ability to configure or update MD5 Hash setting in the Merchant Interface. Merchants who had this setting configured have already been emailed/contacted.

Phase 2 - Stop sending the MD5 Hash data element in the API response. To continue verifying via hash, this will require applications to support the SHA-512 hash via signature key.

• Sandbox has been updated as of March 7, 2019 to stop populating the MD5 Hash value, but the field will still be present but empty.
• Production will be updated on [strike]March 14, 2019[/strike] March 28, 2019 (updated) to stop populating the MD5 Hash value, but the field will still be present but empty.

So it should still be provided.

We are working to provide a new CBSubs version with SHA2 hash for AIM and ARB, but unfortunately, we have to wait 5-6 more days to see a first silent post with ARB renewals, to be able to fully implement and test SHA2 since their test-server enforces the 7 days minimum period for auto-recurring payments

If you have a sample SHA2 ARB silent post from your history logs/notifications logs, with the corresponding SH2 key for us to try to implement the undocumented ARB SHA2 hash, please PM it to me.

Worst case, we will provide a way to remove the MD5 hash check, which is what most carts have done!!! Which is quite sad.

Needless to say that we do not recommend Authorize.net for new projects, given their very short notice phase-out notices.

You should contact your Auth.net sales representative and protest for such short-notice business-breaking practices.

Just got following automatic email from authorize.net:

MD5 Hash End of Life Moved to June 28, 2019

After reviewing feedback concerning the production cutoff date for the MD5 Hash, we are pushing back the production update from March 14, 2019, to June 28, 2019. We will continue to review feedback and consider further date changes as needed over the next month.

So, customers calling them works. For such business-breaking changes, a clear drop-off date and active advance customer notification should be minimum 12 to 24 months in advance.

Ok, after thorough tests on their Sandbox server (had to setup, then wait 7 days to get a first ARB Silent Post), situation is as follows with that Authorize.net sandbox server:

x_MD5_Hash = ''
x_SHA2_Hash = ''

for ARB Silent Posts (second one is a bug at Authorize.net, acknowledged in their public community forums.

So have made MD5 check optional: Just leave MD5 Hash parameter out in CBSubs gateway setting.

Have also added a SHA2 "Authorize.net Signature Key" (optional too): If set, it will check for the x_SHA2_Hash and fail if not present or not matching the computed hash. However without any documentation or sample of a SHA2-signed ARB Silent Post, I could only guess how the signing is done. If you have (after upgrade to latest CBSubs Nightly), a Notification of a re-occurring payment with the POST x_SHA2_Hash parameter not empty, please PM me the POST so I can check if my guess is right.

Please see full reply here:
www.joomlapolis.com/forum/277-cb-paid-subscriptions-support/240429-7418-authorize-net-is-phasing-out-the-md5-hash?start=6#311341

Hi,

I updated CB Subs, and tried the payment. I then got this error message, and payment failed:

HTTPS POST Connection to payment gateway server failed (check system information in CBSubs Settings): ERROR: cURL error 60: SSL certificate problem: self signed certificate in certificate chain ()

Update:
I updated CB and that fixed the issue.