Re: SSL protocol via custom module?



On Fri, 04 Aug 2006 10:28:16 -0700, petesouthwest wrote:
> I have bought a 'well known' shopping cart program which I'm trying
> to use with a 'well known' payment service provider.
> [...]
> The payment service provider says that in order for the process to
> work, the server hosting my shopping cart must have SSL support. This
> is apparently as the process uses a POST to send a simple
> acknowledgement back to an HTTPS website, for handshaking purposes. The
> payment service provider says that as the host's system is a Linux box
> it requires Crypt::SSLeay and port 443 open.

Your problem appears to be that you're confused by not understanding the
technology sufficiently and dealing with people who are using the terms
improperly so that when you talk to someone else, they think you mean
something different from what you intend.

Is your shopping cart program designed and documented to work with this
payment service provider? You're not trying to integrate a shopping cart
from one vendor with a payment service module from another, are you? That
would require hacking of some degree, possibly considerable.

Here's how the process happens: a user on their browser makes an
HTTP connection to your web server to buy something. At least at the
point where they supply credit card data, *that* connection needs to be
secured via SSL so that no one snoops the information. So your site host
needs to open port 443 and the URL the CC data is posted to needs to use
the https scheme. There is another way that this is sometimes done where
your program *redirects* the user to a secure site run by the payment
service provider before they enter CC data, but it sounds like you're not
doing that.

Your shopping cart program then sends the CC data off to the payment
service provider to be booked. That transaction is also done via HTTP and
needs to be secured via SSL again. Your program is now acting as a web
client. Your site host does *not* need to open port 443 for *this*
operation, because you're connecting to port 443 on the *remote* host.
It's conceivable that your host blocks outgoing connections such as that
made by your program out of some misplaced sense of security. I would
dump anyone that did that.

> However after a week of pushing the cart company they now say that
> SSL support is not required as their own module, an sc.pm file
> stored in the cgi-bin uploaded during the cart upload provides the SSL
> support.
>
> Searching their scripts for lines like 'new HTTP::Request
> "POST","url";' certainly draws a blank.
>
> The shopping cart scripts appear to post the information by calling a
> function
> ::HTTPS_SendAndReceive('www.xxxx.com', 443,
> '/xxx.dll/apc/apc', $sPostedData, 'POST', $::TRUE, $ssl_socket);


A simple search on the above shows you asking the same question (with more
detail) at http://community.actinic.com/showthread.php?p=117075 . The
answer to your last query there is that the code uses Net::SSL to make the
secure connection. Net::SSL comes with Crypt::SSLeay, therefore you need
to install the Crypt::SSLeay distribution. See
http://search.cpan.org/~chamas/Crypt-SSLeay-0.51/ .

--
Peter Scott
http://www.perlmedic.com/
http://www.perldebugged.com/
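
The reply above separates two questions: whether Net::SSL (from Crypt::SSLeay) is installed, and whether the host allows outgoing connections to the remote port 443. The following diagnostic is an added example, not part of the original post or the cart's code; the default hostname is a placeholder assumption, to be replaced with the payment provider's host.

```perl
#!/usr/bin/perl
# Added diagnostic example; not code from the cart or the original post.
use strict;
use warnings;
use IO::Socket::INET;

# Placeholder host (assumption): pass the payment provider's hostname as $ARGV[0].
my $host = shift(@ARGV) || 'payments.example.com';
my $port = 443;

# Check 1: is Net::SSL (shipped in the Crypt::SSLeay distribution) installed?
sub have_net_ssl {
    return eval { require Net::SSL; 1 } ? 1 : 0;
}

# Check 2: does the web host allow *outgoing* TCP to the remote port 443?
# This is plain TCP, so it isolates egress filtering from any SSL problem.
sub can_reach {
    my ($h, $p) = @_;
    my $sock = IO::Socket::INET->new(
        PeerAddr => $h, PeerPort => $p, Proto => 'tcp', Timeout => 10,
    ) or return 0;
    close $sock;
    return 1;
}

# Check 3: complete an SSL handshake as a client, the way the cart would.
# Net::SSL->new may die or return undef on failure, hence the eval.
sub handshake_cipher {
    my ($h, $p) = @_;
    my $ssl = eval { Net::SSL->new(PeerAddr => $h, PeerPort => $p, Timeout => 10) }
        or return;
    my $cipher = $ssl->get_cipher;
    $ssl->close;
    return $cipher;
}

my $mod = have_net_ssl();
my $tcp = can_reach($host, $port);
print "Net::SSL installed: ", ($mod ? "yes" : "no, install Crypt::SSLeay"), "\n";
print "Outbound TCP to ${host}:${port}: ", ($tcp ? "open" : "blocked or unreachable"), "\n";
if ($mod && $tcp) {
    my $cipher = handshake_cipher($host, $port);
    print "SSL handshake: ", (defined $cipher ? "ok ($cipher)" : "failed: $@"), "\n";
}
exit(($mod && $tcp) ? 0 : 1);
```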
