0

Since yesterday afternoon at 1.30pm, two separately written applications that access the SagePay payment gateway and the Reporting API Endpoint have both returned the following error:

The server committed a protocol violation. Section=ResponseStatusLine

This occurs in the code at the point of

System.Net.HttpWebRequest.GetResponse()

The payment application hasn't changed since 2009 and was written by an ex-member of staff and is ironically scheduled to be replaced in 3 weeks. The Reporting application was written at the end of last year and has worked since inception until yesterday.

I have spoken to SagePay and they advise that nothing has happened from their perspective. The only thing on my mind was the recent disabling of SSLv3 last month, but at the time the reporting tool was changed to use TLS, and I have checked this today and it is indeed using TLS.

Is anyone able to shed any light on what could be causing this please?

Thank you.

closer
  • I am also having this problem since yesterday. I have spoken to SagePay and they say that it is indeed due to us using SSLv3, although this was switched off in November and online tools show that we're not using it anymore. I'll let you know if I get anything further from SagePay. – louiser89 Feb 20 '15 at 11:39

3 Answers

1

OK - I have a fix for this :)

Having spoken to SagePay, they no longer support Triple DES encryption, only AES. By default Windows 2003 won't use AES - hence the problem.

However, if you install the fix in this article: https://support.microsoft.com/kb/948963 it will enable AES and fix the problem.

BTW, it seems like the link to the hotfix in that article is broken, but this link works: http://hotfixv4.microsoft.com/Windows%20Server%202003/sp3/Fix192447/3790/free/351385_ENU_i386_zip.exe

It does require a reboot, and you will need to disable all protocols apart from TLS1.0 in order for this to work.

0

We have the same problem. One suggestion is to add the following to the web.config:

<system.net>
    <settings>
        <httpWebRequest useUnsafeHeaderParsing="true" />
    </settings>
</system.net>

This at least avoids the protocol violation, but leads to the following error for me instead:

The underlying connection was closed: The connection was closed unexpectedly.

One other point which I would be interested in your comment on, is that we can only reproduce this error on Windows 2003 servers. On Windows 2008 it works OK. I have also reproduced this on my Windows 7 dev machine by forcing it to connect via SSL3.

I have disabled SSL3 in Schannel for both client and server applications, but I am wondering if it is continuing to connect via SSL3 for some reason, rather than using TLS. Any thoughts?

  • I've checked this in Fiddler and it is indeed connecting with TLS not SSL3. The only difference between the connection on Win2003 (which doesn't work) and the one on Win7 (which does work) is the cipher. Win7 is using AES and Win2003 is using 3DES. I am trying to find out from SagePay what their minimum cipher requirements are. – Richard Day Feb 23 '15 at 09:21
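
A small diagnostic for the check discussed in the answers above (which protocol and cipher the client actually negotiates), added here as an example and not code from any poster or from SagePay. It uses .NET's SslStream, which goes through Schannel just as HttpWebRequest does on Windows; the class name TlsProbe, the Assess helper and the host gateway.example.com are placeholders, so pass the real gateway host as the first argument.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;

static class TlsProbe // hypothetical name, not from the thread
{
    // Interprets the negotiated cipher in the terms used in this thread.
    static string Assess(CipherAlgorithmType cipher)
    {
        switch (cipher)
        {
            case CipherAlgorithmType.Aes:
            case CipherAlgorithmType.Aes128:
            case CipherAlgorithmType.Aes192:
            case CipherAlgorithmType.Aes256:
                return "AES: matches what the gateway is reported to accept";
            case CipherAlgorithmType.TripleDes:
                return "3DES: what the thread observed on Windows 2003, reported as rejected";
            default:
                return cipher + ": legacy cipher, review the Schannel cipher settings";
        }
    }

    static int Main(string[] args)
    {
        // Placeholder host: pass the real gateway name as the first argument.
        string host = args.Length > 0 ? args[0] : "gateway.example.com";
        try
        {
            using (TcpClient tcp = new TcpClient(host, 443))
            using (SslStream ssl = new SslStream(tcp.GetStream(), false))
            {
                // Offer TLS 1.0 only, the protocol the thread's fix leaves enabled.
                ssl.AuthenticateAsClient(host, null, SslProtocols.Tls, false);
                Console.WriteLine("Protocol: {0}", ssl.SslProtocol);
                Console.WriteLine("Cipher:   {0} ({1} bits)", ssl.CipherAlgorithm, ssl.CipherStrength);
                Console.WriteLine(Assess(ssl.CipherAlgorithm));
                return 0;
            }
        }
        catch (Exception ex)
        {
            // A refused handshake surfaces here (IOException or AuthenticationException).
            Console.WriteLine("Handshake failed: " + ex.Message);
            return 1;
        }
    }
}
```

Run it on both the failing and the working server: the output reflects what the operating system negotiates for that machine, independent of any proxy or inspection tool in the path.
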
0

I have just spoken to someone at SagePay about this who says that this is an issue with the connection using SSLv3. We thought we had disabled this in November last year, but he said that when using Windows Server 2003, he’s heard that sometimes it looks like the SSLv3 is being disabled but that when it gets to the last step it doesn’t do it for some reason.

I'm looking into this now with our server hosts, but this could be something for you to look at too.

louiser89