Main payments gateway in Spain (RedSys) rejects Let's Encrypt certificates


#1

In Spain most of the banks use RedSys as the payment gateway, and we recently added a certificate to one site where we sell some goods.
Upon testing we noticed that the notifications stopped arriving, and when we asked them they replied that this is not one of the certification authorities they recognize (besides that, it also fails if the domain uses SNI).
They pointed us to a document from January 2015 with the list of entities:
ACE/Verisign
Comodo
Digi-Sign
Geotrust/ Equifax
Starfield Technologies
Thawte
IPSCA
Agencia Catalana de Certificación
CyberTrust
Globalsign
Agencia Valenciana de Certificación

As time goes on, more people from Spain will face this problem, so it would be great to make them realize that they must update their software ASAP, because people won’t stop using Let’s Encrypt just for them. The automated renewal is just too good.

At the very least, I hope that this post comes up when people search for problems with Let’s Encrypt and Redsys.


#2

Is the document they pointed you to publicly available, e.g. on a web page you can link?

I did a quick Google and wasn’t able to find the information publicly, so it might only be available to sites like yourselves that actually use RedSys, but if it is, please link it here.

Of course the choice of which Certification Authorities are trusted must be left up to the payment gateway as they’re the ones taking the risk if they are fooled by a bad CA. Still as Let’s Encrypt popularity increases it may be possible to persuade RedSys to trust either ISRG (the root CA for Let’s Encrypt itself) or IdenTrust, which is widely trusted by people’s web browsers and cross-signs today’s Let’s Encrypt certificates and thus make a Let’s Encrypt certificate useful for this purpose too.


#3

No, I don’t think that they release this info publicly; they sent it to us only after identifying our user code, so I won’t be the one that uploads it anywhere, as it has a note on the side that it can’t be distributed.

The HTTPS connection here only matters for the backend communication between their servers and us, and they happily accept plain HTTP (that’s what we have done, reverting the notification URL to HTTP), so there’s no extra risk in accepting other CAs. I would say that the problem is that they are using outdated Java code (they don’t accept SNI), and so including a new CA means extra work that they prefer not to do.

As I said at the end of the initial post, I wrote here because other people might run into the same problem; at least they’ll be able to find the answer more easily, and if every one of us keeps asking them to support Let’s Encrypt they’ll do it sooner.


#5

It’s a joke, right? Please, tell me it’s a joke…


#6

As I said, this is Spain. Enough said.


#7

Yeah, that’s a common problem with many payment APIs. PayPal’s IPN still supports HTTP URLs as well. :pensive:

Hopefully Let’s Encrypt will help with changing those policies, given that there’s no cost argument anymore.


#8

To be fair, depending on what the back channel is used for, and how, the associated security risk may be small or even non-existent.

Until relatively recently the systems I’m responsible for included such a back channel from a major payment gateway (not RedSys), which was over HTTPS because all our systems for machines only speak HTTPS, but all that was communicated over this link was essentially a series of messages like this:

“Hi I’m your payment gateway and I promise customer XYZ has just paid you $8.45”

No card details are moved, no authentication or credentials, about the worst I can imagine an attacker doing is either to block access (so that your system doesn’t know it was paid and maybe customers are inconvenienced) or to send a lot of spurious “payments” with guessed customer IDs and hope to choke your systems up that way.

Spying on this channel could I guess be valuable industrial espionage? Knowing how many sales you’re making? But they could also, much more easily, just count how many connections are made and guess from that even if you use SSL.

It’s important that the service used to transport customer credentials and authorize payments is properly secured, but the back channel is not part of that service in any payment gateway I’ve seen.

Also, and perhaps unknown to even most retailers, let alone ordinary card holders, the credit card system pre-dates real computerisation, so the Settlement step where your money is actually spent is not authenticated or secured in any way. Any VISA accepting company anywhere in the world can tell VISA that oh yeah, your card was used and you owe them $484.31 and VISA will pass that to your issuer who will expect you to pay $484.31, and ONLY if you refuse to pay will anybody investigate and find that the company has no proof whatsoever you owe a penny. All that stuff with card swiping, or even typing PINs into terminals, that’s the Authorization step, which is purely advisory and not required to move the money, it just provides proof if you later refuse to pay. So, check your card statements carefully. This was a Public Service Announcement.


#9

Yes, it isn’t a big problem in itself that the notification from the payment gateway is done over HTTP, because all credit card details are only handled on their secure site, and then they send an asynchronous signed notification, kinda like PayPal.

But hopefully they will start accepting Let’s Encrypt, and any e-commerce site in Spain can use it; after a little while every site will in fact use it, and then they can require that any connection is always done over HTTPS. But for that they need to upgrade their code to also support SNI.
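
The posts above (#3, #8 and #9) lean on one property: the callback that arrives over plain HTTP is tolerable only because the gateway signs it and the shop checks that signature against its own records. The following is an added example for this thread, not code from Redsys, PayPal or any poster. The signature scheme it uses (HMAC-SHA256 over the sorted notification fields, keyed with a merchant secret) is an assumption chosen for illustration and is not Redsys's actual format; the order, amounts and secret are constructed. It shows the three checks a merchant endpoint needs on an unencrypted callback: a constant-time MAC check, a match against the amount the shop itself recorded, and replay rejection.

```python
"""Verify a signed, asynchronous payment notification that arrives over plain HTTP.

Added example; the scheme below (HMAC-SHA256 over the sorted notification fields,
keyed with a merchant secret) is an assumption for illustration and is NOT the
actual Redsys or PayPal signature format. With no TLS on the callback, anyone on
the path can read or rewrite the POST body, so the shop's protection is the MAC
plus its own bookkeeping (expected amount per order, and no replays).
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed secret; in a real deployment it is shared out of band with the gateway.
MERCHANT_SECRET = b"constructed-shared-secret-not-real"

# Fields covered by the signature; anything else in the body is not trusted.
SIGNED_FIELDS = ("order", "amount", "currency", "status")


def canonical(fields: dict) -> bytes:
    """Deterministic serialization of the signed fields, sorted by name."""
    return urlencode(sorted((k, fields[k]) for k in SIGNED_FIELDS)).encode()


def sign(fields: dict, secret: bytes = MERCHANT_SECRET) -> str:
    """Hex HMAC-SHA256 of the canonical form (what the gateway would compute)."""
    return hmac.new(secret, canonical(fields), hashlib.sha256).hexdigest()


class NotificationVerifier:
    """Merchant-side check of an incoming notification body."""

    def __init__(self, expected_orders: dict, secret: bytes = MERCHANT_SECRET):
        # order id -> (amount, currency) recorded by the shop before redirecting
        # the customer to the gateway; the notification must match it exactly.
        self.expected = expected_orders
        self.secret = secret
        self.seen = set()  # order ids already processed, to refuse replays

    def verify(self, raw_body: str) -> tuple:
        fields = dict(parse_qsl(raw_body, keep_blank_values=True))
        if any(k not in fields for k in SIGNED_FIELDS + ("signature",)):
            return False, "missing field"
        # Constant-time compare on bytes: no timing leak, no TypeError on odd input.
        expected_sig = sign(fields, self.secret).encode()
        if not hmac.compare_digest(expected_sig, fields["signature"].encode()):
            return False, "bad signature"
        order = fields["order"]
        if order in self.seen:
            return False, "replay"
        if self.expected.get(order) != (fields["amount"], fields["currency"]):
            return False, "amount/currency mismatch"
        self.seen.add(order)
        if fields["status"] != "paid":
            return False, "status " + fields["status"]
        return True, "ok"


def demo() -> dict:
    """Constructed traffic: one genuine notification and three attacks on it."""
    verifier = NotificationVerifier({"ORD-1001": ("8.45", "EUR")})
    genuine = {"order": "ORD-1001", "amount": "8.45", "currency": "EUR", "status": "paid"}
    body = urlencode({**genuine, "signature": sign(genuine)})
    # On-path attacker rewrites the amount in transit but cannot re-sign.
    tampered = body.replace("amount=8.45", "amount=80.45")
    # Attacker invents a payment for an order the shop never created, with a fake MAC.
    forged = urlencode({**genuine, "order": "ORD-1002", "signature": "00" * 32})
    return {
        "genuine": verifier.verify(body),
        "tampered": verifier.verify(tampered),
        "replay": verifier.verify(body),  # the same genuine body delivered twice
        "forged": verifier.verify(forged),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:9s} accepted={ok} ({why})")
```

Only the genuine first delivery is accepted; the rewritten amount and the fabricated order fail the MAC, and the second delivery of the genuine body is refused as a replay. Note what the MAC does not do: it cannot stop an attacker from dropping the notification entirely, which is the availability risk #8 describes.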


#10

Hi,

here you can check that Let’s Encrypt certificates are supported by Redsys. They added it a few months ago. So the best thing is to contact their support again to fix your problem, because the document that you have is outdated.

I hope it helps.

Cheers


#11

Thank you
Although they sent me a version of that doc, it’s older than the one that you have posted.
It’s really nice on their side that when a client asks a question they reply with an outdated doc.

So that means that the problem is only the SNI, and other people might be able to use Let’s Encrypt, and also that those that are hosting two domains on the same server can’t use an HTTPS notification with Redsys, no matter which CA they choose.


#12

Hi,

Have you tried to switch from SNI to using SAN?
Some of the old apps don’t work well with SNI but are good with SAN.
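
The SNI-versus-SAN point in #11 and #12 can be checked from the outside before changing anything: what certificate does the server hand to a client that sends no server_name extension, which is how an old Java stack without SNI support looks to it, and does that certificate's subjectAltName list cover the notification hostname? The following is an added example, not code from the thread or from Redsys. The hostname matching is implemented locally (exact match, or a single wildcard as the whole leftmost label) rather than via the deprecated ssl.match_hostname; the certificate dicts used in the tests are constructed, and the only network access is in probe(), when run by hand.

```python
"""Probe what a TLS server presents to clients with and without SNI, and check
whether the certificate's SANs cover the hostname.

Added example; not Redsys's code. Hostnames passed on the command line are the
user's; nothing is contacted unless probe() is called.
"""
import json
import socket
import ssl
import sys


def leaf_cert(host: str, port: int = 443, send_sni: bool = True, timeout: float = 5.0) -> dict:
    """Return the peer certificate as a getpeercert() dict.

    With send_sni=False the ClientHello carries no server_name extension, so the
    server answers with its default virtual host's certificate, which is what an
    SNI-less client such as an old Java runtime receives.
    """
    ctx = ssl.create_default_context()
    # Keep chain validation (CERT_REQUIRED, so getpeercert() is populated) but do
    # the hostname check ourselves below, so a mismatching cert is still returned.
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if send_sni else None) as tls:
            return tls.getpeercert()


def san_dns_names(cert: dict) -> list:
    """DNS entries of subjectAltName from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or '*' standing for exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same label count, at least two fixed labels after the wildcard (no "*.com").
    return len(p_labels) == len(h_labels) and len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def san_covers(cert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry of the certificate covers hostname."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def probe(host: str, port: int = 443) -> dict:
    """Compare the certificate served with SNI against the one served without it."""
    result = {}
    for label, sni in (("with_sni", True), ("without_sni", False)):
        try:
            cert = leaf_cert(host, port, send_sni=sni)
            result[label] = {"names": san_dns_names(cert), "covers_host": san_covers(cert, host)}
        except (ssl.SSLError, OSError) as exc:
            # Untrusted chain, handshake failure, or unreachable host.
            result[label] = {"error": str(exc)}
    return result


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: sni_probe.py <notification-hostname>")
    print(json.dumps(probe(sys.argv[1]), indent=2))
```

If "with_sni" covers the host but "without_sni" does not, the server is relying on SNI to pick the virtual host, which is exactly the setup #11 says cannot receive an HTTPS notification. The fix #12 suggests is then visible in the output: issue one certificate whose SANs include every hostname on that IP, make it the default virtual host's certificate, and "without_sni" shows covers_host true as well.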

