# performance
d
Anybody received an official response yet to the test ending that outlines how they were breaking SHA256 integrations as well?
k
Was it not just me then? Some of my things worked but most of the important shit didn't even though they all use the same auth mechanisms
s
There were 2 or 3 other people that mentioned HMAC-SHA256 not working, and that could be a bug in either the client-side signing code, header generation, or a bug on NetSuite's side. For the majority of customers, HMAC-SHA256 was working, though. Not sure how you can actually verify that, until the next test window comes around.
m
Check the login audit trail, add a column for detail. It would be UnknownAlgorithm if you were actually sending SHA1 and SignatureError if there was something wrong with the actual signature
k
I was getting a success then a failure with a NonceUsed.. like it was redirecting me

https://i.imgur.com/hGWyxwF.png

m
The nonce has to be unique for each request. It sounds like your code was reusing the same one so only first request worked
k
The same code has been working for months, I don't think it's possible
While trying to figure it out I saw somebody saying that there was a bug where python requests oauthsession would resend same nonce on redirects
so I figured they set up the SHA1->256 shuffle check by some sort of forwarded request
but it doesn't make sense for such an isolated problem, I dunno
m
Interesting
k
yeah I am not sure, I'm a bit worried that I will have a 3 day outage.. so I will manually roll my oauth code instead of using the framework I did
https://github.com/requests/requests-oauthlib/issues/94 this was the issue but it's been closed for years.. so idk
m
Last comment makes it sound like it was fixed. I have some code I can share in python, I can send when I am on a PC
k
I would appreciate it if you have something, the one here -- https://netsuite.custhelp.com/app/answers/detail/a_id/42171 did not work Python RESTlet Authentication using Token>
m
@Kevin Weitzner this was my first version that calculated the token manually which I wrote while I was still figuring out python and hadn't figured out how to use oauthlib with HMAC256 https://gist.github.com/michoelchaikin/2962e73f6a788d8abc13c45d19b232a8. This is closer to the code I'm actually using which uses OAuth1Session - https://gist.github.com/michoelchaikin/100a569343a013c7181800f5325c5501. I haven't had any issues with nonce though didn't test it during the test window
k
Appreciate it, will test later this week and keep it in my back pocket for July.
t
If it helps, we are doing pretty much the same as Michoel's second link as well (line 25). As far as we know we haven't had any issues reported by customers.
k
Thanks I'll probably try to just change to this method then
d
Out of 1000+ customers, we had 12ish have issues. We were getting just strange issues, even with our native integration that doesn't use SHA. All the issues went away when the test window stopped. Getting "Internal Server Error" returns, but again only on like 1% of our customer base. They keep saying they ended the test early because it caused problems for vendors who didn't upgrade to SHA256. But that WAS THE POINT of the test, it was successfully causing pain, so for it to end prematurely points to other problems their test caused.
```
ICYMI: Test Window for TBA HMAC SHA-1 Signature Method Ends Early
This notification is to inform you that today's test window prohibiting the use of the HMAC SHA-1 signature method for Token-based Authentication (TBA) integration has ended earlier than originally planned.
The TBA HMAC SHA-1 test window will be rescheduled. We will notify you when the new schedule has been determined.
If you have more questions about this test window cancellation, please contact NetSuite Customer Support.
Thank you,
The Oracle NetSuite Team
```
We've been SHA256 since February.
c
We were showing successful logins using SHA256, but 500 errors returning with the following response
```
<HTML><HEAD>
<TITLE>Internal Server Error</TITLE>
</HEAD><BODY>
<H1>Internal Server Error - Read</H1>
The server encountered an internal error or misconfiguration and was unable to
complete your request.<P>
Reference&#32;&#35;3&#46;566019b8&#46;1624378195&#46;b8842c
</BODY></HTML>
```
Never have seen that prior to their test, and went away as soon as they ended it. And not all api calls returned that error, even subsequent calls of the same api call would have mixed responses of success and this error being returned.
k
Yeah the 500 errors were something I was seeing as well. I reviewed the snippet provided earlier, and my code is the same except instead of "signature_method=oauth1.SIGNATURE_HMAC_SHA256" in the call mine just says signature_method="HMAC-SHA256". Hoping they find and fix whatever anomalies happened, but I'll be updating my code and looking out for their rescheduled test.
d
NetSuite support is currently saying that my case is the ONLY case they have where the vendor says they have updated to SHA256 and the customer felt pain during the testing window. Open cases, I don't have enough ammunition to get them to investigate this.
s
This is why things should be tested in non-production first. Even if NS thinks all they are doing is disabling SHA1 support, they could be introducing regressions alongside whatever change they have made. Testing is important, and I highly disagree with having a production test window without first providing the opportunity to fully test this in a sandbox.
d
If anybody does open a case, PM me and we can share case numbers to them. United together
k
FYI -- https://netsuiteprofessionals.com/question/inconsistant-invalid_login_attempt-after-change-hmac-sha1-to-hmac-sha256/ @David A. Lindmeir This was kind of similar to what I was experiencing that day
d
Some of our accounts already have SHA1 disabled. Which proves our product has been updated. Some of your customers probably already have SHA1 disabled too if you updated to SHA256 early enough.
```
Hi David,

If the account is not using HMAC-SHA1 traffic at a certain period before 2021.1 release, this signature will be automatically disabled.

In line with the PFCN we sent, 2021.1 upgrade will no longer allow HMAC-SHA1. However, there were exceptions for the accounts where the Product has detected the usage of HMAC-SHA1 signature two months before 2021.1 upgrade.

Let me know if you have questions.

Regards,
```
We are in the process of doing heavy testing on that account to see if we can reproduce the issues we saw during the test window. I believe NetSuite introduced some sort of bug that caused their system resources to struggle during the testing window that caused their webserver to not be able to serve requests. If that's true, all we can do is have all our customers open support cases when they have problems during the next test window. It isn't ideal, we are doing all the diligence we can at this point. NetSuite Support said that is all that can be done.
k
Interesting, good to know. Thanks