SSL problems with my GoDaddy server

[ibuttons]

PLEASE HELP! EXTREMELY URGENT!!!! CAN'T PROCESS ORDERS!

I made the changes described a few months ago in the post Important announcement about POODLE and payment security, but even with that, my website broke today - no one can checkout . When using either PayPal Pro or PayPal Express, my customers now get a message that mentions:

(35) SSL connect error

I called PayPal just now and they told me that as of today, they no longer ANY accept SSLv3 at all. There was one SSL version left that they did accept until today, but that has now been turned off. They said they have been getting calls in from ZenCart users, so it is not just me. Looks like even though I commented out the code as per the post Important announcement about POODLE and payment security and therefore thought I was allowing auto-negotiation, I must still have been using a version of SSL. PayPal told me that from now on, we have to use TLS, not SSL.

So can someone please tell us how (and where) to either:

1) Hardcode TLS as the communication protocol using CURL_SSLVERSION_TLSv1_0 or
2) Set the CURL_SSLVERSION_DEFAULT

My ZC store is 1.5.1, PHP Version 5.3, Operating System LINUX, my host is GoDaddy.

...if you have a specific reason for not trusting auto-negotiate (ie: you can't properly secure your server) then you can hard-code CURL_SSLVERSION_TLSv1_0 if your PHP version supports it. But if your PHP version is old then your PHP won't know what that means, and that'll stuff it back into autonegotiate mode or something worse like throwing errors that cause payments to totally fail.

[Ajeh]

In the News & Annoucements forum is the information sent out in October about this problem:
http://www.zen-cart.com/showthread.p...yment-security

You should also signup for the News & Announcements forum for other updates that could affect you:
http://www.zen-cart.com/forumdisplay...-Announcements

[ibuttons]

Linda,

Thanks.

I was aware of that posting and I did follow the instructions to make the changes mentioned several months ago. These changes did not prevent the problem I am having now.

Could someone please take a look at what I described is going on and get back to me?

tia

In the News & Annoucements forum is the information sent out in October about this problem:
http://www.zen-cart.com/showthread.p...yment-security

You should also signup for the News & Announcements forum for other updates that could affect you:
http://www.zen-cart.com/forumdisplay...-Announcements

[lhungil]

Is your "paypal" module configured in "production / live" mode or "sandbox / test"?

Do you have any debug logs? PayPal error logs / emails?

Be aware if if your hosting provider has an old version of curl installed on their server, it may not support TLS 1.0+. Please provide (place inside [code][/code] - code tags) the output of phpinfo (can also be found in the Zen Cart "admin" -> "version").

It may also be a good idea to run "curl_tester" from Zen Cart (preferably 1.5.4) extras folder. The output / log from "curl_tester" may provide some insight.

[DrByte]

PLEASE HELP! EXTREMELY URGENT!!!! CAN'T PROCESS ORDERS!

I made the changes described a few months ago in the post Important announcement about POODLE and payment security,

Apparently whatever you did wasn't correct, or didn't get uploaded to your server correctly, or someone with access to your server put the old file back.

Use your FTP program and navigate to your server's /includes/modules/payment/paypal/paypal_curl.php file, and copy it to your PC, and post it here.
I imagine in the first 40 lines we'll see that it's still making SSL3 calls, which completely explains the symptoms you posted about today.

[ibuttons]

Thank you so much for the reply, lhungil. I am at wit's end, as you might guess.

Here are my responses to your suggestions:

1. Is your "paypal" module configured in "production / live" mode or "sandbox / test"?
PayPal Payments Pro (USA): Live
PayPal Express Checkout: Live

2) Do you have any debug logs?
If you mean files in the /log folder, no, there no new myDEBUG files there. The most recent one was on 12/26/2014 and has nothing to do with payments. Also, many orders have been successfully processed since then as the problem just started today. Also, PayPal tech support told me on the phone earlier today was the day that they disabled the last SSL version which is the only change I am aware of in the last few months other than unrelated day-to-day things like the titles of products, their attributes and prices.

3) PayPal error logs / emails?
Yes, I have email messages. Each time a customer tries to submit their order it fails and shows the message "(35) SSL connect error" on the screen, and at the same time, an email is sent to the store owner. Here is a typical excerpt from this email:

(35) SSL connect error
Zen Cart message: [] - (35) SSL connect error
Problem occurred while customer 4130 Sean was attempting checkout with
PayPal Website Payments Pro.
Transaction Response Details: Array ...

4) TLS 1.0+?
My hosting provider is GoDaddy and they told me that my server supports TLS 1.0+.

5) phpinfo
Here is some of the output of phpinfo (found in the Zen Cart "admin" -> "version"). Is this enough for now?

Code:

Server Information
Server Host: p3nlhg1435.shr.prod.phx3.secureserver.net (50.63.194.163)       
Database Host: KELzc151.db.10680094.hostedresource.com (50.63.238.188)
Server OS: Linux 2.6.32-531.1.2.lve1.2.54.el6.nfsfixes.x86_64    	
Database: MySQL 5.0.96-log
Server Date: 01/12/2015-Mon at 22:16:16   	
Database Date: 01/12/2015-Mon at 22:16:16
Server Up Time: 22:16:16 up 5 days, 20:21, 0 users, load average: 6.93, 6.33, 6.22 	
HTTP Server: Apache
PHP Version: 5.3.24 (Zend: 2.3.0)   
PHP Memory Limit: 64M 	PHP 
Safe Mode: Off
PHP File Uploads: On    
Max Size: 32M 	
POST Max Size: 33M
Database Data Size: 68,137 kB 	
Database Index Size: 5,298 kB
Zen Cart
Zen Cart 1.5.1
Database Patch Level: 1.5.1
v1.5.1   [2013-02-03 04:45:28]   (Version Update 1.5.0->1.5.1)
v1.5.0   [2013-02-03 04:45:28]   (Version Update 1.3.9->1.5.0)
v1.3.9b   [2010-05-29 17:26:32]   (Fresh Installation)

6) curl_tester
Can you send me a link to an article or tell me how to run "curl_tester" from Zen Cart that you mentioned?

[lhungil]

First I would recommend posting the file(s) requested by Dr Byte. This will help ensure we are all on the same page.

Those appears to be older (beyond EOL) versions of PHP and MySQL. I also typically recommend a higher Memory Limit. Not the issue at hand, but would recommend having those updated in the near future...

What version of cURL is reported by phpinfo? Other information from phpinfo (useful for anyone attempting to duplicate the issue)?

First upload the additional files found in the official Zen Cart distribution (on this site) in the "extras" folder to your webserver. Then visit "www.your_site.com/extras/curltester.php". This will run some communication tests using your hosting provider's server environment. More information and details on curltester.php can be found via a search.

[DrByte]

For a TEMPORARY quick-fix, go to the zen-cart.com home page, click on the Download Zen Cart link. That will currently give you ZC v1.5.4

Copy the /includes/modules/payment/paypal/paypal_curl.php file to your server, replacing yours. I just did a test transaction on a (test) v1.5.1 site and it appears to work fine.

Then work on preparing a full upgrade to your site.

[ibuttons]

First of all, thank you lhungil and DrByte and for replying to my post. Without your responses, the world would seem a much colder, lonelier place.

Next, I have fixed the problem and have been successfully processing orders for a few days now. Now that the dust has settled and I am sure of what happened, I want to share it with the rest of the world in case someone else runs into this.

The problem was that my site was being hosted on a server at GoDaddy that did not support anything BUT SSL. So even though I put in all the changes recommended by Dr Byte back in the fall, all it did was allow ZC to negotiate with PayPal to select the best AVAILABLE protocol.

So, as long as PayPal supported at least one version of SSL, all was fine. But on Jan 12, PayPal disabled support for the last SSL version. Hence my site broke. No helpful error messages from ZC on what was causing the problem. No tech support from GoDaddy whatsoever. PayPal tech support was concerned but only slightly helpful. I read and re-read Dr Byte's description of what the fix did (thank you for that - it saved my ########), and then I made a wild ###### guess that maybe there was no TLS on my server. Luckily, that turned out to be right.

The only solution was to move my site as quickly as possible to a new server that supported TLS. Very painful, especially under pressure and with my site mostly down--well, at least all the SSL pages which turned out to be key. So, first, I turned off SSL on my storefront and removed the PayPal payment modules and left only the one for "Pay by Check or By Phone". Then I added a Checkout note to my customers about POODLE and asked them to call in their payments. Kinda hokey, but amazingly, people actually did that!

But then, I was left with the problem of how to submit the orders to shipping without the admin screens or the email confirmations (which weren't being sent either). I managed to figure out the details by looking at about 4 DB tables for each order. Whew! That gave me a whole new appreciation for the work that ZC does! It took quite a while to process each order, and it was error-prone, but it was doable.

In between orders, I started migrating to a new server, but it did not go smoothly. The new server had an unfamiliar CPANEL interface and a new version of PHP and several other important differences which I discovered one by one. The worst problem was getting an SSL certificate to work. This took about 3 days. GoDaddy tech support claimed it was set up correctly on their end, but it was not. Once GoDaddy saw I was using ZC, they basically they told me to go pound salt, since ZC is a 3rd party software app which they don't support and therefore it must be the problem.

In the end, there was a setting that I needed in the CPANEL which had been overlooked. GoDaddy tech support should have spotted it, but they were so busy pointing fingers at ZC that they did not bother to even check. I finally convinced them to take a look at the settings by putting a stupid jpg image one level up above my ZC code. When displayed with http://___.jpg all was fine, but with https://___.jpg it was broken. Since no ZC code was anywhere nearby, they finally were convinced that their SSL certificate was not set up right and then fixed the problem in about 2 minutes. So basically my site was down for 3 days due to bad GoDaddy tech support.

Once my site was up and running with TLS on the new server, I then had to change the way I send email (I now use SMTPAUTH instead of sendmail) and reinstall one of my PayPal payment modules. And Order Time is not being displayed correctly in the admin section -- it thinks we are on GMT. I tried to put in some extra configuration files which I found on the forum, but they broke my site, so I am living with it for now. Any suggestions on something that will work for 1.5.1 would be appreciated.

And lastly (this is not yet fixed) I am getting PayPal Instant Payment Notification Warnings occasionally like this:

Code:

Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:
http://keylessentrylocks.com/ipn_main_handler.php
https://keylessentrylocks.com/ipn_main_handler.php

This seems to have the effect of occasionally not updating the order status on my site after checkout. I'll call PayPal Tech Support about this one, but if it is familiar to anyone out there. please let me know.

Oh, one more thing is still wrong on the new site. I get an error message after I sign up a new customer. It only happens intermittently and their account is still created and their order goes through fine, so it is not a critical problem at the moment. But I would still like it fixed. If you have any ideas about that, plz let me know. Since these last 2 items are intermittent, I am thinking it might be related to a server resource instead of a code issue.

Hope that made sense.

Thanks again, guys!

[DrByte]

So basically my site was down for 3 days due to bad GoDaddy tech support.

Don't be afraid to demand compensation from them.

Order Time is not being displayed correctly in the admin section -- it thinks we are on GMT. I tried to put in some extra configuration files which I found on the forum, but they broke my site, so I am living with it for now. Any suggestions on something that will work for 1.5.1 would be appreciated.

I suggest installing these files, from the v1.5.4 zip:
/includes/extra_configures/set_time_zone.php -- and set the TZ in the top half of that file to your desired timezone
/admin/includes/extra_configures/use_catalog_time_zone.php -- no edits required to this file, since all it does is tell the admin to use the storefront file ;)
Doing that shouldn't cause any errors, but if it does, post the errors from the logs it creates ( to see the logs, read: http://www.zen-cart.com/content.php?124 )

And lastly (this is not yet fixed) I am getting PayPal Instant Payment Notification Warnings occasionally like this:

Code:

Please check your server that handles PayPal Instant Payment Notifications (IPN). IPNs sent to the following URL(s) are failing:
http://keylessentrylocks.com/ipn_main_handler.php
https://keylessentrylocks.com/ipn_main_handler.php

This seems to have the effect of occasionally not updating the order status on my site after checkout.

Yes, that's the side-effect it will have, and if you don't fix it Paypal will eventually turn off notifying your store of changes.
Are there any debug logs related to the ipn handler? On v1.5.1 you'll want to look in both the /cache/ folder and the /includes/modules/payment/paypal/logs folder. You might need to turn debug logging on for it to record them. When it's processing IPNs it logs every step it takes to talk back to PayPal for acknowledgement, in order to evaluate failures.

I get an error message after I sign up a new customer. It only happens intermittently

Can't offer help if we don't know what the error message is ;)