Due to the recent POODLE vulnerability discovery, payment processors (such as PayPal and Authorize.net etc) have begun disallowing the use of (the industry standard version of) SSL v3, which has triggered problems during checkout:
Symptom:
You may receive an error during checkout, like:
- An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance.
- (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number"
- (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
- (35) error:14094410:SSL routines:func(148):reason(1040)
- (35) SSL connect error
- 35 Connect error
VERSIONS AFFECTED:
- v1.3.8a - only the linkpoint_api module (but if you're using v1.3.8/v1.3.8a or older then you REALLY need to upgrade for additional security reasons)
- v1.3.9 - all the files listed below
- v1.5.0-v1.5.3 - all the files listed below
Simplest solution:
ZEN CART v1.5.4 ALREADY CONTAINS THESE FIXES!
YOU SHOULD UPGRADE NOW!
Background:
In years past, it was important to tell PHP to bypass its default of using SSLv2 for communications, and so we specified SSLv3 instead. But SSLv3 has been superceded by TLS 1.0 and 1.1 and 1.2 since then, and modern versions of PHP 5 and libcurl can actually auto-negotiate the best level to use as long as no SSL version is specified. (described a little bit further here)
So with the recent discovery of a vulnerability in SSL v3, it is better to change your Zen Cart code to auto-negotiate, by NOT specifying any SSL version.
Fix:
To change your Zen Cart site to use auto-negotiation of SSL version instead, do the following:
Search all PHP files for "CURLOPT_SSLVERSION", and you will find it typically appears like this (a list of known files is included below):
Code:
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
Simply comment-out the line, like this:
Code:
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
(NOTE: In the case of paypal_curl.php, the code looks like the following, which is similar but written differently for other reasons. Just add the // to the beginning of the line, as shown here:)
Code:
// CURLOPT_SSLVERSION => 3,
Affected files:
/includes/modules/payment/paypal/paypal_curl.php around line 58
/includes/modules/payment/authorizenet_aim.php around line 600
/includes/modules/payment/authorizenet_echeck.php around line 589
/includes/modules/payment/paypaldp.php around line 2342 (not necessary in all versions, but if it's present, comment it out)
/includes/modules/payment/linkpoint_api/class.linkpoint_api.php around line 309
(Line numbers may differ depending on what Zen Cart version you're using)
You may have additional files affected ... ie: other payment modules you've added which may be using CURL to connect using SSL v3, in which case similar edits can be made.
Shipping modules
If you have shipping modules (like USPS or UPSXML or FEDEX, etc) or other code that connects over SSL, commenting-out the CURLOPT_SSLVERSION setting should suffice. If doing that results errors or connection problems, contact the maintainer of the module for further assistance.
Technical explanation:
Commenting-out the CURLOPT_SSLVERSION line will cause PHP to negotiate the best possible SSL/TLS version supported by the destination server.
There are some sites out there advocating setting the value to 1, but our initial testing suggests that simply forces the same auto-negotiation since 1 is an invalid option.
Other sites are suggesting setting it to 4 or 6 (or use equivalent PHP constants CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_2, but those PHP constants are not available in all versions of PHP). While these are possible, they are potentially more restrictive than necessary given what we know at this time. Even the PHP documentation recommends autonegotiation instead of specifying an SSL/TLS version
As of Oct 20, PayPal has agreed that while their own docs advocate setting the value to 4, commenting it out (ie: NOT specifying any CURLOPT_SSLVERSION) is perfectly acceptable at this time.
The same solution has been tested with Authorize.net, and works fine.
Bookmarks