  1. #1
    Join Date
    Jan 2004
    Posts
    66,407
    Blog Entries
    7
    Plugin Contributions
    81

    Important announcement about POODLE and payment security

    Due to the recent POODLE vulnerability discovery, payment processors (such as PayPal and Authorize.net etc) have begun disallowing the use of (the industry standard version of) SSL v3, which has triggered problems during checkout:

    Symptom:
    You may receive an error during checkout, like:
    - An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance.
    - (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
    - (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
    - (35) error:14094410:SSL routines:func(148):reason(1040)
    - (35) SSL connect error
    - 35 Connect error

    VERSIONS AFFECTED:
    - v1.3.8a - only the linkpoint_api module (but if you're using v1.3.8/v1.3.8a or older then you REALLY need to upgrade for additional security reasons)
    - v1.3.9 - all the files listed below
    - v1.5.0-v1.5.3 - all the files listed below


    Simplest solution:
    ZEN CART v1.5.4 ALREADY CONTAINS THESE FIXES!
    YOU SHOULD UPGRADE NOW!





    Background:
    In years past, it was important to tell PHP to bypass its default of using SSLv2 for communications, and so we specified SSLv3 instead. But SSLv3 has been superseded by TLS 1.0 and 1.1 and 1.2 since then, and modern versions of PHP 5 and libcurl can actually auto-negotiate the best level to use as long as no SSL version is specified. (described a little bit further here)
    So with the recent discovery of a vulnerability in SSL v3, it is better to change your Zen Cart code to auto-negotiate, by NOT specifying any SSL version.

    Fix:
    To change your Zen Cart site to use auto-negotiation of SSL version instead, do the following:

    Search all PHP files for "CURLOPT_SSLVERSION", and you will find it typically appears like this (a list of known files is included below):
    Code:
      curl_setopt($ch, CURLOPT_SSLVERSION, 3);
    Simply comment-out the line, like this:
    Code:
      //  curl_setopt($ch, CURLOPT_SSLVERSION, 3);
    (NOTE: In the case of paypal_curl.php, the code looks like the following, which is similar but written differently for other reasons. Just add the // to the beginning of the line, as shown here:)
    Code:
     //     CURLOPT_SSLVERSION => 3,

    Affected files:
    /includes/modules/payment/paypal/paypal_curl.php around line 58
    /includes/modules/payment/authorizenet_aim.php around line 600
    /includes/modules/payment/authorizenet_echeck.php around line 589
    /includes/modules/payment/paypaldp.php around line 2342 (not necessary in all versions, but if it's present, comment it out)
    /includes/modules/payment/linkpoint_api/class.linkpoint_api.php around line 309

    (Line numbers may differ depending on what Zen Cart version you're using)

    You may have additional files affected ... ie: other payment modules you've added which may be using CURL to connect using SSL v3, in which case similar edits can be made.


    Shipping modules
    If you have shipping modules (like USPS or UPSXML or FEDEX, etc) or other code that connects over SSL, commenting-out the CURLOPT_SSLVERSION setting should suffice. If doing that results in errors or connection problems, contact the maintainer of the module for further assistance.



    Technical explanation:
    Commenting-out the CURLOPT_SSLVERSION line will cause PHP to negotiate the best possible SSL/TLS version supported by the destination server.
    There are some sites out there advocating setting the value to 1, but our initial testing suggests that simply forces the same auto-negotiation since 1 is an invalid option.
    Other sites are suggesting setting it to 4 or 6 (or use equivalent PHP constants CURL_SSLVERSION_TLSv1_0 or CURL_SSLVERSION_TLSv1_2, but those PHP constants are not available in all versions of PHP). While these are possible, they are potentially more restrictive than necessary given what we know at this time. Even the PHP documentation recommends autonegotiation instead of specifying an SSL/TLS version.
    As of Oct 20, PayPal has agreed that while their own docs advocate setting the value to 4, commenting it out (ie: NOT specifying any CURLOPT_SSLVERSION) is perfectly acceptable at this time.
    The same solution has been tested with Authorize.net, and works fine.
    Last edited by DrByte; 20 Oct 2014 at 05:54 PM. Reason: revised earlier to update advice regarding commenting-out instead of using a specified version

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.
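
One way to carry out the search step from post #1 across a whole store, including add-on payment and shipping modules. This is an added example, not part of the original posts and not Zen Cart code; the function names and the sample files it builds are constructed for illustration. It reports every `.php` line that still pins CURLOPT_SSLVERSION in either of the two forms shown in the post, and skips lines that begin with a comment marker.

```python
import os
import re
import tempfile

# Matches both forms shown in post #1:
#   curl_setopt($ch, CURLOPT_SSLVERSION, 3);
#   CURLOPT_SSLVERSION => 3,
PIN = re.compile(r"CURLOPT_SSLVERSION\s*(?:,|=>)\s*([A-Za-z_0-9]+)")
# Lines that start with a comment marker count as already fixed.
# A pin buried inside a /* ... */ block without a leading "*" is still reported.
COMMENT = re.compile(r"^\s*(//|#|\*|/\*)")

def find_pinned(root):
    """Return sorted (relative path, line number, pinned value) for active pins."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if COMMENT.match(line):
                        continue  # commented out, as the post advises
                    m = PIN.search(line)
                    if m:
                        hits.append((os.path.relpath(path, root), lineno, m.group(1)))
    return sorted(hits)

def demo():
    """Build a constructed sample tree (not real Zen Cart files) and scan it."""
    samples = {
        "aim.php": "<?php\n  curl_setopt($ch, CURLOPT_SSLVERSION, 3);\n",
        "fixed.php": "<?php\n  //  curl_setopt($ch, CURLOPT_SSLVERSION, 3);\n",
        "pp/curl.php": "<?php\n$o = array(\n  CURLOPT_TIMEOUT => 45,\n  CURLOPT_SSLVERSION => 3,\n);\n",
        "notes.txt": "curl_setopt($ch, CURLOPT_SSLVERSION, 3);\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_pinned(root)

if __name__ == "__main__":
    for path, lineno, value in demo():
        print(f"{path}:{lineno}: CURLOPT_SSLVERSION pinned to {value}")
```

To audit a real installation, call `find_pinned()` with the store's root directory; an empty result means no active pin remains in any `.php` file under it.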

  2. #2

    Re: Important announcement about POODLE and payment security

    Update: PayPal will soon be returning to completely disallowing SSLv3 on their production servers.

  3. #3

    Re: Important announcement about POODLE and payment security

    FYI - Authorize.net has announced their plans to disable connections via SSLv3 as of November 4, 2014

    So, if you haven't already made the modifications described earlier in this thread, now is the time to do so.
    The solution posted above will allow Authorize.net to work correctly again.

  4. #4

    Re: Important announcement about POODLE and payment security

    Update: PayPal has officially announced that they will discontinue support for SSL 3.0 on Wednesday, December 3, 2014
    Update: PayPal changed the date again: It will now be January 12, 2015.

    To ensure your site remains operational, simply make the changes to files as described in post #1 of this discussion thread.

  5. #5

    Zen Cart v1.5.4 Contains all the POODLE fixes

    NOTE: Zen Cart v1.5.4 already contains all the POODLE fixes for SSLv3 in all the built-in core payment/shipping modules.

    If you haven't upgraded, now is a good time.
