Jump to content

PayPal SSL 3 issues?


Guest

Recommended Posts

 

Immediate action required.

 

 

On 14 October 2014, details were released about a vulnerability to version 3 of Secure Sockets Layer (SSL 3.0). Since that time, PayPal has been hard at work to mitigate any potential impact to our consumers and merchant customers.

To help mitigate risk associated with this vulnerability, PayPal will discontinue support for SSL 3.0 on 3 December 2104 at 8:01 a.m. Greenwich Mean Time. Unfortunately, this necessary step may cause compatibility problems resulting in the inability for customers to pay with PayPal on your site or other processing issues.

We wouldn’t have been able to extend our support of SSL 3.0 to 3 December 2014, at 8:01 a.m. GMT if we hadn’t also been able to take significant steps to migrate the risk of this vulnerability for our customers. We want to assure our customers we have seen no evidence that the SSL 3.0 issue has led to any compromise of security at PayPal.

Keeping our customers’ accounts, data and money secure is PayPal’s top priority and a guiding principle when we make challenging decisions, like this one.

We’re here to help our merchants through this process. We’ve put together a comprehensive Merchant Response Guide to ensure systems are secure from this vulnerability.

What do I need to do?

If you don’t manage website integrations for your business, we strongly encourage you to work with your website service partner (developer, hosting company or e-commerce platform, etc.) and share the Merchant Response Guide, which provides the basic guidelines on how to update to Transport Layer Security (TLS). If your website service has questions or need support, advise them to contact our Merchant Technical Support.

Thank you for your prompt attention to move this issue and understanding of our approach. Though we recognise this necessary step may cause compatibility issues, we can’t stress enough that this short-term inconvenience is heavily outweighed by our joint promise to our respective customers that we will keep their accounts and financial details safe. We plan to keep our customers up to date on how we are addressing this issue via the appropriate channels, including PayPal Forward, our Twitter handle, Customer Service and for merchants, through our Merchant Services team. We appreciate your patience and understanding as we work around the clock to better serve you and keep you and our consumers safe.

 

Just received the above message from PayPal

 

Can anyone tell me if there is anything we as merchants using Prestashop and the latest PayPal module if there is anything we need to do?

 
Link to comment
Share on other sites

My client has received this email, i believe Prestahop team will reply asap.

I believe PS will reply on Dec 5th when things stop working and enough people complain. 

 

Only moderators are reading these, so hope one of them will be able to get the correct attention

  • Like 1
Link to comment
Share on other sites

Hi all,

 

Since the SSL v3 issue (also known as POODLE) was identified on October 14, PayPal has been hard at work to mitigate any potential impact to our customers and has thus decided to completely disable SSL 3.0 support on December 3, 2104 at 12:01 a.m. Pacific Standard Time.

 

 

POODLE is an internet security vulnerability that impacts the Secure Sockets Layer (SSL) 3.0 protocol, which was designed to ensure secure connections when surfing on the Internet.

 

As a consequence all PayPal merchant customers using PrestaShop will need to update their PayPal integration by upgrading their PayPal module on PrestaShop before December 3rd, 2014 in order to disable SSL 3.0 for their client interactions.

 

This update will be available on Tuesday November 18th, 2014 on Addons (version 3.8.0 to come). Please make sure to upgrade your module on the latest version once available.

 

Thank you for your prompt attention to this issue and understanding of our approach.

Link to comment
Share on other sites

The PrestaShop Paypal module we have solved, as long as the _connectByCURLfunction of the CURL parameters of CURLOPT_SSLVERSION update Paypalpaypal_connect.php file for the CURL_SSLVERSION_TLSv1 can be upgraded, but the premise is the server must support CURL.


I hope you can help.


Link to comment
Share on other sites

 

The PrestaShop Paypal module we have solved, as long as the _connectByCURLfunction of the CURL parameters of CURLOPT_SSLVERSION update Paypalpaypal_connect.php file for the CURL_SSLVERSION_TLSv1 can be upgraded, but the premise is the server must support CURL.

I hope you can help.

 

 

Hi alls,

we use an old version of Prestashop 1.4.4.1 with Paypal Module 2.8.4.

In this case the CURLOPT_SSLVERSION don't exit, do ou think the module will be ok? Or we need to change the source?

Adding CURL_SSLVERSION_TLSv1 line wil be transfer data with TLS or it will be necessary to ugrade CULR version?

 

Many thanks

Link to comment
Share on other sites

Hi alls,

we use an old version of Prestashop 1.4.4.1 with Paypal Module 2.8.4.

In this case the CURLOPT_SSLVERSION don't exit, do ou think the module will be ok? Or we need to change the source?

Adding CURL_SSLVERSION_TLSv1 line wil be transfer data with TLS or it will be necessary to ugrade CULR version?

 

Many thanks

you need to change it through the code, inside the module of Paypal, you need to edit the file paypalconnect.php wixh is inside the folder api of paypal module, editing the file or changing the file for the new one.

Link to comment
Share on other sites

you need to change it through the code, inside the module of Paypal, you need to edit the file paypalconnect.php wixh is inside the folder api of paypal module, editing the file or changing the file for the new one.

I've just checked out the paypal module for 1.4 in 1 customer that I got, you'll need to change it throught code because replacing will not work, the code is different, better change it by code because I've tried to update it as Paypal recommends, uploading the new module, and in my case it did'nt work, instead it messed up all the paypal configuration page, so I had to upload back the old version.

Link to comment
Share on other sites

Somewhere I understood reading here http://www.prestashop.com/forums/topic/380185-paypal-modification-ssl-v3-to-tls/ we should have theese kind of situation depending on the version of paypal module:
 
- paypal version <= 2.8.6
   - if server use CURL or FSOCK: no need to change anyting
 
- 2.8.7 <= paypal version < 3.0.9
   - if server use CURL: change in file modules/paypal/api/paypalconnect.php in function _connectByCURL($url, $body) the line @curl_setopt($ch, CURLOPT_SSLVERSION, 3); with this one @curl_setopt($ch, CURLOPT_SSLVERSION, defined(CURL_SSLVERSION_TLSv1) ? CURL_SSLVERSION_TLSv1 : 1);

- 3.0.9 <= paypal version <= 3.7.X
   - if server use CURL: change in file modules/paypal/api/paypal_connect.php in function _connectByCURL($url, $body) the line @curl_setopt($ch, CURLOPT_SSLVERSION, 3); with this one @curl_setopt($ch, CURLOPT_SSLVERSION, defined(CURL_SSLVERSION_TLSv1) ? CURL_SSLVERSION_TLSv1 : 1);

  

Edited by Sentenza (see edit history)
  • Like 1
Link to comment
Share on other sites

Hi all,

 

Since the SSL v3 issue (also known as POODLE) was identified on October 14, PayPal has been hard at work to mitigate any potential impact to our customers and has thus decided to completely disable SSL 3.0 support on December 3, 2104 at 12:01 a.m. Pacific Standard Time.

 

 

POODLE is an internet security vulnerability that impacts the Secure Sockets Layer (SSL) 3.0 protocol, which was designed to ensure secure connections when surfing on the Internet.

 

As a consequence all PayPal merchant customers using PrestaShop will need to update their PayPal integration by upgrading their PayPal module on PrestaShop before December 3rd, 2014 in order to disable SSL 3.0 for their client interactions.

 

This update will be available on Tuesday November 18th, 2014 on Addons (version 3.8.0 to come). Please make sure to upgrade your module on the latest version once available.

 

Thank you for your prompt attention to this issue and understanding of our approach.

 

My question is : We only need to upgrade/replace Paypal module or we also need to update server configuration ?

Link to comment
Share on other sites

Hi all, 

 

I've just downloaded the new version of the PayPal module from this link http://addons.prestashop.com/fr/modules-paiement-prestashop/1748-paypal.html (French Addons site) which calls it the PayPal Europe - Offical module. and then uploaded the zip file to my prestashop sites, using the install new module method, (purely because the Update It link did not show).

 

All is good and payments work with my UK websites.

 

It would be nice if the developer updated their description to show it's for the UK as well.

 

Now... who wants to tell the Addons site owners that Addons is missing a bunch of filters and the search function doesn't work?

  • Like 1
Link to comment
Share on other sites

Somewhere I understood reading here http://www.prestashop.com/forums/topic/380185-paypal-modification-ssl-v3-to-tls/ we should have theese kind of situation depending on the version of paypal module:

 

[...]

Thanks so much for this, Sentenza - implemented and tested, seems to work just as well as it did before. Hopefully it continues working come 3rd December, or I'll be in Dubai having too much of a good time to notice. =D

Link to comment
Share on other sites

Nick Lappage says "I've just downloaded the new version of the PayPal module from this link http://addons.presta...748-paypal.html (French Addons site) which calls it the PayPal Europe"

 

I am using Prestashop 1.4.11.0  and PayPal module 3.5.4.   Are you saying that updating to the new module mentioned deals with the issues around PayPal's discontinuation of support for SSL 3.0  ?

 

Your advice will be much appreciated.

 

 

Link to comment
Share on other sites

Hi Guys, 

I am still getting errors after update (not permanent, usually works for few hours, but then still throws error), from time when SSL changed to TLS:

PayPal response:
-> 
Making new connection to 'api-3t.paypal.com/nvp'
Connect with CURL method successful
Sending this params:
METHOD=SetExpressCheckout&VERSION=106&PWD=*********&USER=my.mail_api1.gmail.com&SIGNATURE=*********&CANCELURL=http%3A%2F%2Fmb-themes.com%2Fhome%2F14-osclass-anti-spam-plugin.html%3Fpaypal_ec_canceled%3D1%26&RETURNURL=http%3A%2F%2Fmb-themes.com%2Fmodules%2Fpaypal%2Fexpress_checkout%2Fpayment.php&NOSHIPPING=0&BUTTONSOURCE=PRESTASHOP_EC&L_PAYMENTREQUEST_0_NUMBER0=14&L_PAYMENTREQUEST_0_NAME0=Spam+Solution+Plugin&L_PAYMENTREQUEST_0_DESC0=Are+you+bother+from+spam%C2%A0on+your+classifieds%3FLet+S...&L_PAYMENTREQUEST_0_AMT0=27.5&L_PAYMENTREQUEST_0_QTY0=1&PAYMENTREQUEST_0_PAYMENTACTION=Sale&PAYMENTREQUEST_0_CURRENCYCODE=EUR&PAYMENTREQUEST_0_SHIPPINGAMT=0.00&PAYMENTREQUEST_0_ITEMAMT=27.5&PAYMENTREQUEST_0_AMT=27.50&SOLUTIONTYPE=Sole&LANDINGPAGE=Login&USER=my.mail_api1.gmail.com&PWD=*********&SIGNATURE=*********
Send with CURL method failed ! Error: Couldn't resolve host 'api-3t.paypal.com'
Connect failed with fsockopen method

Has anyone idea what could be problem?

tested 1.6.0.9 prestasthop and PayPal Europe v3.8.1

 

//Edit: Problem was solved by my hosting company, there was issue with DNS and cache.

Edited by frosticek (see edit history)
Link to comment
Share on other sites

I am using prestashop version 1.3.1.1 with paypal module 1.6 and paypalAPI 1.0. Can someone please help me since paypal 3.8 is not compatible with version 1.3.1.1? I can't upgrade my site right now as the christmas shopping is here and I don't want to have any downtime. Can the codes be changed somewhere, may be in a paypal file?

Link to comment
Share on other sites

I am using prestashop version 1.3.1.1 with paypal module 1.6 and paypalAPI 1.0. Can someone please help me since paypal 3.8 is not compatible with version 1.3.1.1? I can't upgrade my site right now as the christmas shopping is here and I don't want to have any downtime. Can the codes be changed somewhere, may be in a paypal file?

See here: http://nemops.com/prestashop-paypal-modules-will-stop-working/#.VHhITjGjOr0

Locate that string mentioning ssl. If you don't have it, you should not be affected

Link to comment
Share on other sites

Hi all, 

 

I've just downloaded the new version of the PayPal module from this link http://addons.prestashop.com/fr/modules-paiement-prestashop/1748-paypal.html (French Addons site) which calls it the PayPal Europe - Offical module. and then uploaded the zip file to my prestashop sites, using the install new module method, (purely because the Update It link did not show).

 

All is good and payments work with my UK websites.

 

It would be nice if the developer updated their description to show it's for the UK as well.

 

Now... who wants to tell the Addons site owners that Addons is missing a bunch of filters and the search function doesn't work?

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...