PayPal SSL 3 issues?

[Guest]

 

Immediate action required.

 

 

On 14 October 2014, details were released about a vulnerability to version 3 of Secure Sockets Layer (SSL 3.0). Since that time, PayPal has been hard at work to mitigate any potential impact to our consumers and merchant customers.

To help mitigate risk associated with this vulnerability, PayPal will discontinue support for SSL 3.0 on 3 December 2104 at 8:01 a.m. Greenwich Mean Time. Unfortunately, this necessary step may cause compatibility problems resulting in the inability for customers to pay with PayPal on your site or other processing issues.

We wouldn’t have been able to extend our support of SSL 3.0 to 3 December 2014, at 8:01 a.m. GMT if we hadn’t also been able to take significant steps to migrate the risk of this vulnerability for our customers. We want to assure our customers we have seen no evidence that the SSL 3.0 issue has led to any compromise of security at PayPal.

Keeping our customers’ accounts, data and money secure is PayPal’s top priority and a guiding principle when we make challenging decisions, like this one.

We’re here to help our merchants through this process. We’ve put together a comprehensive Merchant Response Guide to ensure systems are secure from this vulnerability.

What do I need to do?

If you don’t manage website integrations for your business, we strongly encourage you to work with your website service partner (developer, hosting company or e-commerce platform, etc.) and share the Merchant Response Guide, which provides the basic guidelines on how to update to Transport Layer Security (TLS). If your website service has questions or need support, advise them to contact our Merchant Technical Support.

Thank you for your prompt attention to move this issue and understanding of our approach. Though we recognise this necessary step may cause compatibility issues, we can’t stress enough that this short-term inconvenience is heavily outweighed by our joint promise to our respective customers that we will keep their accounts and financial details safe. We plan to keep our customers up to date on how we are addressing this issue via the appropriate channels, including PayPal Forward, our Twitter handle, Customer Service and for merchants, through our Merchant Services team. We appreciate your patience and understanding as we work around the clock to better serve you and keep you and our consumers safe.

 

Just received the above message from PayPal

 

Can anyone tell me if there is anything we as merchants using Prestashop and the latest PayPal module if there is anything we need to do?

 

[Jimbola]

Just got this as well.

Edited November 11, 2014 by Jimbola (see edit history)

[Tim fewStones]

Subscribing.

[wang yi li]

Whether the PayPal module that PrestaShop needs to be updated, I look at the source code inside or by SSLv3

PayPal in December 4th to stop the SSLv3 server, has an effect on PrestaShop?

Trouble administrator reply as soon as possible under the

[kashifkhan112]

My client has received this email, i believe Prestahop team will reply asap.

[bellini13]

My client has received this email, i believe Prestahop team will reply asap.

I believe PS will reply on Dec 5th when things stop working and enough people complain. 

 

Only moderators are reading these, so hope one of them will be able to get the correct attention

[Guest]

Added to Forge, will see what happens

 

http://forge.prestashop.com/browse/PNM-2995

[202ecommerce]

Hi all,

 

Since the SSL v3 issue (also known as POODLE) was identified on October 14, PayPal has been hard at work to mitigate any potential impact to our customers and has thus decided to completely disable SSL 3.0 support on December 3, 2104 at 12:01 a.m. Pacific Standard Time.

 

 

POODLE is an internet security vulnerability that impacts the Secure Sockets Layer (SSL) 3.0 protocol, which was designed to ensure secure connections when surfing on the Internet.

 

As a consequence all PayPal merchant customers using PrestaShop will need to update their PayPal integration by upgrading their PayPal module on PrestaShop before December 3^rd, 2014 in order to disable SSL 3.0 for their client interactions.

 

This update will be available on Tuesday November 18^th, 2014 on Addons (version 3.8.0 to come). Please make sure to upgrade your module on the latest version once available.

 

Thank you for your prompt attention to this issue and understanding of our approach.

[wang yi li]

The PrestaShop Paypal module we have solved, as long as the _connectByCURLfunction of the CURL parameters of CURLOPT_SSLVERSION update Paypalpaypal_connect.php file for the CURL_SSLVERSION_TLSv1 can be upgraded, but the premise is the server must support CURL.

I hope you can help.

[webnetstudio]

 

The PrestaShop Paypal module we have solved, as long as the _connectByCURLfunction of the CURL parameters of CURLOPT_SSLVERSION update Paypalpaypal_connect.php file for the CURL_SSLVERSION_TLSv1 can be upgraded, but the premise is the server must support CURL.

I hope you can help.

 

 

Hi alls,

we use an old version of Prestashop 1.4.4.1 with Paypal Module 2.8.4.

In this case the CURLOPT_SSLVERSION don't exit, do ou think the module will be ok? Or we need to change the source?

Adding CURL_SSLVERSION_TLSv1 line wil be transfer data with TLS or it will be necessary to ugrade CULR version?

 

Many thanks

[manel10_12]

Hi alls,

we use an old version of Prestashop 1.4.4.1 with Paypal Module 2.8.4.

In this case the CURLOPT_SSLVERSION don't exit, do ou think the module will be ok? Or we need to change the source?

Adding CURL_SSLVERSION_TLSv1 line wil be transfer data with TLS or it will be necessary to ugrade CULR version?

 

Many thanks

you need to change it through the code, inside the module of Paypal, you need to edit the file paypalconnect.php wixh is inside the folder api of paypal module, editing the file or changing the file for the new one.

[manel10_12]

you need to change it through the code, inside the module of Paypal, you need to edit the file paypalconnect.php wixh is inside the folder api of paypal module, editing the file or changing the file for the new one.

I've just checked out the paypal module for 1.4 in 1 customer that I got, you'll need to change it throught code because replacing will not work, the code is different, better change it by code because I've tried to update it as Paypal recommends, uploading the new module, and in my case it did'nt work, instead it messed up all the paypal configuration page, so I had to upload back the old version.

[Sentenza]

Somewhere I understood reading here http://www.prestashop.com/forums/topic/380185-paypal-modification-ssl-v3-to-tls/ we should have theese kind of situation depending on the version of paypal module:
 
- paypal version <= 2.8.6
   - if server use CURL or FSOCK: no need to change anyting
 
- 2.8.7 <= paypal version < 3.0.9
   - if server use CURL: change in file modules/paypal/api/paypalconnect.php in function _connectByCURL($url, $body) the line @curl_setopt($ch, CURLOPT_SSLVERSION, 3); with this one @curl_setopt($ch, CURLOPT_SSLVERSION, defined(CURL_SSLVERSION_TLSv1) ? CURL_SSLVERSION_TLSv1 : 1);

- 3.0.9 <= paypal version <= 3.7.X
   - if server use CURL: change in file modules/paypal/api/paypal_connect.php in function _connectByCURL($url, $body) the line @curl_setopt($ch, CURLOPT_SSLVERSION, 3); with this one @curl_setopt($ch, CURLOPT_SSLVERSION, defined(CURL_SSLVERSION_TLSv1) ? CURL_SSLVERSION_TLSv1 : 1);

  

Edited November 18, 2014 by Sentenza (see edit history)

[Pascal - Netenvie]

Hi all,

 

Since the SSL v3 issue (also known as POODLE) was identified on October 14, PayPal has been hard at work to mitigate any potential impact to our customers and has thus decided to completely disable SSL 3.0 support on December 3, 2104 at 12:01 a.m. Pacific Standard Time.

 

 

POODLE is an internet security vulnerability that impacts the Secure Sockets Layer (SSL) 3.0 protocol, which was designed to ensure secure connections when surfing on the Internet.

 

As a consequence all PayPal merchant customers using PrestaShop will need to update their PayPal integration by upgrading their PayPal module on PrestaShop before December 3^rd, 2014 in order to disable SSL 3.0 for their client interactions.

 

This update will be available on Tuesday November 18^th, 2014 on Addons (version 3.8.0 to come). Please make sure to upgrade your module on the latest version once available.

 

Thank you for your prompt attention to this issue and understanding of our approach.

 

My question is : We only need to upgrade/replace Paypal module or we also need to update server configuration ?

[Nick Lappage]

Hi all, 

 

I've just downloaded the new version of the PayPal module from this link http://addons.prestashop.com/fr/modules-paiement-prestashop/1748-paypal.html (French Addons site) which calls it the PayPal Europe - Offical module. and then uploaded the zip file to my prestashop sites, using the install new module method, (purely because the Update It link did not show).

 

All is good and payments work with my UK websites.

 

It would be nice if the developer updated their description to show it's for the UK as well.

 

Now... who wants to tell the Addons site owners that Addons is missing a bunch of filters and the search function doesn't work?

[rh1n0]

Somewhere I understood reading here http://www.prestashop.com/forums/topic/380185-paypal-modification-ssl-v3-to-tls/ we should have theese kind of situation depending on the version of paypal module:

 

[...]

Thanks so much for this, Sentenza - implemented and tested, seems to work just as well as it did before. Hopefully it continues working come 3rd December, or I'll be in Dubai having too much of a good time to notice. =D

[NemoPS]

Some fixed files, feel free to contribute: http://nemops.com/prestashop-paypal-modules-will-stop-working/#.VGxr6fmjOr0
 

[KevinNash]

Hello Nemo, your fix is different than 202ecommerce one, yo usuggest to delete or comment this line :

@curl_setopt($ch, CURLOPT_SSLVERSION, 3);

202ecommerce suggest to replace it http://www.prestashop.com/forums/topic/380185-paypal-modification-ssl-v3-to-tls/

 

So what is the best and right solution ?

[oginet]

Nick Lappage says "I've just downloaded the new version of the PayPal module from this link http://addons.presta...748-paypal.html (French Addons site) which calls it the PayPal Europe"

 

I am using Prestashop 1.4.11.0  and PayPal module 3.5.4.   Are you saying that updating to the new module mentioned deals with the issues around PayPal's discontinuation of support for SSL 3.0  ?

 

Your advice will be much appreciated.

 

 

[PascalVG]

More detailed info, also for 1.4.x in this thread

http://www.prestashop.com/forums/topic/380185-paypal-modification-ssl-v3-to-tls/

[frosticek]

Hi Guys, 

I am still getting errors after update (not permanent, usually works for few hours, but then still throws error), from time when SSL changed to TLS:

PayPal response:
-> 
Making new connection to 'api-3t.paypal.com/nvp'
Connect with CURL method successful
Sending this params:
METHOD=SetExpressCheckout&VERSION=106&PWD=*********&USER=my.mail_api1.gmail.com&SIGNATURE=*********&CANCELURL=http%3A%2F%2Fmb-themes.com%2Fhome%2F14-osclass-anti-spam-plugin.html%3Fpaypal_ec_canceled%3D1%26&RETURNURL=http%3A%2F%2Fmb-themes.com%2Fmodules%2Fpaypal%2Fexpress_checkout%2Fpayment.php&NOSHIPPING=0&BUTTONSOURCE=PRESTASHOP_EC&L_PAYMENTREQUEST_0_NUMBER0=14&L_PAYMENTREQUEST_0_NAME0=Spam+Solution+Plugin&L_PAYMENTREQUEST_0_DESC0=Are+you+bother+from+spam%C2%A0on+your+classifieds%3FLet+S...&L_PAYMENTREQUEST_0_AMT0=27.5&L_PAYMENTREQUEST_0_QTY0=1&PAYMENTREQUEST_0_PAYMENTACTION=Sale&PAYMENTREQUEST_0_CURRENCYCODE=EUR&PAYMENTREQUEST_0_SHIPPINGAMT=0.00&PAYMENTREQUEST_0_ITEMAMT=27.5&PAYMENTREQUEST_0_AMT=27.50&SOLUTIONTYPE=Sole&LANDINGPAGE=Login&USER=my.mail_api1.gmail.com&PWD=*********&SIGNATURE=*********
Send with CURL method failed ! Error: Couldn't resolve host 'api-3t.paypal.com'
Connect failed with fsockopen method

Has anyone idea what could be problem?

tested 1.6.0.9 prestasthop and PayPal Europe v3.8.1

 

//Edit: Problem was solved by my hosting company, there was issue with DNS and cache.

Edited November 26, 2014 by frosticek (see edit history)

[rajco]

Hey all I have problem

 

Fatal error: Cannot redeclare class PaypalLib in Unknown on line 0

 

wtf it is ???

 

I have prestashop 1.4.8.2 and module PayPal v3.8.1

 

when I klick on confirm order in payment show

Fatal error: Cannot redeclare class PaypalLib in Unknown on line 0

 

any help please

mine web site

 

http://www.gift-hut.co.uk

[hurray]

I am using prestashop version 1.3.1.1 with paypal module 1.6 and paypalAPI 1.0. Can someone please help me since paypal 3.8 is not compatible with version 1.3.1.1? I can't upgrade my site right now as the christmas shopping is here and I don't want to have any downtime. Can the codes be changed somewhere, may be in a paypal file?

[NemoPS]

I am using prestashop version 1.3.1.1 with paypal module 1.6 and paypalAPI 1.0. Can someone please help me since paypal 3.8 is not compatible with version 1.3.1.1? I can't upgrade my site right now as the christmas shopping is here and I don't want to have any downtime. Can the codes be changed somewhere, may be in a paypal file?

See here: http://nemops.com/prestashop-paypal-modules-will-stop-working/#.VHhITjGjOr0

Locate that string mentioning ssl. If you don't have it, you should not be affected

[oginet]

Hi all, 

 

I've just downloaded the new version of the PayPal module from this link http://addons.prestashop.com/fr/modules-paiement-prestashop/1748-paypal.html (French Addons site) which calls it the PayPal Europe - Offical module. and then uploaded the zip file to my prestashop sites, using the install new module method, (purely because the Update It link did not show).

 

All is good and payments work with my UK websites.

 

It would be nice if the developer updated their description to show it's for the UK as well.

 

Now... who wants to tell the Addons site owners that Addons is missing a bunch of filters and the search function doesn't work?

[oginet]

I'm using Prestashop 1.4 and Nick Lappage's solution has done the trick for me - many thanks

[zaglebie]

[deleted]

Edited November 28, 2014 by zaglebie (see edit history)

[KDC Model Cars]

Hi,

 

I'm using PrestaShop 1.4.7.0 and have PayPal module 2.8.6

I downloaded the latest version of PayPal, and tried to upload it in "Modules", but I keep getting the following:

 

"Error occurred while extracting the module (file may be damaged)." (translated from Dutch)

What should I do??

[bellini13]

download it again and ensure it is not corrupt.  are you able to open the zip file?

[KDC Model Cars]

I downloaded a couple of times, no difference. No idea what it means to ensure it is not corrupt...

I can open the file, yes

[oginet]

Did you "open the zip file? " as suggested - this would show a lot of files which have been zipped.

[KDC Model Cars]

When I open the file, there're a lot of " .php" - files.

[NemoPS]

That is correct, at this point try uploading the paypal folder manually via ftp, into /modules/ (make a backup of the current one + database)

[KDC Model Cars]

That is correct, at this point try uploading the paypal folder manually via ftp, into /modules/ (make a backup of the current one + database)

Is what I did, doesn't work...

[NemoPS]

Sounds weird cause you described it as you were uploading the archive itself  Can you describe the procedure you followed?

[KDC Model Cars]

Turns out there was a problem with writing permissions or something...

Now it finally worked, after dowloading the backward compatibility module