Post by Dhaupin » Sat Oct 18, 2014 5:04 am

To make this short and sweet, POODLE is yet another exploit in the string of recent SSL events. It's basically another man in the middle. Certain headers attempt to prevent this, but only if it's a modernized browser, and the server sends it. Repair it ASAP. http://googleonlinesecurity.blogspot.co ... sl-30.html

If you have a VPS server with WHM here is how you can quickly turn off SSLv3 (and SSLv2) http://www.liquidweb.com/kb/how-to-disa ... rom-poodle

If you need SSLv3 for some reason you can scope TLS_FALLBACK_SCSV support instead. Better off just cutting ties with v3 though, since old head IE6 on WinXP has no concept of new protocols or standards. Darned if you do, darned if you don't. It's time to finally move beyond old IE on XP support.
Last edited by Dhaupin on Sat Oct 18, 2014 6:13 am, edited 1 time in total.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.



Post by Dhaupin » Sat Oct 18, 2014 6:04 am

Oh, if you need to test, you can also use Qualys: https://www.ssllabs.com/ssltest/analyze.html If you are on a shared server and have no access to SSL guts, you should show the results of your test to your host. They should make it at least a B grade.

If your server and legacy ciphers are good, you should score a grade B no problem. Shameless promotion, here is what the results should look like and how high you can score using a buttoned up server + SSL & Secure Policies manager, even when using SNI (coming soon to extension market)

Attachment: a-plus.png (37.88 KiB) - Modern SSL Env + FORCED + HSTS + CSP + Fallbacks = Institution Grade OC



Post by HealthWyze » Wed Oct 29, 2014 11:26 am

After disabling SSLv3, PayPal Standard IPN does not work. Therefore, orders through PayPal begin to appear in "Missing orders".



Post by Randem » Wed Oct 29, 2014 11:38 am

I just got a notice from my credit card processor stating that SSL v3 is going to be discontinued and wanted to KNOW if there was anything that I needed to do to keep my stores up and running?

My server that OpenCart is installed on does not support SSL v2 or SSL v3.

Does OpenCart use either?

NEVER take serious; anyone who gives negative impact statements with no ABSOLUTE proof!
OpenCart Helpful Information * Upgrade 1.5 to 2.1 * Upgrade 2.1 to 2.2
"Why do people NEVER have enough time to do it right but ALWAYS enough time to do it over?"
DO NOT EVER GIVE SOMEONE YOU DON'T KNOW ADMIN ACCESS TO ANYTHING!
I am NOT affiliated with OpenCart



Post by cgchris99 » Fri Oct 31, 2014 11:31 pm

Any updates on this?


Post by Dhaupin » Mon Nov 03, 2014 12:41 pm

@HealthWyze
Apparently there is a fix in progress for Paypal to make IPN successful, although at this point it's unclear to me whether it's server side, OC side, or Paypal side. They made a new thread to discuss it here: http://forum.opencart.com/viewtopic.php?f=179&t=132859 Could you share what Paypal module you are using, as well as any other data like your hosting company, for James and crew?

Been using Paypal payments standard (the one that uses just an email) and it seems to work fine, although it *could* be related to the Cipher suite. Many hosts are just TLS possibly without providing a backwards compatible suite. In the thread mentioned above, I shared the ciphers that seem to work, at least with that Paypal IPN method. http://forum.opencart.com/viewtopic.php ... 59#p523913


@Randem & @cgchris99
As far as default OC itself, not counting 3rd party stuff like Paypal IPN (which is like an API), there doesn't seem to be any issue with TLS 1.0+. Not saying nothing will rear its head, but if you are experiencing issues with core components of OC, it is probably host related. Is anyone else running into things?


Post by HealthWyze » Sun Nov 09, 2014 8:38 pm

Dhaupin wrote:
@HealthWyze
Apparently there is a fix in progress for Paypal to make IPN successful, although at this point it's unclear to me whether it's server side, OC side, or Paypal side. They made a new thread to discuss it here: http://forum.opencart.com/viewtopic.php?f=179&t=132859 Could you share what Paypal module you are using, as well as any other data like your hosting company, for James and crew?

Been using Paypal payments standard (the one that uses just an email) and it seems to work fine, although it *could* be related to the Cipher suite. Many hosts are just TLS possibly without providing a backwards compatible suite. In the thread mentioned above, I shared the ciphers that seem to work, at least with that Paypal IPN method. http://forum.opencart.com/viewtopic.php ... 59#p523913
I am using PayPal Standard on a dedicated server, running CentOS 6.0, so we have total control. I tried using your cipher suite, but that didn't fix it. Here are our current SSL settings in Apache:

SSLEngine on
# Every protocol the OpenSSL build offers, minus SSLv3 (the POODLE fix)
SSLProtocol All -SSLv3
# Use the server's preference order, not the client's
SSLHonorCipherOrder on

# Note: TLS_RSA_WITH_AES_128_CBC_SHA is the IANA name; OpenSSL's cipher-string name for that suite is AES128-SHA
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:AES128:AES256:ECDHE-ECDSA-AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"

I'm not sure what else it could be. I'll be happy to answer any questions that you have, in the event that I can be of help.



Post by Dhaupin » Fri Nov 14, 2014 5:42 am

Hmm, very strange... I can't replicate this, not sure why. Has anyone gotten in contact with Paypal? I'd be happy to talk to them if I find a minute this weekend.


Post by williham » Fri Nov 14, 2014 7:30 pm

Just had an email from Paypal saying that they're stopping support for SSL 3.0. We're using Paypal Pro to accept cards - is the payment module likely to need any modifications, or should it be OK?

Many Thanks


Post by HealthWyze » Mon Nov 17, 2014 12:45 pm

We managed to fix the problem. We figured out that PayPal is sending its IPNs using only TLS 1.1 or TLS 1.2, so servers that only accept TLS 1.0 cannot accept the IPNs. Apache and OpenSSL need to be recompiled to fix the problem. Unfortunately, the version of OpenSSL that is included with our Linux distribution will not compile in the right TLS support for Apache, even though it supposedly does. This may be a widespread problem. We published a report about how to fix the problems here:

http://healthwyze.org/index.php/compone ... l-ipn.html

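The check the thread keeps coming back to (SSL Labs in Dhaupin's second post, and HealthWyze's finding that the PayPal IPN sender only speaks TLS 1.1 or 1.2) boils down to one question per protocol version: does the server answer a ClientHello for that version with a ServerHello, or with an alert? The probe below is an added example written for this page, not code from OpenCart, PayPal, SSL Labs or any poster. It builds a minimal ClientHello for a chosen version, classifies the server's first record, and also exercises the TLS_FALLBACK_SCSV behaviour mentioned in the first post: a server that honours the SCSV answers a deliberately downgraded hello with an inappropriate_fallback alert. The host name is a placeholder and the sample replies are constructed for offline use, not captured from any real server.

```python
"""Minimal SSL/TLS version probe: one ClientHello per protocol version,
then classify the server's first reply.  Added example for this thread;
not OpenCart, PayPal or SSL Labs code.  Host names are placeholders."""
import socket
import struct

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

# A handful of widely supported RSA/ECDHE suites (IANA code points); the probe is
# about protocol versions, so any server of the era should be able to pick one.
CIPHER_SUITES = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A]
TLS_FALLBACK_SCSV = 0x5600   # RFC 7507 signalling suite a downgrading client adds

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, server_name, fallback_scsv=False):
    """Return one TLS record carrying a ClientHello for `version` = (major, minor)."""
    suites = list(CIPHER_SUITES)
    if fallback_scsv:
        suites.append(TLS_FALLBACK_SCSV)
    body = bytes(version)                       # client_version
    body += b"\x00" * 32                        # random (constant: this is a probe, not a real client)
    body += b"\x00"                             # session_id length 0
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                         # one compression method: null
    if version != (3, 0):                       # SSLv3 has no extensions; TLS hellos carry SNI
        name = server_name.encode("ascii")
        sni_list = b"\x00" + struct.pack(">H", len(name)) + name          # host_name entry
        sni_ext = struct.pack(">HH", 0x0000, len(sni_list) + 2) + struct.pack(">H", len(sni_list)) + sni_list
        body += struct.pack(">H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body         # type ClientHello, 3-byte length
    record_version = (3, 0) if version == (3, 0) else (3, 1)              # legacy record-layer version
    return b"\x16" + bytes(record_version) + struct.pack(">H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to our ClientHello."""
    if len(data) < 5:
        return "no response"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                           # Alert record
        desc = data[6]
        if desc == 86:
            return "rejected: inappropriate_fallback alert (server honours TLS_FALLBACK_SCSV)"
        return f"rejected: {ALERT_NAMES.get(desc, str(desc))} alert"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:      # Handshake / ServerHello
        negotiated = (data[9], data[10])
        return f"accepted: server negotiated {VERSION_NAMES.get(negotiated, str(negotiated))}"
    return "unexpected reply"


def probe(host, port, version, fallback_scsv=False, timeout=5.0):
    """Send one ClientHello to host:port and classify the first reply (needs network)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version, host, fallback_scsv))
            return classify_response(sock.recv(4096))
    except OSError as exc:                       # refused, reset, timeout, DNS failure
        return f"no response ({exc.__class__.__name__})"


# Constructed sample replies for offline use (not captured from any real host).
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03\x00\x2a"                    # record: handshake, 42 bytes
                       + b"\x02\x00\x00\x26"                      # ServerHello, 38-byte body
                       + b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\xc0\x14" + b"\x00")
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal, protocol_version (70)
SAMPLE_FALLBACK_ALERT = b"\x15\x03\x01\x00\x02\x02\x56"          # fatal, inappropriate_fallback (86)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder target
    for v, name in VERSION_NAMES.items():
        print(f"{name:8} -> {probe(host, 443, v)}")
    # Downgraded hello with the SCSV attached: a patched server should refuse it.
    print(f"SCSV     -> {probe(host, 443, (3, 1), fallback_scsv=True)}")
```

Run it as `python probe.py shop.example` against your own store. A server configured as HealthWyze ended up with should report SSLv3 rejected and TLS 1.2 accepted; a server that answers the TLS 1.1 and 1.2 hellos with a protocol_version alert or drops the connection is in the state HealthWyze describes, where PayPal's IPN sender cannot connect. Note that a server may also answer a TLS 1.2 hello with a ServerHello for a lower version, which the classifier reports as the negotiated version so the downgrade is visible.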


Post by pooja-vishnoi » Sat Nov 22, 2014 2:34 pm

Hi,
I also got a mail from Paypal regarding SSL 3.0.
As per the details provided, updates have been done on the sandbox, so we can test our system with the sandbox. If it is working fine with no error, it will work fine on Paypal's upgraded system as well, which is going to be implemented in December.

I chose sandbox mode in the Paypal payment options in OpenCart and then ran a test transaction, which ran successfully with no error.
I assume my system is fine and I do not need to change anything.
You guys can also test it with the sandbox.

Thanks
pooja
www.linensncurtains.com


Post by lpotts » Thu Nov 27, 2014 8:27 pm

Hi all,

We too have come across this with Paypal recently. We are on a shared hosting package with TSOHost - it's cheap and seems to do the job for us. I have been on the SSLLabs website and it says that we are vulnerable to SSLv3 attacks... However, when I spoke with TSOHost yesterday they said they have disabled it on all of their servers, so does this mean that we are okay? The guy at TSOHost said that we may need to change something on our side also, but gave no indication as to what.

I am not technically gifted in such areas, and any assistance would be greatly appreciated.

Best regards,

Luke
