To make this short and sweet, POODLE is yet another exploit in the string of recent SSL events. Its basically another man in the middle. Certain headers attempt to prevent this, but only if its a modernized browser, and the server sends it. Repair it ASAP. http://googleonlinesecurity.blogspot.co ... sl-30.html
If you have a VPS server with WHM here is how you can quickly turn off SSLv3 (and SSLv2) http://www.liquidweb.com/kb/how-to-disa ... rom-poodle
If you need SSLv3 for some reason you can scope TLS_FALLBACK_SCSV support instead. Better off just cutting ties with v3 though since old head IE6 on WinXP has no concept of new protocol or standards. Darned if you do, Darned if you dont. Its time to finally move beyond old IE on XP support.
Oh if you need to test, you can also use Qualys https://www.ssllabs.com/ssltest/analyze.html If you are on a shared server and have no access to SSL guts, you should show the results of your test to your host. They should make it at least a B grade.
If your server and legacy ciphers are good, you should score a grade B no problem. Shameless promotion, here is what the results should look like and how high you can score using a buttoned up server + SSL & Secure Policies manager, even when using SNI (coming soon to extension market)
If your server and legacy ciphers are good, you should score a grade B no problem. Shameless promotion, here is what the results should look like and how high you can score using a buttoned up server + SSL & Secure Policies manager, even when using SNI (coming soon to extension market)
Attachments
Modern SSL Env + FORCED + HSTS + CSP + Fallbacks = Institution Grade OC - a-plus.png (37.88 KiB) Viewed 9050 times
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
After disabling SSLv3, PayPal standard IPN does not not work. Therefore, orders through PayPal begin to appear in "Missing orders".
I just got a notice from my credit card processor stating that SSL v3 is going to be discontinued and wanted to KNOW if there was anything that I needed to do to keep my stores up and running?
My server that OpenCart is installed on does not support SSL v2 or SSL v3
Does OpenCart use either?
My server that OpenCart is installed on does not support SSL v2 or SSL v3
Does OpenCart use either?
NEVER take serious; anyone who gives negative impact statements with no ABSOLUTE proof!
OpenCart Helpful Information * Upgrade 1.5 to 2.1 * Upgrade 2.1 to 2.2
"Why do people NEVER have enough time to do it right but ALWAYS enough time to do it over?"
DO NOT EVER GIVE SOMEONE YOU DON"T KNOW ADMIN ACCESS TO ANYTHING!
I am NOT affiliated with OpenCart
@HealthWyze
Apparently there is a fix in progress for Paypal to make IPN successful, although at this point its unclear to me whether its server side, OC side, or Paypal side. They made a new thread to discuss it here: http://forum.opencart.com/viewtopic.php?f=179&t=132859 Could you share what paypal module you are using as well as any other data like your hosting company for James and crew?
Been using Paypal payments standard (the one that uses just an email) and it seems to work fine, although it *could* be related to the Cipher suite. Many hosts are just TLS possibly without providing a backwards compatible suite. In the thread mentioned above, I shared the ciphers that seem to work, at least with that Paypal IPN method. http://forum.opencart.com/viewtopic.php ... 59#p523913
@Randem & @chchris99
As far as default OC itself, not counting 3rd party stuff like Paypal IPN (which is like an API), there doesnt seem to be any issue with TLS 1.0+. Not saying anything will rear its head, but if you are experiencing issues with core components of OC, it is probably host related. Is anyone else running into things?
Apparently there is a fix in progress for Paypal to make IPN successful, although at this point its unclear to me whether its server side, OC side, or Paypal side. They made a new thread to discuss it here: http://forum.opencart.com/viewtopic.php?f=179&t=132859 Could you share what paypal module you are using as well as any other data like your hosting company for James and crew?
Been using Paypal payments standard (the one that uses just an email) and it seems to work fine, although it *could* be related to the Cipher suite. Many hosts are just TLS possibly without providing a backwards compatible suite. In the thread mentioned above, I shared the ciphers that seem to work, at least with that Paypal IPN method. http://forum.opencart.com/viewtopic.php ... 59#p523913
@Randem & @chchris99
As far as default OC itself, not counting 3rd party stuff like Paypal IPN (which is like an API), there doesnt seem to be any issue with TLS 1.0+. Not saying anything will rear its head, but if you are experiencing issues with core components of OC, it is probably host related. Is anyone else running into things?
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
I am using PayPal Standard on a dedicated server, running CentOS 6.0, so we have total control. I tried using your cipher suite, but that didn't fix it. Here are our current SSL settings in Apache:Dhaupin wrote:@HealthWyze
Apparently there is a fix in progress for Paypal to make IPN successful, although at this point its unclear to me whether its server side, OC side, or Paypal side. They made a new thread to discuss it here: http://forum.opencart.com/viewtopic.php?f=179&t=132859 Could you share what paypal module you are using as well as any other data like your hosting company for James and crew?
Been using Paypal payments standard (the one that uses just an email) and it seems to work fine, although it *could* be related to the Cipher suite. Many hosts are just TLS possibly without providing a backwards compatible suite. In the thread mentioned above, I shared the ciphers that seem to work, at least with that Paypal IPN method. http://forum.opencart.com/viewtopic.php ... 59#p523913
Code: Select all
SSLEngine on
SSLProtocol All -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:TLS_RSA_WITH_AES_128_CBC_SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:AES128:AES256:ECDHE-ECDSA-AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
Hmm very strange....I cant replicate this, not sure why. Has anyone gotten in contact with Paypal? Id be happy to talk to them if i find a minute this weekend
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
We managed to fix the problem. We figured out that PayPal is sending its IPNs using only TLS 1.1 or TLS 1.2, so servers that only accept TLS 1.0 cannot accept the IPNs. Apache and OpenSSL need to be recompiled to fix the problem. Unfortunately, the version of OpenSSL that is included with our Linux distribution will not compile in the right TLS support for Apache, even though it supposedly does. This may be a widespread problem. We published a report about how to fix the problems here:
http://healthwyze.org/index.php/compone ... l-ipn.html
http://healthwyze.org/index.php/compone ... l-ipn.html
Hi,
I also got a mail from paypal regarding SSL 3.0.
As per details provided, updates has been done on sandbox so we can test our system with sandbox. If it is working fine with no error, it will work fine on paypal upgraded system as well which is going to be implemented in dec.
I choosed sandbox mode in paypal payment options in opencart and then run a test transaction which ran successfully with no error.
I assume my system is fine and i do not need to change.
You guys can also test it with sandbox.
Thanks
pooja
www.linensncurtains.com
I also got a mail from paypal regarding SSL 3.0.
As per details provided, updates has been done on sandbox so we can test our system with sandbox. If it is working fine with no error, it will work fine on paypal upgraded system as well which is going to be implemented in dec.
I choosed sandbox mode in paypal payment options in opencart and then run a test transaction which ran successfully with no error.
I assume my system is fine and i do not need to change.
You guys can also test it with sandbox.
Thanks
pooja
www.linensncurtains.com
Hi all,
We too have come across this with Paypal recently. We are on a shared hosting package with TSOHost - It's cheap and seems to do the job for us. I have been on the SSLLabs website and it says that we are vulnerable to SSLv3 attacks... However when I spoke with TSOHost yesterday they said they have disabled it on all of their servers, so does this mean that we are okay? The guy at TSOHost said that we may need to change something on our side also, but gave no indication as to what?
I am not technically gifted in such areas, and any assistance would be greatly appreciated.
Best regards,
Luke
We too have come across this with Paypal recently. We are on a shared hosting package with TSOHost - It's cheap and seems to do the job for us. I have been on the SSLLabs website and it says that we are vulnerable to SSLv3 attacks... However when I spoke with TSOHost yesterday they said they have disabled it on all of their servers, so does this mean that we are okay? The guy at TSOHost said that we may need to change something on our side also, but gave no indication as to what?
I am not technically gifted in such areas, and any assistance would be greatly appreciated.
Best regards,
Luke
Who is online
Users browsing this forum: No registered users and 8 guests
