SSLv3 is no longer secure. Most hosts will have had this enabled, and you should check that it is no longer being used on your server.
TLS 1, 1.1 and 1.2 are now the only ones that are considered to be secure.
Dhaupin has already created a good thread about ways to disable here
If you have shared hosting, just message your hosting provider who will fix or confirm it already has been fixed. If anyone has any good links about helping with this please post below.
I'll sticky this topic for a week.
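One way to run the check asked for in the post above, as an added example that is not part of the original thread: it sends a ClientHello whose highest offered version is SSL 3.0 and reports whether the server answers with an SSL 3.0 ServerHello. The function names and the offered suite list are assumptions chosen for illustration, and a "rejected" result can also mean the server shares none of the offered ciphers.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# Suites defined for SSLv3: RSA/DHE key exchange with AES, 3DES or RC4.
SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0033, 0x0039)

def build_sslv3_client_hello():
    """One record holding a ClientHello whose highest version is SSL 3.0."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3                                        # client_version 3.0
            + os.urandom(32)                            # client random
            + b"\x00"                                   # empty session_id
            + struct.pack("!H", len(suites)) + suites   # cipher_suites
            + b"\x01\x00")                              # null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_response(data):
    """Interpret the first bytes the server sent back."""
    if not data:
        return "rejected: connection closed"
    if data[0] == 0x15 and len(data) >= 7:      # alert: level, description
        return "rejected: alert %d" % data[6]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        if data[9:11] == SSL3:                  # ServerHello.server_version
            return "accepted"
    return "unexpected response"

def probe_sslv3(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            while len(data) < (7 if data[:1] == b"\x15" else 11):
                chunk = sock.recv(11 - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:                         # reset or timeout
            pass
    return classify_response(data)

if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1]))             # your own host name
```

A raw probe is used because current OpenSSL and Python builds usually ship without SSLv3 support, so they cannot offer it themselves.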
James wrote: Out of interest has anyone had any difficulties with the PayPal IPNs not coming through when you only have TLS enabled?
A fair few posts in the Forum regarding this James
As of yet I have hit a brick wall in trying to assist with the various info gathered from other sources on a code fix.
uksitebuilder wrote: A fair few posts in the Forum regarding this James. As of yet I have hit a brick wall in trying to assist with the various info gathered from other sources on a code fix.
Thanks, I am in contact with PayPal currently about this issue but we do not seem to be getting very far. I don't believe that there is a code fix from OC side as the IPN notifications just don't even hit the script - looks like the handshake is failing. If you come across any threads send them over here and I can update MTS (PayPal support) with more examples etc.
J
I think most likely James that the problem is with the Server host and what settings they have for Curl in the conf file (or similar)
uksitebuilder wrote: I think most likely James that the problem is with the Server host and what settings they have for Curl in the conf file (or similar)
The IPN doesn't rely on curl until the postback/verification - the errors we have seen are that the actual IPN fails to connect to the notify script. You're right that it is still likely a host issue, whether it's a limited set of ciphers that PayPal doesn't support or that they aren't using TLS at all (yeah, we have even seen some people with ONLY SSLv2 enabled!)
I think I have sorted the required options now but running some tests before confirming.
J
Thanks James. Not sure what PayPal method you're using, but over the last couple of weeks we have run like 50 PayPal Standard through with no issue using TLS 1.0+ on Moz legacy ciphers from approx. August -- is there anything I can help with, or are you speaking of the API based PP?
EDIT: here are the ciphers that work, at least with standard IPN (for us): ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
CentOS 6.5 on CloudLinux kernel, but that shouldn't matter.
https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.
James wrote: Out of interest has anyone had any difficulties with the PayPal IPNs not coming through when you only have TLS enabled?
Hi James, yes, orders paid with Paypal no longer receive order confirmation emails, and stock is not subtracted.
My host disabled SSLv3, and is now using TLS. That's when the problem seems to have started.
When I check the IPN details in Paypal, the HTTP response code is blank. I tried adding this to the controller/payments/PP_standard.php file:
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
but Paypal orders still have the same problem.
Thanks very much!
I am using PayPal Payflow iFrame, and I'm hosted on GoDaddy. I have run the test at https://www.ssllabs.com to confirm that GoDaddy has updated their SSL to TLS only. Paypal is still having issues with the Silent Post back to my server. They tell me there is an SSL Handshake error: "java.lang.RuntimeException: Could not generate DH keypair ++ "
In October everything was working fine...come November it starts to fail. The payments are going thru perfectly, I receive the money in my paypal account, BUT the silent post back to my site from paypal isn't working. The orders are showing up as "missing" and I receive no order confirmation emails.
GoDaddy says I have to update my code? I've looked into the code, but I don't know what I need to change.
Any help is appreciated! Thanks!