Post by James » Fri Oct 24, 2014 2:06 am

SSLv3 is no longer secure, most hosts will have had this enabled and you should check that it is no longer being used on your server.

TLS 1, 1.1 and 1.2 are now the only ones that are considered to be secure.

Dhaupin has already created a good thread about ways to disable here

If you have shared hosting, just message your hosting provider who will fix or confirm it already has been fixed. If anyone has any good links about helping with this please post below.

I'll sticky this topic for a week.

User avatar
Active Member

Posts

Joined
Wed May 27, 2009 6:07 am
Location - Leeds, UK

Post by rph » Fri Oct 24, 2014 2:33 am

You can test whether your server is vulnerable at https://www.poodlescan.com .

-Ryan


rph
Expert Member

Posts

Joined
Fri Jan 08, 2010 5:05 am
Location - Lincoln, Nebraska

Post by James » Tue Oct 28, 2014 1:32 am

Out of interest has anyone had any difficulties with the PayPal IPNs not coming through when you only have TLS enabled?

User avatar
Active Member

Posts

Joined
Wed May 27, 2009 6:07 am
Location - Leeds, UK

Post by uksitebuilder » Tue Oct 28, 2014 2:17 am

James wrote:Out of interest has anyone had any difficulties with the PayPal IPNs not coming through when you only have TLS enabled?
A fair few posts in the Forum regarding this James

As of yet I have hit a brick wall in trying to assist wit hthe various info gathered from other sources on a code fix.

User avatar
Guru Member

Posts

Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom

Post by James » Tue Oct 28, 2014 3:28 am

uksitebuilder wrote:
James wrote:Out of interest has anyone had any difficulties with the PayPal IPNs not coming through when you only have TLS enabled?
A fair few posts in the Forum regarding this James

As of yet I have hit a brick wall in trying to assist wit hthe various info gathered from other sources on a code fix.
Thanks, I am in contact with PayPal currently about this issue but we do not seem to be getting very far. I don't believe that there is a code fix from OC side as the IPN notifications just don't even hit the script - looks like the handshake is failing. If you come across any threads send them over here and I can update MTS (PayPal support) with more examples etc.

J

User avatar
Active Member

Posts

Joined
Wed May 27, 2009 6:07 am
Location - Leeds, UK

Post by uksitebuilder » Tue Oct 28, 2014 4:16 am

I think most likely James that the problem is with the Server host and what settings they have for Curl in the conf file (or similar)

User avatar
Guru Member

Posts

Joined
Thu Jun 09, 2011 11:37 pm
Location - United Kindgom

Post by James » Tue Oct 28, 2014 5:47 am

uksitebuilder wrote:I think most likely James that the problem is with the Server host and what settings they have for Curl in the conf file (or similar)
The IPN doesn't rely on curl until the postback/verification - the errors we have seen is that the actual IPN fails to connect to the notify script, your right that it is still likely a host issue whether its a limited set of ciphers that PayPal doesn't support or that they arn't using TLS at all (yeah we have even seen some people with ONLY SSLv2 enabled!)

I think I have sorted the required options now but running some tests before confirming.

J

User avatar
Active Member

Posts

Joined
Wed May 27, 2009 6:07 am
Location - Leeds, UK

Post by Dhaupin » Wed Oct 29, 2014 7:14 am

Thanks James. Not sure what PayPal method youre using but over the last couple weeks we have ran like 50 PayPal standard through with no issue using TLS 1.0+ on Moz legacy ciphers from aprx August -- is there anything I can help with, or are you speaking of the API based PP?

EDIT: here are the ciphers that work, at least with standard IPN (for us): ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK

CentOs 6.5 on CloudLinux kernel, but that shouldnt matter.

https://creadev.org | support@creadev.org - Opencart Extensions, Integrations, & Development. Made in the USA.


User avatar
Active Member

Posts

Joined
Tue May 13, 2014 3:45 am
Location - PA

Post by asdf4321 » Wed Oct 29, 2014 7:28 am

James wrote:Out of interest has anyone had any difficulties with the PayPal IPNs not coming through when you only have TLS enabled?
Hi James, yes, orders paid with Paypal no longer receive order confirmation emails, and stock is not subtracted.

My host disabled SSLv3, and is now using TLS. That's when the problem seems to have started.

When I check the IPN details in Paypal, the HTTP response code is blank. I tried adding this to the controller/payments/PP_standard.php file:

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

but Paypal orders still have the same problem.

Thanks very much!

Newbie

Posts

Joined
Wed Oct 29, 2014 6:43 am

Post by ipthena » Fri Dec 12, 2014 10:23 pm

I am using PayPal Payflow iFrame, and i'm hosted on GoDaddy. I have run the test at https://www.ssllabs.com to confirm that GoDaddy has updated their SSL to TLS only. Paypal is still having issues with the Silent Post back to my server. They tell me there is an SSL Handshake error: "java.lang.RuntimeException: Could not generate DH keypair ++ "

In October everything was working fine...come November it starts to fail. The payments are going thru perfectly, i receive the money in my paypal account,BUT the silent post back to my site from paypal isn't working. The orders are showing up as "missing" and i receive no order confirmation emails.

GoDaddy says i have to update my code? i've looked into the code, but i dont' know what i need to change.

Any help is appreciated! Thanks!

Newbie

Posts

Joined
Sun Dec 07, 2014 3:18 am
Who is online

Users browsing this forum: No registered users and 47 guests