View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005918 | module PayPal | module PayPal - sub | public | 2014-10-15 16:58 | 2014-10-23 15:22 |
Reporter | hendrikfreytag | Assigned To | |||
Priority | immediate | Severity | major | Reproducibility | always |
Status | resolved | Resolution | fixed | ||
Product Version | 3.0.0 | ||||
Target Version | 3.0.3 | Fixed in Version | 3.0.3 | ||
Summary | 0005918: PayPal Extension uses SSL3 | ||||
Description | In oepaypalcurl.php the SSL version is set to 3. But you can't connect to the PayPal sandbox with that protocol version. I noticed that today none of my test shops with PayPal sandbox will work and I get an error 35. I changed nothing and yesterday I had no problems. Maybe PayPal removed support for SSL3? Maybe this is related to the POODLE news: http://en.wikipedia.org/wiki/POODLE | ||||
Steps To Reproduce | I wrote a test script. It is attached. For reproducing it in the shop: Just try using PayPal with a sandbox account. It will get Curl error: 35, after the shop tries to connect to PayPal. | ||||
Additional Information | `protected $_aEnvironmentParameters = array( 'CURLOPT_VERBOSE' => 0, 'CURLOPT_SSL_VERIFYPEER' => false, 'CURLOPT_SSL_VERIFYHOST' => false, 'CURLOPT_SSLVERSION' => 3, 'CURLOPT_RETURNTRANSFER' => 1, 'CURLOPT_POST' => 1, 'CURLOPT_HTTP_VERSION' => CURL_HTTP_VERSION_1_1, );` If you want to add this fix by yourself please look at these commits: https://github.com/OXID-eSales/paypal/commit/444f42fdec5fe4d1d7f688d699b47bd123501d8e and https://github.com/OXID-eSales/paypal/commit/6cff4fd28863648aae60d6a7f52877429c45730e | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
has duplicate | 0005921 | closed | jurate.baseviciene | Redirect checkout -> PayPal not possible with curl error 35 |
|
You can call the normal endpoint (https://api-3t.paypal.com/nvp) with that option. So this is now only a problem with the sandbox. But why use SSL3 anyway? |
|
Relevant merge for the PayPal SDK GitHub page: https://github.com/paypal/rest-api-sdk-php/pull/127 |
|
Also relevant: http://stackoverflow.com/questions/26378351/error1408f10bssl-routinesssl3-get-recordwrong-version-number-paypal-maybe |
|
The root of the problem seemed to be on PayPal's side: -------- [PayPal Notifications] Live Site Status Update Notification: Some PayPal merchants may be experiencing a higher than usual error rate for: 10001 Error, "SSL read error" and/or "SSL protocol error" while making PayPal API calls. Our technical teams have been engaged and are actively troubleshooting the issue. Sent Oct 15, 2014 10:03 AM PDT by RGL. Start time: Oct 15, 2014 08:59 AM PDT. If possible, update your SSL client library to support TLS1.0 and up. Questions? Please contact PayPal Merchant Technical Services <https://ppmts.custhelp.com/> by filing a ticket; refer to PP-LIVE-5787 -------- |
|
Still no connection to PayPal sandbox possible. Maybe it is possible to just delete this line: https://github.com/OXID-eSales/paypal/blob/b-dev/source/modules/oe/oepaypal/core/oepaypalcurl.php#L64 |
|
Questions in our forum about that: http://forum.oxid-esales.com/showthread.php?p=151286#post151286 |
|
This bug is probably caused because of the deactivation of SSLv3 by PayPal due to the actual POODLE leak. We discovered that they deactivated SSLv3 on sandbox since 2014-10-15 early morning and also deactivated SSLv3 on production for about an hour during the evening of the same day. Actually SSLv3 is available again on production. The main problem in the actual version of the module is the following line: `'CURLOPT_SSLVERSION' => 3,` This forces the curl communication over vulnerable SSLv3 and causes the observed curl error because the handshake will fail. Setting this curl option to 1 will force communication over recommended TLS1: `'CURLOPT_SSLVERSION' => 1,` Anyway, we discovered this problem also for customers using the old encrypted efire PayPal module which is actually still used by many customers. |
|
We need confirmation from PayPal which is the correct version to use. 2nd and 4th are also theoretically available. |
|
SSL version set to TLSv1 in all patches from 3.0 |
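
An added example (not code from the OXID module or from any commenter): a small PHP audit of an option array shaped like `$_aEnvironmentParameters` in the report, flagging a pinned SSLv2/SSLv3 value and, going beyond what the thread discusses, the disabled certificate checks visible in the same array. The function names and both sample arrays are assumptions constructed for illustration; the numeric values are libcurl's `CURL_SSLVERSION_*` constants.

```php
<?php
// Added example, not OXID module code. Function names here are hypothetical.

// libcurl's numeric CURLOPT_SSLVERSION values and what each one selects.
function sslVersionName($value)
{
    $names = array(
        0 => 'library default',
        1 => 'TLSv1.x',
        2 => 'SSLv2',
        3 => 'SSLv3',
        4 => 'TLSv1.0',
        5 => 'TLSv1.1',
        6 => 'TLSv1.2',
        7 => 'TLSv1.3',
    );
    return isset($names[$value]) ? $names[$value] : 'unknown';
}

// Return findings for an option array keyed by option name, as in the report.
function auditCurlTlsOptions(array $options)
{
    $findings = array();
    $version = isset($options['CURLOPT_SSLVERSION']) ? (int) $options['CURLOPT_SSLVERSION'] : 0;
    if ($version === 2 || $version === 3) {
        $findings[] = 'CURLOPT_SSLVERSION=' . $version . ' pins ' . sslVersionName($version)
            . ': handshake fails (curl error 35) once the server drops it';
    }
    if (array_key_exists('CURLOPT_SSL_VERIFYPEER', $options) && !$options['CURLOPT_SSL_VERIFYPEER']) {
        $findings[] = 'CURLOPT_SSL_VERIFYPEER is off: the certificate chain is not validated';
    }
    if (array_key_exists('CURLOPT_SSL_VERIFYHOST', $options) && (int) $options['CURLOPT_SSL_VERIFYHOST'] !== 2) {
        $findings[] = 'CURLOPT_SSL_VERIFYHOST is not 2: the certificate host name is not checked';
    }
    return $findings;
}

// Constructed samples: TLS-related keys from the report, then the same with the fix value 1.
$reported = array('CURLOPT_SSL_VERIFYPEER' => false, 'CURLOPT_SSL_VERIFYHOST' => false, 'CURLOPT_SSLVERSION' => 3);
$patched = array_merge($reported, array('CURLOPT_SSLVERSION' => 1));

foreach (array('reported' => $reported, 'patched' => $patched) as $label => $options) {
    echo $label . ' (' . sslVersionName((int) $options['CURLOPT_SSLVERSION']) . "):\n";
    foreach (auditCurlTlsOptions($options) as $finding) {
        echo '  - ' . $finding . "\n";
    }
}
```

Run with the PHP CLI; it needs neither the curl extension nor network access, because it inspects only the option array.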