View Issue Details

ID: 0005918
Project: module PayPal
Category: module PayPal - sub
View Status: public
Last Update: 2014-10-23 15:22
Reporter: hendrikfreytag
Assigned To: (none)
Priority: immediate
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 3.0.0
Target Version: 3.0.3
Fixed in Version: 3.0.3
Summary: 0005918: PayPal Extension uses SSL3
Description: In oepaypalcurl.php the SSL version is set to 3. But you can't connect to the PayPal sandbox with that protocol version. I noticed that today none of my test shops with the PayPal sandbox will work and I get an error 35. I changed nothing and yesterday I had no problems. Maybe PayPal removed support for SSL3?

Maybe this is related to the poodle news: http://en.wikipedia.org/wiki/POODLE
Steps To Reproduce: I wrote a test script. It is attached.

For reproducing it in the shop:
Just try using PayPal with a sandbox account. You will get curl error 35 after the shop tries to connect to PayPal.
Additional Information:

    protected $_aEnvironmentParameters = array(
        'CURLOPT_VERBOSE' => 0,
        'CURLOPT_SSL_VERIFYPEER' => false,
        'CURLOPT_SSL_VERIFYHOST' => false,
        'CURLOPT_SSLVERSION' => 3,
        'CURLOPT_RETURNTRANSFER' => 1,
        'CURLOPT_POST' => 1,
        'CURLOPT_HTTP_VERSION' => CURL_HTTP_VERSION_1_1,
    );

----------------------------------------------------------------------
If you want to add this fix by yourself please look at these commits:
https://github.com/OXID-eSales/paypal/commit/444f42fdec5fe4d1d7f688d699b47bd123501d8e
https://github.com/OXID-eSales/paypal/commit/6cff4fd28863648aae60d6a7f52877429c45730e
Tags: No tags attached.
Attached Files
curltest.php (282 bytes)

Relationships

has duplicate 0005921 closed jurate.baseviciene Redirect checkout -> PayPal not possible with curl error 35

Activities

hendrikfreytag

2014-10-15 17:05

reporter   ~0010234

You can call the normal endpoint (https://api-3t.paypal.com/nvp) with that option. So this is now only a problem with the sandbox. But why use SSL3 anyway?

simon_stark

2014-10-15 18:07

reporter   ~0010236

Relevant merge on the PayPal SDK GitHub page: https://github.com/paypal/rest-api-sdk-php/pull/127

simon_stark

2014-10-15 18:09

reporter   ~0010237

Also relevant: http://stackoverflow.com/questions/26378351/error1408f10bssl-routinesssl3-get-recordwrong-version-number-paypal-maybe

simon_stark

2014-10-16 09:15

reporter   ~0010238

The root of the problem seemed to be on PayPal's side:

--------
[PayPal Notifications]
Live Site Status Update
Notification: Some PayPal merchants may be experiencing a higher than usual error rate for:
10001 Error , "SSL read error" and/or "SSL protocol error" while making PayPal API calls.

Our technical teams have been engaged and are actively troubleshooting the issue.
Sent Oct 15, 2014 10:03 AM PDT by RGL

Start time: Oct 15, 2014 08:59 AM PDT
If possible, update your SSL client library to support TLS1.0 and up.
Questions? Please contact PayPal Merchant Technical Services<https://ppmts.custhelp.com/> by filing a ticket; refer to PP-LIVE-5787

--------

hendrikfreytag

2014-10-16 09:27

reporter   ~0010240

Last edited: 2014-10-16 09:44

Still no connection to the PayPal sandbox possible.

Maybe it is possible to just delete this line:
https://github.com/OXID-eSales/paypal/blob/b-dev/source/modules/oe/oepaypal/core/oepaypalcurl.php#L64

hendrikfreytag

2014-10-16 09:46

reporter   ~0010241

Questions in our forum about that:
http://forum.oxid-esales.com/showthread.php?p=151286#post151286

bjoerk

2014-10-17 09:43

reporter   ~0010247

This bug is probably caused by the deactivation of SSLv3 by PayPal due to the actual POODLE leak.

We discovered that they deactivated SSLv3 on sandbox since 2014-10-15 early morning and also deactivated SSLv3 on production for about an hour during the evening of the same day.
Actually SSLv3 is available again on production.

The main problem in the actual version of the module is the following line:

  'CURLOPT_SSLVERSION' => 3,

This forces the curl communication over vulnerable SSLv3 and causes the observed curl error because the handshake will fail.

Setting this curl option to 1 will force communication over recommended TLS1:

   'CURLOPT_SSLVERSION' => 1,

Anyway, we discovered this problem also for customers using the old encrypted efire PayPal module, which is actually still used by many customers.
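
The weak setting beside the TLS-only replacement, as an added example that is not the module's own code: it takes an option array in the same string-keyed shape as `$_aEnvironmentParameters` from the report, resolves the names to curl constants, and refuses to build a handle that forces SSLv3 (the report's snippet also turns CURLOPT_SSL_VERIFYPEER/VERIFYHOST off, which the hardened array re-enables). buildCurlOptions() and rejectSslv3() are assumed helper names; the integer fallbacks cover PHP builds that predate the CURL_SSLVERSION_* constants.

```php
<?php
// Added example, not the OXID module's code. Constructed copy of the
// security-relevant entries from the report's $_aEnvironmentParameters.
$weakParams = array(
    'CURLOPT_SSL_VERIFYPEER' => false, // certificate checks off
    'CURLOPT_SSL_VERIFYHOST' => false,
    'CURLOPT_SSLVERSION'     => 3,     // CURL_SSLVERSION_SSLv3: handshake fails once the peer drops SSLv3
);

// Hardened replacement: TLSv1 (value 1) as suggested in the thread, with
// peer and host verification enabled.
$hardenedParams = array(
    'CURLOPT_SSL_VERIFYPEER' => true,
    'CURLOPT_SSL_VERIFYHOST' => 2,
    'CURLOPT_SSLVERSION'     => defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1,
);

// Resolve 'CURLOPT_*' names to their integer constants for curl_setopt_array().
function buildCurlOptions(array $params)
{
    $options = array();
    foreach ($params as $name => $value) {
        if (!defined($name)) {
            throw new InvalidArgumentException("Unknown curl option: $name");
        }
        $options[constant($name)] = $value;
    }
    return $options;
}

// Refuse any option set that pins the connection to the SSLv3 handshake.
function rejectSslv3(array $options)
{
    $sslv3 = defined('CURL_SSLVERSION_SSLv3') ? CURL_SSLVERSION_SSLv3 : 3;
    if (isset($options[CURLOPT_SSLVERSION]) && (int) $options[CURLOPT_SSLVERSION] === $sslv3) {
        throw new RuntimeException('CURLOPT_SSLVERSION forces SSLv3; use TLSv1 or newer');
    }
    return $options;
}

foreach (array('weak' => $weakParams, 'hardened' => $hardenedParams) as $label => $params) {
    try {
        $options = rejectSslv3(buildCurlOptions($params));
        $ch = curl_init('https://api-3t.paypal.com/nvp'); // endpoint from the thread; no request is sent here
        curl_setopt_array($ch, $options);
        echo "$label: handle configured for TLS with certificate verification\n";
        curl_close($ch);
    } catch (RuntimeException $e) {
        echo "$label: rejected: " . $e->getMessage() . "\n";
    }
}
```

Running it prints a rejection for the weak array and a configured handle for the hardened one; curl_exec() is deliberately never called so the script works offline.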

saulius.stasiukaitis

2014-10-20 12:37

reporter   ~0010253

We need confirmation from PayPal which is the correct version to use. The 2nd and 4th are also theoretically available.

arturas.sevcenko

2014-10-21 15:56

reporter   ~0010257

SSL version set to TLSv1 in all patches from 3.0.