Re: POODLE vulnerability in SSLv3
XC uses SSL 3 in these files as well:
func.https_X.php, where X is libcurl, curl, openssl, ssleay.
It is OFF by default, but other code in XC may set it to true when used. The solution will be to find the line in the file that sets the option for SSL3 and comment it out. For example, in func.https_libcurl.php there is this PHP Code:
so just comment it out. PHP Code:
This is untested, so make sure you do some test orders if changing it.
QT, can we get clarification on this and a patch for XC if possible?
Re: POODLE vulnerability in SSLv3
We edited the conf file to exclude SSLv3 from SSLProtocol. We did an online test and it passes. Do we still need to patch the X-Payments connector files?
Re: POODLE vulnerability in SSLv3
Quote:
Yes, if you use X-Payments. This thread was originally created about dealing with the POODLE in X-Payments.
Re: POODLE vulnerability in SSLv3
Quote:
This is the correct patch. Our team is working on the 4.6.5 release planned for this week. This version will have the necessary corrections so that it does not use SSLv3.
Re: POODLE vulnerability in SSLv3
Re: Magento users of X-Payments
Nothing needed to be patched in the connector module, as our Magento connector for X-Payments relies on using the built-in Magento HTTPS module. So I advise checking with Magento regarding whether or not Magento needs to be patched.
Re: POODLE vulnerability in SSLv3
We are having an issue with this on XC 4.5.5.
We installed the newest X-Payments Connector, and received the following errors in x-errors_xpay_connector-xxxxxx.php:
Code:
[20-Oct-2014 13:29:34] xpay_connector message:
Then in x-errors_payments-xxxxxx.php:
Code:
[20-Oct-2014 13:29:34] PAYMENTS message:
EDIT: We successfully reverted to old setup, but would still like to know how to fix the above errors.
Re: POODLE vulnerability in SSLv3
I fixed two stores using this fix. Thank you so much.
X-cart 4.54 and 4.52 with x-payment 1.06.
Re: POODLE vulnerability in SSLv3
For those not using xpayments: I'm on 4.6.4. I added
SSLProtocol all -SSLv2 -SSLv3
to my pre-virtual host include file on Apache, pre_virtualhost_global.conf. Passed the test. This is a CentOS 6.4 x86_64 standard GoDaddy dedicated server.
Re: POODLE vulnerability in SSLv3
I passed the test:
"This server is not vulnerable to the POODLE attack because it doesn't support SSL 3"
Does it mean I do not need to do anything? I did fail this (what is it?): IE 6 / XP No FS 1 No SNI 2 Protocol or cipher suite mismatch
Re: POODLE vulnerability in SSLv3
We are having trouble with an x-cart installation using Version 4.5.5 with X-PAYMENTS v.1.0.2.
After turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process. We therefore patched our x-cart installation manually by:
1.) Removing the line of code
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
from modules/XPayments_Connector/xpc_func.php. We did not see the following line within our version of x-cart:
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
So this step was bypassed.
2.) We then tested with no luck.
3.) We then removed
if ($use_ssl3) curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
from the func.https_X.php file and tested again. Still no luck.
4.) We then installed the newest X-Payments Connector, and white screened the entire cart.
Any suggestions?
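Added example (not part of any post in this thread, and not X-Cart or X-Payments code): a Python scan that lists the PHP lines still pinning cURL to SSLv3, that is, the curl_setopt(..., CURLOPT_SSLVERSION, 3) calls the posts above comment out or remove, while skipping copies that are already commented out. The function names and the sample tree, including where func.https_libcurl.php sits, are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# curl_setopt(<handle>, CURLOPT_SSLVERSION, 3) or the named constant (value 3 = SSLv3).
PIN_RE = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSLVERSION\s*,"
    r"\s*(?:3|CURL_SSLVERSION_SSLv3)\s*\)")

def strip_block_comments(src):
    # Blank out /* ... */ but keep newlines so reported line numbers stay correct.
    return re.sub(r"/\*.*?\*/",
                  lambda m: re.sub(r"[^\n]", " ", m.group()), src, flags=re.S)

def find_sslv3_pins(root):
    """Return (relative path, line number, line) for each active SSLv3 pin."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = strip_block_comments(path.read_text(errors="replace"))
        for lineno, line in enumerate(text.splitlines(), 1):
            m = PIN_RE.search(line)
            if not m:
                continue
            prefix = line[:m.start()]
            # Heuristic: a // or # earlier on the line means it is commented out.
            if "//" in prefix or "#" in prefix:
                continue
            hits.append((path.relative_to(root).as_posix(), lineno, line.strip()))
    return hits

def build_sample_tree(root):
    """Constructed sample files modelled on the lines quoted in the thread."""
    root = Path(root)
    (root / "modules/XPayments_Connector").mkdir(parents=True)
    (root / "modules/XPayments_Connector/xpc_func.php").write_text(
        "<?php\n$ch = curl_init();\ncurl_setopt($ch, CURLOPT_SSLVERSION, 3);\n")
    (root / "func.https_libcurl.php").write_text(  # location is an assumption
        "<?php\nif ($use_ssl3) curl_setopt ($ch, CURLOPT_SSLVERSION, 3);\n"
        "// curl_setopt($ch, CURLOPT_SSLVERSION, 3);\n"
        "/* curl_setopt($ch, CURLOPT_SSLVERSION, 3); */\n"
        "curl_setopt($ch, CURLOPT_TIMEOUT, 30);\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, lineno, line in find_sslv3_pins(tmp):
            print(f"{rel}:{lineno}: {line}")
```

Calling find_sslv3_pins with a store's root directory scans a real installation; an empty result after patching means no active SSLv3 pin remains in the PHP files it matched.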