X-Cart: shopping cart software


ambal 10-17-2014 07:27 AM

Re: POODLE vulnerability in SSLv3
 
> Will test out the new connector - when you say "It does support v1.0.6 but only for
> credit card processing.", what does it not support exactly?

Well, this is not a good thread to discuss that.

Everything we added in v2.x - PCI compliant credit card saving, recurring orders, PA-DSS 2.0, better API to work with shopping carts like X-Cart, etc. Just check our blog for X-Payments updates.

fwm 10-17-2014 08:21 AM

Re: POODLE vulnerability in SSLv3
 
Is there a patch needed for the Magento X-Payments connector?

-atm

[QUOTE=ambal]Hi Everyone,

As you may already know, right after the OpenSSL Heartbleed vulnerability, a new one has been found in the SSL protocol - POODLE.

The POODLE vulnerability is a weakness in version 3 of the SSL protocol that allows an attacker in a man-in-the-middle context to decipher the plain text content of an SSLv3 encrypted message.

You can read more about POODLE at
https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability

Please note - this is NOT a vulnerability in X-Payments or X-Payments connector modules for X-Cart. This is a vulnerability in ciphering software used by almost any server on the Internet to establish secure connections.

What needs to be done:

1) X-Cart 4 users - apply the Attachment 3956 patch to your X-Cart. It will disable forced use of SSLv3 and enable automatic selection of TLS or SSL, so if your hosting provider disabled SSLv3 support for your X-Payments installation, your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=drive_web#list

They have been updated today to have the patch out of the box.

X-Cart 5 users - install a new version of X-Payments connector as soon as we release it or remove this line of code:
PHP Code:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

in this X-Cart 5 file:
classes/XLite/Module/CDev/XPaymentsConnector/Core/XPaymentsClient.php

UPD: X-Cart 5 patch - Attachment 3957

2) make sure your server where you run X-Cart uses cURL v 7.18.1 or newer.
If you use X-Payments Enterprise/Downloadable license - check the same for your X-Payments server.

If your cURL is older - update it.
If you have no idea what cURL is - consult with your hosting admin.

And since I mentioned the OpenSSL Heartbleed - check your OpenSSL version - it should be at least 1.0.1g[/quote]
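
The two checks in the advisory quoted above, as an added shell example that is not part of the thread or of X-Cart's own code: it finds PHP lines that pin cURL to SSLv3 and compares a libcurl version against the 7.18.1 minimum. It goes slightly beyond the quoted line by also matching PHP's `CURL_SSLVERSION_SSLv3` constant and the `curl_setopt_array()` form; the function names and the regular expression are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit helpers for the two checks in the advisory above.
# Constructed for illustration; not part of X-Cart or X-Payments.

# ERE for a cURL option pinned to SSLv3, either as the literal 3 or as PHP's
# CURL_SSLVERSION_SSLv3 constant, in curl_setopt() or curl_setopt_array() form.
SSLV3_PIN='CURLOPT_SSLVERSION[[:space:]]*(,|=>)[[:space:]]*(3|CURL_SSLVERSION_SSLv3)([^0-9A-Za-z_]|$)'

# Print file:line:text for every pinned-SSLv3 line in *.php files under $1.
# Returns 0 if at least one was found, 1 otherwise. Commented-out lines are
# reported too, so review each hit.
find_forced_sslv3() {
    hits=$(find "$1" -type f -name '*.php' \
        -exec grep -nE "$SSLV3_PIN" /dev/null {} + 2>/dev/null) || :
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Extract the libcurl version from `curl --version` output passed as $1.
libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 when dotted numeric version $1 >= $2, comparing field by field as
# integers (so 7.9.8 < 7.18.1, which a string comparison gets wrong).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Stand-alone use: sh audit.sh /path/to/x-cart
# Assumption: PHP is linked against the same libcurl as the curl CLI.
if [ -n "${1:-}" ]; then
    find_forced_sslv3 "$1" || echo "no forced SSLv3 setting under $1"
    v=$(libcurl_version "$(curl --version 2>/dev/null)")
    if version_ge "${v:-0}" 7.18.1; then
        echo "libcurl $v: meets the 7.18.1 minimum"
    else
        echo "libcurl ${v:-not found}: older than 7.18.1, update it"
    fi
fi
```

If PHP was built against a different libcurl than the command-line tool, `php -r 'echo curl_version()["version"];'` reports the version PHP actually uses.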

ambal 10-17-2014 08:27 AM

Re: POODLE vulnerability in SSLv3
 
A very good blog post about the POODLE

https://blog.totalserversolutions.com/poodle-sslv3-vulnerability-breaks-browser-security/

tam10 10-17-2014 08:53 AM

Re: POODLE vulnerability in SSLv3
 
If I only use PayPal, do I need the patch or is it not relevant to my cart?

random 10-17-2014 11:10 PM

Re: POODLE vulnerability in SSLv3
 
Quote:

Originally Posted by tam10
If I only use PayPal, do I need the patch or is it not relevant to my cart?


If you are accepting PayPal payments through X-Payments then you definitely need this patch.

ADDISON 10-18-2014 03:29 AM

Re: POODLE vulnerability in SSLv3
 
If you are a sysadmin, take a look at this article:

http://www.howtoforge.com/how-to-secure-your-ispconfig-3-server-against-the-poodle-ssl-attack

kevfromwiganinlancashire 10-18-2014 05:01 AM

Re: POODLE vulnerability in SSLv3
 
You can test here https://www.ssllabs.com/ssltest/

Kev

kevfromwiganinlancashire 10-18-2014 05:51 AM

Re: POODLE vulnerability in SSLv3
 
There is some good advice here too https://access.redhat.com/solutions/1232413

Happy to say I'm A- now (cert renewal will bring to A) :-)

cflsystems 10-18-2014 09:07 AM

Re: POODLE vulnerability in SSLv3
 
Careful with turning off SSL3 at the server level, as some 3rd party services and payment gateways may require SSL3. If this is disabled at the server level you need to immediately test the site and all https pages, and place test orders to make sure everything works.

Thomasb134 10-18-2014 10:23 AM

Re: POODLE vulnerability in SSLv3
 
Quote:

You can test here https://www.ssllabs.com/ssltest/

Thanks for the link. I tried it on my server and it says "This server is not vulnerable to the POODLE attack because it doesn't support SSL 3." Looks like I dodged that bullet.


All times are GMT -8.