POODLE vulnerability in SSLv3

Vacman · #**101** 11-07-2014, 06:53 AM

I am running 4.6.3 with X-Pay 1.0.6.
bCURL 7.24.0
CURL executable curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5

I applied the XC patches and verified they were working. Then tested the server and found that the vulnerability was indeed there. Called in a ticket to Hostgator who responded with this."I have updated your Apache configuration to disable ssl 2 and ssl 3. As for 1.2 TLs this is not avaiable for your server. As you are on CentOs 5.11."

Of course this ended up breaking my X-Payments 1.06.

So I contacted them again: "I have disabled the restrictions against SSLv2/3 that were put in place and confirmed the Xpayments page now works correctly. However, you will need to reach out to the XPayments developer for an update to support TLS only connections over HTTPS so that we can put the restrictions back in place for SSLv2/3."

I then checked out the X-Payemnts pactches list on the first page of this thread and in the instructions for the 4.6.3 patch is states that I need to be using Payments 2.1.1 (or newer) for the patch....

Is there a patch for the 1.0.6?

ambal · #**102** 11-10-2014, 12:37 AM

> Is there a patch for the 1.0.6?

There is no need to patch X-Payments. It just uses SSL layer provider by the server. If your hosting cannot enable and provide TLS correctly - I advise to use a better hosting provider for your X-Payments or use our hosted plan.

gravel · #**103** 11-12-2014, 02:23 PM

Quote:

Originally Posted by cflsystems

XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. Solution will be to find the line in the file that sets the option for SSL3 and comment it out for example in

func.https_libcurl.php there is this

PHP Code:


		
			
if ($use_ssl3)
        curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

so just comment it out

PHP Code:


		
			
//   if ($use_ssl3)
       // curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible

In ....ssleay.php does this line need modification, and if so, what?

Code:

  $execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

Thanks.

aim · #**104** 11-12-2014, 07:32 PM

Quote:

Originally Posted by gravel

In ....ssleay.php does this line need modification, and if so, what?

Code:

  $execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

Thanks.

Yes it does need small modification.

Please have a look on the
DIFF-xcart.diff file in the
remove_ssl3-2014-10-30{version}.tgz archive

http://forum.x-cart.com/showpost.php?p=379153&postcount=57

gravel · #**105** 11-13-2014, 07:09 AM

Quote:

Originally Posted by aim

Yes it does need small modification.

Please have a look on the
DIFF-xcart.diff file in the
remove_ssl3-2014-10-30{version}.tgz archive

http://forum.x-cart.com/showpost.php?p=379153&postcount=57

Thanks. This is for 4.0.17, and I don't see any files in "Updates and patches" for that version. What version should I use?

aim · #**106** 11-13-2014, 07:14 AM

Quote:

Originally Posted by gravel

Thanks. This is for 4.0.17, and I don't see any files in "Updates and patches" for that version. What version should I use?

http://forum.x-cart.com/showpost.php?p=379153&postcount=57

Quote:

Originally Posted by
Ksenia

NOT affected: 4.2.1 and earlier ; 4.6.5 (the latest currently) ; all versions of X-Cart 5.x

gravel · #**107** 11-13-2014, 12:45 PM

Quote:

Originally Posted by aim

http://forum.x-cart.com/showpost.php?p=379153&postcount=57

One of our sites has been experiencing a UPS problem for some customers (but not all). Even thought it's a 4.0.17 site, commenting out if statements with "ssl3" fixed the problem. See http://forum.x-cart.com/showthread.php?t=70478.

So again, I ask, for the file func_https_ssleay.php, how do I modify this line which contains "ssl3":

Code:

$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

aim · #**108** 11-13-2014, 08:35 PM

Quote:

Originally Posted by gravel

One of our sites has been experiencing a UPS problem for some customers (but not all). Even thought it's a 4.0.17 site, commenting out if statements with "ssl3" fixed the problem. See http://forum.x-cart.com/showthread.php?t=70478.

So again, I ask, for the file func_https_ssleay.php, how do I modify this line which contains "ssl3":

Code:

$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

Sorry for the misunderstanding.

It seems your https modules have 4.2.x/4.3.x or 4.x.x versions.

In this case you have to apply the
remove_ssl3-2014-10-30.4.2.3.tgz
or
remove_ssl3-2014-10-30.4.3.2.tgz
or
remove_ssl3-2014-10-30.4.x.x.tgz
patches.

Regarding the netssleay module you have to apply this patch

Code:

Index: payment/netssleay.pl
===================================================================
--- payment/netssleay.pl    2014-10-30 10:53:36.853370920 +0300
+++ payment/netssleay.pl    2014-10-30 10:56:14.703370767 +0300
@@ -9,15 +9,16 @@

 if ($#ARGV < 1) {
    print <<EOF;
- Usage: $0 host port use_ssl3 [cert [keycert]] < requestfile
+ Usage: $0 host port use_tls [cert [keycert]] < requestfile
 EOF
    exit;
 }

-($host, $port, $use_ssl3, $cert, $kcert) = @ARGV;
+($host, $port, $use_tls, $cert, $kcert) = @ARGV;

-if ($use_ssl3 == '1') {
-   $Net::SSLeay::ssl_version = 3;
+if ($use_tls == '1') {
+   # http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#KNOWN_BUGS_AND_CAVEATS
+   $Net::SSLeay::ssl_version = 10;
 }

 $request = "";

You can skip the func.https_ssleay.php file modification.

By the way it seems the onlinetools.ups.com UPS server still supports SSL3 protocol.
https://www.ssllabs.com/ssltest/analyze.html?d=onlinetools.ups.com&s=153.2.228.76& hideResults=on

Cameron · #**109** 11-16-2014, 12:58 PM

I'm posting this for posterity, and in case it might help someone else who is on 4.4.2 or similar.

When running the .diff patch, it couldn't patch func.https_libcurl.php

When I just replaced my old file with the new one, it wasn't possible to add products to the cart or view the cart. Bad.

So I went through the .diff file line by line and found that the only way to make it work was to omit the change:

Code:

-        curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 1);
+        curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 2);

I also manually changed all instances of ssl3 to tls instead of doing a copy/paste and just changed the 3 to a 1 on the line for

Code:

curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

I didn't bother pasting in the // http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html CURL_SSLVERSION_TLSv1
part since it's just a comment.

That got us back up and running along with patching the other files (some of those I also had to do by hand b/c of problems with the .diff files not matching.)

Anyhow, I hope that helps someone else out there.

gravel · #**110** 11-17-2014, 07:04 AM

Quote:

Originally Posted by aim

It seems your https modules have 4.2.x/4.3.x or 4.x.x versions.

In this case you have to apply the
remove_ssl3-2014-10-30.4.2.3.tgz
or
remove_ssl3-2014-10-30.4.3.2.tgz
or
remove_ssl3-2014-10-30.4.x.x.tgz
patches.

Thank you Ildar. We have 4.0.17 and 4.0.18 carts, and I can't find "4.x.x" patch files in my file area. I will try using the "4.2.3" files.

That's interesting about the UPS server. So far, though, we have had no further problems.