Shopping cart software Solutions for online shops and malls
#31
Re: POODLE vulnerability in SSLv3
OK, our hosts say they turned off SSLv3 on our server and the https://www.ssllabs.com/ssltest/ says we are not vulnerable to it.
Luckily we are still taking orders, no one has complained about inaccessible https pages over the past few days and https *appears* to be working ok. The only exception is one machine running Internet Explorer 11 where https pages give a 'page cannot be displayed' and asks the user to change the settings to allow TLS etc. This has got me a little worried, although the same version of IE on the other machines in the office is OK. I thought it was only earlier versions of IE that are affected? Also, if it is disabled on the server, do I also need to run the patch for my stores if everything is working ok? Thanks
__________________
4.4.2 and 4.6.1
#32
Re: POODLE vulnerability in SSLv3
This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.
EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.
#33
Re: POODLE vulnerability in SSLv3
Obviously, after turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.
We then patched our x-cart Version 4.5.5 using X-PAYMENTS v.1.0.2 manually by:
1.) removing the line of code curl_setopt($ch, CURLOPT_SSLVERSION, 3); from modules/XPayments_Connector/xpc_func.php
We did not see the following line within our version of x-cart: curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT'); So this step was bypassed.
2.) We then removed if ($use_ssl3) curl_setopt ($ch, CURLOPT_SSLVERSION, 3); from func.https_X.php file
3.) As per x-cart tech support, we then made sure our servers were running cURL v 7.18.1 or newer.
That was all we did and everything is working fine once again. I hope this helps someone else.
__________________
4.0x - 4.5x
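
A check to go with the manual patch in post #33, as an added example that is not part of the original thread or of X-Cart's code: a Python scanner that lists every curl handle in PHP source still pinned to SSLv2/SSLv3, so pins outside the two files named in the post are not missed. The function names and the sample PHP are constructed for illustration; the two pinning statements in the sample are the ones quoted in the post.

```python
import re
from pathlib import Path

# CURLOPT_SSLVERSION values that pin a handle to an SSL protocol in PHP:
# 2 / CURL_SSLVERSION_SSLv2 and 3 / CURL_SSLVERSION_SSLv3.
PIN = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_SSLVERSION\s*,\s*"
    r"(?P<value>[23]|CURL_SSLVERSION_SSLv[23])\s*\)"
)
# Line-based comment detection; pins inside multi-line strings are not handled.
LINE_COMMENT = re.compile(r"^\s*(//|#|\*|/\*)")


def find_ssl_pins(source, filename="<string>"):
    """Return (filename, line_no, value, stripped_line) for each live pin."""
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if LINE_COMMENT.match(line):
            continue  # a commented-out pin is already neutralised
        for m in PIN.finditer(line):
            hits.append((filename, line_no, m.group("value"), line.strip()))
    return hits


def scan_tree(root):
    """Scan every .php file under root (e.g. the shop's root directory)."""
    hits = []
    for path in sorted(Path(root).rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        hits.extend(find_ssl_pins(text, str(path)))
    return hits


# Constructed sample built around the two statements quoted in the post.
SAMPLE = """<?php
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
if ($use_ssl3) curl_setopt ($ch, CURLOPT_SSLVERSION, 3);
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_SSLv3);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
"""

if __name__ == "__main__":
    for name, line_no, value, text in find_ssl_pins(SAMPLE, "sample.php"):
        print(f"{name}:{line_no}: pinned to {value}: {text}")
```

Running `scan_tree` on the shop root after patching should return an empty list; any remaining hit is a request that will fail against a server with SSLv3 disabled.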
#34
Re: POODLE vulnerability in SSLv3
The hosts disabled use of the SSLv3 protocol on hosting servers. I do not use x-payment, only the standard PayPal, but on IE 11 I can't place an order (no https). How do I fix it? Thank you.
__________________
Tammy x-cart gold + 4.7.2 x-cart 5.2.10
#35
Re: POODLE vulnerability in SSLv3
Chris,
> ... using X-PAYMENTS v.1.0.2
Not sure if you know it, but it is a very old X-Payments v1.x version and you should upgrade to 1.0.6 or 2.1.1
__________________
Sincerely yours, Alex Mulin VP of Business Development for X-Cart X-Payments product manager
#36
Re: POODLE vulnerability in SSLv3
Quote:
__________________
X-Cart version 4.3.2, 4.4.2, Windows OS
#37
Re: POODLE vulnerability in SSLv3
What about using x-cart 4.4.5 without x-payments - just a direct use of AuthorizeNet AIM under payment gateways? It looks like the second option only applies to x-payments - but will the patch in #1 work even without x-payments?
Quote:
__________________
Jim - X-cart Gold 4.4.5
#38
Re: POODLE vulnerability in SSLv3
See post #21 above. I think, but I'm not sure, that if you get all of these, that should be enough.
__________________
Steve Stoyanov CFLSystems.com Web Development
#39
Re: POODLE vulnerability in SSLv3
Thanks so much for your help.
So I should do the things in post #21 and also install the patch in post #1? I downloaded the patch listed in post #1 - xc4_xp_no_force_ssl3.diff, and then uploaded it to my shop root directory, but when I go to patch/upgrade in 4.4.5, it doesn't show up as available for patching.
__________________
Jim - X-cart Gold 4.4.5
#40
Re: POODLE vulnerability in SSLv3
The diff file will not show on that page; use the section for applying patches on that same page and specify the file.
__________________
Steve Stoyanov CFLSystems.com Web Development
X-Cart forums © 2001-2020