Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

POODLE vulnerability in SSLv3

 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #101  
Old 11-07-2014, 06:53 AM
  Vacman's Avatar 
Vacman Vacman is offline
 

X-Adept
  
Join Date: Sep 2005
Location: Torrance, CA
Posts: 792
 

Default Re: POODLE vulnerability in SSLv3

I am running 4.6.3 with X-Pay 1.0.6.
bCURL 7.24.0
CURL executable curl 7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5

I applied the XC patches and verified they were working. Then tested the server and found that the vulnerability was indeed there. Called in a ticket to Hostgator who responded with this."I have updated your Apache configuration to disable ssl 2 and ssl 3. As for 1.2 TLs this is not avaiable for your server. As you are on CentOs 5.11."

Of course this ended up breaking my X-Payments 1.06.

So I contacted them again: "I have disabled the restrictions against SSLv2/3 that were put in place and confirmed the Xpayments page now works correctly. However, you will need to reach out to the XPayments developer for an update to support TLS only connections over HTTPS so that we can put the restrictions back in place for SSLv2/3."

I then checked out the X-Payemnts pactches list on the first page of this thread and in the instructions for the 4.6.3 patch is states that I need to be using Payments 2.1.1 (or newer) for the patch....

Is there a patch for the 1.0.6?
__________________
Carl Tice

X-Cart 4.6.6
X-Payments 3.0
ReBOOT 3.4.1

PHP 5.6.30
MySQL 5.6.35
Linux 2.6.32-042stab120.18
ionCube PHP Loader v4.7.3
Perl 5.10.1
Reply With Quote
  #102  
Old 11-10-2014, 12:37 AM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,115
 

Default Re: POODLE vulnerability in SSLv3

> Is there a patch for the 1.0.6?

There is no need to patch X-Payments. It just uses SSL layer provider by the server. If your hosting cannot enable and provide TLS correctly - I advise to use a better hosting provider for your X-Payments or use our hosted plan.
__________________
Sincerely yours,
Alex Mulin
VP of Business Development for X-Cart
X-Payments product manager
Reply With Quote
  #103  
Old 11-12-2014, 02:23 PM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cflsystems
XC uses SSL 3 in these files as well

func.https_X.php

where X is libcurl, curl, openssl, ssleay

It is OFF by default but other code in XC may set it to true when used. Solution will be to find the line in the file that sets the option for SSL3 and comment it out for example in

func.https_libcurl.php there is this

PHP Code:
if ($use_ssl3)
        
curl_setopt ($chCURLOPT_SSLVERSION3); 

so just comment it out

PHP Code:
//   if ($use_ssl3)
       // curl_setopt ($ch, CURLOPT_SSLVERSION, 3); 

This is untested so make sure you do some test orders if changing it

QT can we get clarification on this and a patch for XC if possible

In ....ssleay.php does this line need modification, and if so, what?

Code:
$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

Thanks.
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
Reply With Quote
  #104  
Old 11-12-2014, 07:32 PM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by gravel
In ....ssleay.php does this line need modification, and if so, what?

Code:
$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);

Thanks.

Yes it does need small modification.

Please have a look on the
DIFF-xcart.diff file in the
remove_ssl3-2014-10-30{version}.tgz archive

http://forum.x-cart.com/showpost.php?p=379153&postcount=57
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
Reply With Quote
  #105  
Old 11-13-2014, 07:09 AM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by aim
Yes it does need small modification.

Please have a look on the
DIFF-xcart.diff file in the
remove_ssl3-2014-10-30{version}.tgz archive

http://forum.x-cart.com/showpost.php?p=379153&postcount=57

Thanks. This is for 4.0.17, and I don't see any files in "Updates and patches" for that version. What version should I use?
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
Reply With Quote
  #106  
Old 11-13-2014, 07:14 AM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by gravel
Thanks. This is for 4.0.17, and I don't see any files in "Updates and patches" for that version. What version should I use?


http://forum.x-cart.com/showpost.php?p=379153&postcount=57

Quote:
Originally Posted by
Ksenia
NOT affected: 4.2.1 and earlier ; 4.6.5 (the latest currently) ; all versions of X-Cart 5.x
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
Reply With Quote
  #107  
Old 11-13-2014, 12:45 PM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: POODLE vulnerability in SSLv3


One of our sites has been experiencing a UPS problem for some customers (but not all). Even thought it's a 4.0.17 site, commenting out if statements with "ssl3" fixed the problem. See http://forum.x-cart.com/showthread.php?t=70478.

So again, I ask, for the file func_https_ssleay.php, how do I modify this line which contains "ssl3":
Code:
$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
Reply With Quote
  #108  
Old 11-13-2014, 08:35 PM
 
aim aim is offline
Advanced Staff Users
 

X-Cart team
  
Join Date: Dec 2008
Posts: 928
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by gravel
One of our sites has been experiencing a UPS problem for some customers (but not all). Even thought it's a 4.0.17 site, commenting out if statements with "ssl3" fixed the problem. See http://forum.x-cart.com/showthread.php?t=70478.

So again, I ask, for the file func_https_ssleay.php, how do I modify this line which contains "ssl3":
Code:
$execline .= " $ui[host] $ui[port] " . ($use_ssl3 ? '1' : '0') . ' ' . func_shellquote($cert) . ' ' . func_shellquote($kcert) . ' < ' . func_shellquote($tmpfile) . ' 2>' . func_shellquote($ignorefile);


Sorry for the misunderstanding.

It seems your https modules have 4.2.x/4.3.x or 4.x.x versions.

In this case you have to apply the
remove_ssl3-2014-10-30.4.2.3.tgz
or
remove_ssl3-2014-10-30.4.3.2.tgz
or
remove_ssl3-2014-10-30.4.x.x.tgz
patches.

Regarding the netssleay module you have to apply this patch

Code:
Index: payment/netssleay.pl =================================================================== --- payment/netssleay.pl 2014-10-30 10:53:36.853370920 +0300 +++ payment/netssleay.pl 2014-10-30 10:56:14.703370767 +0300 @@ -9,15 +9,16 @@ if ($#ARGV < 1) { print <<EOF; - Usage: $0 host port use_ssl3 [cert [keycert]] < requestfile + Usage: $0 host port use_tls [cert [keycert]] < requestfile EOF exit; } -($host, $port, $use_ssl3, $cert, $kcert) = @ARGV; +($host, $port, $use_tls, $cert, $kcert) = @ARGV; -if ($use_ssl3 == '1') { - $Net::SSLeay::ssl_version = 3; +if ($use_tls == '1') { + # http://search.cpan.org/~mikem/Net-SSLeay-1.66/lib/Net/SSLeay.pod#KNOWN_BUGS_AND_CAVEATS + $Net::SSLeay::ssl_version = 10; } $request = "";


You can skip the func.https_ssleay.php file modification.


By the way it seems the onlinetools.ups.com UPS server still supports SSL3 protocol.
https://www.ssllabs.com/ssltest/analyze.html?d=onlinetools.ups.com&s=153.2.228.76& hideResults=on
__________________
Sincerely yours,
Ildar Amankulov
Head of Maintenance group
Reply With Quote

The following user thanks aim for this useful post:
gravel (11-17-2014)
  #109  
Old 11-16-2014, 12:58 PM
 
Cameron Cameron is offline
 

eXpert
  
Join Date: Jan 2003
Location: Washington State, USA
Posts: 224
 

Default func.https_libcurl.php problems

I'm posting this for posterity, and in case it might help someone else who is on 4.4.2 or similar.

When running the .diff patch, it couldn't patch func.https_libcurl.php

When I just replaced my old file with the new one, it wasn't possible to add products to the cart or view the cart. Bad.

So I went through the .diff file line by line and found that the only way to make it work was to omit the change:

Code:
- curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 1); + curl_setopt ($ch, CURLOPT_SSL_VERIFYHOST, 2);

I also manually changed all instances of ssl3 to tls instead of doing a copy/paste and just changed the 3 to a 1 on the line for
Code:
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);


I didn't bother pasting in the // http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html CURL_SSLVERSION_TLSv1
part since it's just a comment.

That got us back up and running along with patching the other files (some of those I also had to do by hand b/c of problems with the .diff files not matching.)

Anyhow, I hope that helps someone else out there.
__________________
Current project: 4.4.2
Reply With Quote

The following 2 users thank Cameron for this useful post:
aim (11-17-2014), rct (03-10-2015)
  #110  
Old 11-17-2014, 07:04 AM
 
gravel gravel is offline
 

Senior Member
  
Join Date: Mar 2004
Posts: 156
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by aim
It seems your https modules have 4.2.x/4.3.x or 4.x.x versions.

In this case you have to apply the
remove_ssl3-2014-10-30.4.2.3.tgz
or
remove_ssl3-2014-10-30.4.3.2.tgz
or
remove_ssl3-2014-10-30.4.x.x.tgz
patches.
Thank you Ildar. We have 4.0.17 and 4.0.18 carts, and I can't find "4.x.x" patch files in my file area. I will try using the "4.2.3" files.

That's interesting about the UPS server. So far, though, we have had no further problems.
__________________
X-Cart version 4.0.17
X-Cart version 4.0.18
Web servers = Apache
OS = Linux
Reply With Quote

The following user thanks gravel for this useful post:
aim (11-17-2014)
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 04:41 AM.

   

 
X-Cart forums © 2001-2020