Follow us on Twitter X-Cart on Facebook Wiki
Shopping cart software Solutions for online shops and malls

POODLE vulnerability in SSLv3
 
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions
 
Thread Tools
  #31  
Old 10-22-2014, 01:04 AM
 
DanUK DanUK is offline
 

X-Adept
  
Join Date: Dec 2003
Location: UK
Posts: 796
 

Default Re: POODLE vulnerability in SSLv3

OK, our hosts says they turned off SSLv3 on our server and the https://www.ssllabs.com/ssltest/ says we are not vulnerable to it.

Luckily we are still taking orders, no one has complained about inaccessible https pages over the past few days and https *appears* to be working ok. The only exception is one machine running Internet Explorer 11 where https pages give a 'page cannnot be displayed' and asks the user to change the settings to allow TLS etc This has got me a little worried although the same version IE on the other machines in the office are OK. I thought it was only earlier versions of IE that are affected?

Also, if it is disabled on the server do I also need to run the patch for my stores if everything is working ok?

Thanks
__________________
4.4.2

and

4.6.1
Reply With Quote
  #32  
Old 10-25-2014, 10:45 AM
  cherie's Avatar 
cherie cherie is online now
 

X-Wizard
  
Join Date: May 2003
Location: USA
Posts: 1,532
 

Default Re: POODLE vulnerability in SSLv3

This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.

EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.
__________________
redlimeweb.com
custom mods and design integration
4.7 linux
Reply With Quote

The following user thanks cherie for this useful post:
manningbrothers (10-28-2014)
  #33  
Old 10-25-2014, 01:58 PM
 
Chris B Chris B is offline
 

eXpert
  
Join Date: Oct 2002
Posts: 226
 

Default Re: POODLE vulnerability in SSLv3

Obviously, after turning off SSL3 on the server we no longer had the ability to enter credit card information within the checkout process.

We then patched our x-cart Version 4.5.5 using X-PAYMENTS v.1.0.2 manually by:

1.) removing the line of code

curl_setopt($ch, CURLOPT_SSLVERSION, 3);

from

modules/XPayments_Connector/xpc_func.php

We did not see the following line within our version of x-cart:

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'DEFAULT');

So this step was bypassed.


2.) We then Removed

if ($use_ssl3)
curl_setopt ($ch, CURLOPT_SSLVERSION, 3);

from

func.https_X.php file

3.) As per x-cart tech support, we then made sure our servers were running cURL v 7.18.1 or newer.


That was all we did and everything is working fine once again.


I hope this helps someone else.
__________________
4.0x - 4.5x
Reply With Quote
  #34  
Old 10-26-2014, 06:40 AM
  tam10's Avatar 
tam10 tam10 is offline
 

eXpert
  
Join Date: Mar 2007
Posts: 252
 

Default Re: POODLE vulnerability in SSLv3

The hosts ​
​ disabled use of the SSLv3 protocol on hosting servers.​


​I do not use x-payment only the standard PayPal,
But on IE 11 can't place order (no https)
How do i fix it?

Thank you.

__________________
Tammy
x-cart gold + 4.7.2
x-cart 5.2.10

Reply With Quote
  #35  
Old 10-27-2014, 11:14 PM
  ambal's Avatar 
ambal ambal is offline
 

X-Cart team
  
Join Date: Sep 2002
Posts: 4,106
 

Default Re: POODLE vulnerability in SSLv3

Chris,

> ... using X-PAYMENTS v.1.0.2

Not sure if you know it but it is a very old X-Payments v1.x version and you should upgrade to 1.0.6 or 2.1.1
__________________
Sincerely yours,
Alex Mulin
VP of business development for X-Cart
X-Payments project manager
Reply With Quote
  #36  
Old 10-28-2014, 08:45 AM
 
manningbrothers manningbrothers is offline
 

Advanced Member
  
Join Date: Feb 2006
Posts: 52
 

Default Re: POODLE vulnerability in SSLv3

Quote:
Originally Posted by cherie
This is a bigger issue with X-Cart than just X-Payments though another thread was told to look here. For example, 4.3.2 and Authorize.net AIM now fails since Authorize.net turned off SSLv3 support. cflsystems' recommendation to disable SSLv3 is the generic fix but I'm surprised there hasn't been an official patch for some older versions of X-Cart, at least 4.3 and 4.4, and this thread should be moved to an appropriate area.

EDIT: The example of 4.3.2 and Authorize.net is incorrect. This setup appears to still be working fine.
I just got an email from Authorize.net stating that "on November 4, 2014, we will be disabling the use of SSLv3 within our systems. This means that if your website or shopping cart solution uses SSLv3 to send transactions to Authorize.Net, you will no longer be able to process transactions." We are using them on XC 4.3.2 and 4.4.2.. That explains why auth.net is still functioning for the moment, but what should we do before 11/4? Any help would be greatly appreciated.
__________________
X-Cart version 4.3.2, 4.4.2, Windows OS
Reply With Quote
  #37  
Old 10-28-2014, 04:50 PM
  moonslice's Avatar 
moonslice moonslice is offline
 

Senior Member
  
Join Date: May 2004
Posts: 123
 

Default Re: POODLE vulnerability in SSLv3

What about using x-cart 4.4.5 without x-payments - just a direct use of AuthorizeNet AIM under payment gateways? It looks like the second option only applies to x-payments - but will the patch in #1 work even without x-payments?

Quote:
What needs to be done:

1) X-Cart 4 users - apply Attachment 3956 patch to your X-Cart that will disable forced use of SSLv3 and enable automatic selection of TLS or SSL so if your hosting provider disabled SSLv3 support for your X-Payments installation your X-Cart will be able to connect with X-Payments using TLS.

Or you can download our new connectors for X-Cart 4 at
https://drive.google.com/a/x-cart.com/folderview?id=0B6p7sehSZL8_akhxR0VwQ0dta2M&usp=dri ve_web#list
__________________
Jim - X-cart Gold 4.4.5
Reply With Quote
  #38  
Old 10-28-2014, 05:43 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,615
 

Default Re: POODLE vulnerability in SSLv3

See post #21 above, I think but not sure if you get all of these that should be enough
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
  #39  
Old 10-28-2014, 06:00 PM
  moonslice's Avatar 
moonslice moonslice is offline
 

Senior Member
  
Join Date: May 2004
Posts: 123
 

Default Re: POODLE vulnerability in SSLv3

Thanks so much for your help.

So I should do the things in post #21 and also install the patch in post #1?

I downloaded the patch listed in post #1 - xc4_xp_no_force_ssl3.diff, and then uploaded it to my shop root directory, but when I go to patch/upgrade in 4.4.5, it doesn't show up as available for patching.
__________________
Jim - X-cart Gold 4.4.5
Reply With Quote
  #40  
Old 10-28-2014, 06:10 PM
  cflsystems's Avatar 
cflsystems cflsystems is offline
 

Veteran
  
Join Date: Apr 2007
Posts: 13,615
 

Default Re: POODLE vulnerability in SSLv3

The diff file will not show on that page, use the section for applying patches o that same page and specify the file
__________________
Steve Stoyanov
CFLSystems.com
Web Development
Reply With Quote
Reply
   X-Cart forums > X-Payments > X-Payments issues & questions


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT -8. The time now is 11:49 PM.

   

 
X-Cart forums © 2001-2018