

Heartbleed bug + 2012 fix applied in Paypal Checkout Confirmation


Just a thought, due to the recent Heartbleed Bug it may be wise, for those that applied the excellent 2012 fix provided by @Mort-lemur in this thread regarding paypal checkout confirmation, to update their OpenSSL certificate.


However I read that the OpenSSL 0.9.8 branch, which was used in the fix provided by Heather, should NOT be vulnerable.


I don't know if paypal checkout confirmation is still an issue in the newest Osc version, but for older versions it might be useful to consider.



~ Don't mistake my kindness for weakness ~


You can also Check your server for vulnerability with these tools: http://filippo.io/Heartbleed/ and http://possible.lv/tools/hb/

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.


Please note that this is not an osCommerce bug, but is a bug in the server software being used by your host.


To check which version of OpenSSL is being used, go to:


admin > tools > server info


This brings up a large page which has a lot of information about your site and server. Scroll down until you find: "SSL Version"


Here you will see the exact version installed on the server. As far as I am aware versions of OpenSSL from 1.0.1 to 1.0.1f (inclusive) are problematic. If your server info page reports you as using one of these, you need to contact your host to ascertain if it has been patched or not.

Help shape the future of Phoenix; join the Phoenix Club


Just to expand on the above.


What versions of the OpenSSL are affected?


Status of different versions:

  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
  • OpenSSL 1.0.1g is NOT vulnerable
  • OpenSSL 1.0.0 branch is NOT vulnerable
  • OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.


On one of my sites it shows


OpenSSL Version  OpenSSL 1.0.0-fips 29 Mar 2010


So in this case it is not using one of the vulnerable versions so nothing to do.


If it was OpenSSL 1.0.1 through 1.0.1f (inclusive) I would be on the phone to my hosts.





Need help installing add ons/contributions, cleaning a hacked site or a bespoke development, check my profile


Virus Threat Scanner

My Contributions

Basic install answers.

Click here for Contributions / Add Ons.

UK your site.

Site Move.

Basic design info.


For links mentioned in old answers that are no longer here follow this link Useful Threads.


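The two posts above describe the manual check (read the "SSL Version" line from admin > tools > server info, then compare it with the version list). The script below is an added example, not code from the thread or from osCommerce: it parses an OpenSSL version string in the same format the server-info page shows and classifies it using exactly the list given above (1.0.1 through 1.0.1f vulnerable; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch not vulnerable). It goes one step beyond the thread in also flagging 1.0.2-beta1, which the OpenSSL advisory listed as affected (fixed in 1.0.2-beta2). The sample strings in the test are constructed. One caveat a practitioner should keep in mind: the version string alone is not proof either way, because distributions sometimes backport the fix without changing the letter suffix, which is why the advice to confirm with your host still stands.

```python
import re

# Version list as given in the thread:
#   OpenSSL 1.0.1 through 1.0.1f (inclusive) -> vulnerable
#   OpenSSL 1.0.1g                            -> not vulnerable
#   OpenSSL 1.0.0 branch, 0.9.8 branch        -> not vulnerable
# Beyond the thread (from the OpenSSL advisory): 1.0.2-beta1 was affected too.
# Anything on the 1.0.1 line after 'f' shipped after the fix and is treated as fixed.

# Matches e.g. "OpenSSL 1.0.0-fips 29 Mar 2010", "OpenSSL 1.0.1e-fips",
# "OpenSSL 1.0.1 14 Mar 2012" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Return (major, minor, fix, letter, beta) parsed from a server-info style line.

    'letter' is the patch letter ('' for a plain release), 'beta' is an int or None.
    Returns None when no OpenSSL version string is present in the text.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = (int(x) for x in m.group(1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, fix, m.group(4), beta


def heartbleed_status(text):
    """Classify a version string as 'vulnerable', 'not vulnerable' or 'unknown'.

    Only the reported version number is considered; a backported fix that keeps
    the old version string cannot be detected this way.
    """
    parsed = parse_openssl_version(text)
    if parsed is None:
        return "unknown"
    major, minor, fix, letter, beta = parsed
    line = (major, minor, fix)
    if line == (1, 0, 1):
        # Plain 1.0.1 and letters a..f are vulnerable; g and later are fixed.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if line == (1, 0, 2) and beta == 1:
        # 1.0.2-beta1 carried the bug; beta2 onward did not.
        return "vulnerable"
    # 1.0.0, 0.9.8 and everything else outside the 1.0.1 line: not affected.
    return "not vulnerable"


if __name__ == "__main__":
    # Constructed sample, in the format admin > tools > server info displays.
    sample = "OpenSSL Version  OpenSSL 1.0.0-fips 29 Mar 2010"
    print(sample, "->", heartbleed_status(sample))
```

Paste the "SSL Version" line from your server-info page into `heartbleed_status()`; a result of `vulnerable` means it is time to contact the host, `not vulnerable` means the reported version is outside the affected range, and `unknown` means no OpenSSL version string was found in the text.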
