SSL > TLS Transition Issues

[imusorka]

The following errors have started appearing on the backend following our transition to the latest version of TLS to comply with the newest PCI requirements.

 

----------------------------------------------------------------------------------------------------------------------------------------

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

Warning: Cannot modify header information - headers already sent

----------------------------------------------------------------------------------------------------------------------------------------

 

Our host is suggesting the following.

 

----------------------------------------------------------------------------------------------------------------------------------------

The handshake error message suggests that there are problems in your site's source. A good place to start looking is places where ssl:// was used. Disabling SSLv3 will have broken those, and they should be replaced with tls://.

----------------------------------------------------------------------------------------------------------------------------------------

 

How do we modify the code to line up with TLS?

[imusorka]

Surely I am not the only one experiencing this issue, am I? Is this something to do with the following line in configure.php since TLS is enabled in place of SSL? Where do I look? How does it have to be changed to play nicely with the new server configuration? We are transitioning to TLS 1.2.

define('ENABLE_SSL', true); // secure webserver for checkout procedure?

[imusorka]

So we have found out that osCommerce tries to use SSLv3 (see below) but since all but TLS 1.2 have been disabled on our server, this causes the aforementioned issues. Could anyone please explain what code modifications are required in order for osCommerce to use TLS 1.2?

 

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1.
OpenSSL Error messages: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert
handshake failure

[♥John W]

The only place I know that SSL version or TLS version would be set is in some of the payment modules.  SSLv3  was discontinued almost a year ago due to the Poodle vulnerability.  Is this happening any time you try to go to ssl or only certain steps?  Give more data as in where exactly this occurs.  You can also try googling "sslv3 handshake failure" 

[imusorka]

It occurs at checkout confirmation and whenever an order's status is changed on the back-end. The latter suggests that this issue is not limited to a payment module only. In addition, osCommerce stopped sending out automatic email confirmations following our mail server's upgrade to TLS 1.2.

[♥John W]

Search all your files for "CURLOPT_SSLVERSION"

That is the only thing I can think of that will be setting an ssl version. It's a Curl setting.  For instance a line using it that sets Curl to use SSLv3 would look like below.  If you find a line like this comment it out and report back if that solves it. 

        curl_setopt($curl, CURLOPT_SSLVERSION, 3);

[♥John W]

Did you get this fixed?  I thought about when you said it's occuring and it seems like it may be tired to sending email if it occurs when you change order status on the backend.  Try updating an order without notifying the customer and see if you get that.  Hopefully, you are only connecting to your admin side with SSL.

 

What version of OSC are you using?

[imusorka]

There is no CURLOPT_SSLVERSION in any of the files. We are running 2.3.4 BS. It does seem like the error only pops up when osC is trying to send mail (order status in admin and order confirmation upon checkout).

[imusorka]

The following code is the culprit. Could anyone please suggest how it should be changed to accommodate the TLS 1.2 configuration?

    /**
     * Initiate a TLS (encrypted) session.
     * @[member=access] public
     * @[member=Return] boolean
     */
    public function startTLS()
    {
        if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
            return false;
        }
        // Begin encrypted connection
        if (!stream_socket_enable_crypto(
            $this->smtp_conn,
            true,
            STREAM_CRYPTO_METHOD_TLS_CLIENT
        )) {
            return false;
        }
        return true;
    }

[♥John W]

I'm pretty sure that is not standard OSC code.  What file is that?

[imusorka]

You are absolutely right. We didn't realize it was part of PHPMailer, which had been installed because osC could not send mail any other way. Now that security on the server has been tightened, PHPMailer does not work either. The offending code is found in /includes/classes/class.smtp.php

[burt]

I imagine you have some phpmailer addon that someone made and uploaded to the addons area.   If yes, update to the latest PHPmailer fileset;

 

https://github.com/PHPMailer/PHPMailer

 

At least then you have a known good base off which to work.

 

If all else fails, farm out your email system to an external system such as Mandrill.