imusorka Posted October 1, 2015

The following errors have started appearing on the backend following our transition to the latest version of TLS to comply with the newest PCI requirements.

----------------------------------------
Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Warning: Cannot modify header information - headers already sent
----------------------------------------

Our host is suggesting the following.

----------------------------------------
The handshake error message suggests that there are problems in your site's source. A good place to start looking is places where ssl:// was used. Disabling SSLv3 will have broken those, and they should be replaced with tls://.
----------------------------------------

How do we modify the code to line up with TLS?

imusorka Posted October 5, 2015

Surely I am not the only one experiencing this issue, am I?

Is this something to do with the following line in configure.php since TLS is enabled in place of SSL? Where do I look? How does it have to be changed to play nicely with the new server configuration? We are transitioning to TLS 1.2.

    define('ENABLE_SSL', true); // secure webserver for checkout procedure?

imusorka Posted October 5, 2015

So we have found out that osCommerce tries to use SSLv3 (see below) but since all but TLS 1.2 have been disabled on our server, this causes the aforementioned issues. Could anyone please explain what code modifications are required in order for osCommerce to use TLS 1.2?

Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

♥John W Posted October 5, 2015

The only place I know that SSL version or TLS version would be set is in some of the payment modules. SSLv3 was discontinued almost a year ago due to the Poodle vulnerability. Is this happening any time you try to go to ssl or only certain steps? Give more data as in where exactly this occurs. You can also try googling "sslv3 handshake failure".

I'm not really a dog.

imusorka Posted October 5, 2015

It occurs at checkout confirmation and whenever an order's status is changed on the back-end. The latter suggests that this issue is not limited to a payment module only. In addition, osCommerce stopped sending out automatic email confirmations following our mail server's upgrade to TLS 1.2.

♥John W Posted October 5, 2015

Search all your files for "CURLOPT_SSLVERSION". That is the only thing I can think of that will be setting an ssl version. It's a Curl setting. For instance a line using it that sets Curl to use SSLv3 would look like below. If you find a line like this, comment it out and report back if that solves it.

    curl_setopt($curl, CURLOPT_SSLVERSION, 3);

♥John W Posted October 6, 2015

Did you get this fixed? I thought about when you said it's occurring and it seems like it may be tied to sending email if it occurs when you change order status on the backend. Try updating an order without notifying the customer and see if you get that. Hopefully, you are only connecting to your admin side with SSL. What version of OSC are you using?

imusorka Posted October 18, 2015

There is no CURLOPT_SSLVERSION in any of the files. We are running 2.3.4 BS. It does seem like the error only pops up when osC is trying to send mail (order status in admin and order confirmation upon checkout).

imusorka Posted October 25, 2015

The following code is the culprit. Could anyone please suggest how it should be changed to accommodate the TLS 1.2 configuration?

    /**
     * Initiate a TLS (encrypted) session.
     * @access public
     * @return boolean
     */
    public function startTLS()
    {
        if (!$this->sendCommand('STARTTLS', 'STARTTLS', 220)) {
            return false;
        }
        // Begin encrypted connection
        if (!stream_socket_enable_crypto(
            $this->smtp_conn,
            true,
            STREAM_CRYPTO_METHOD_TLS_CLIENT
        )) {
            return false;
        }
        return true;
    }

♥John W Posted October 25, 2015

I'm pretty sure that is not standard OSC code. What file is that?

imusorka Posted October 26, 2015

You are absolutely right. We didn't realize it was part of PHPMailer, which had been installed because osC could not send mail any other way. Now that security on the server has been tightened, PHPMailer does not work either. The offending code is found in /includes/classes/class.smtp.php

burt Posted October 26, 2015

I imagine you have some phpmailer addon that someone made and uploaded to the addons area. If yes, update to the latest PHPMailer fileset:

https://github.com/PHPMailer/PHPMailer

At least then you have a known good base off which to work.

If all else fails, farm out your email system to an external system such as Mandrill.

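An added example, not code from PHPMailer, osCommerce or any poster in this thread: the startTLS() method quoted above passes the generic STREAM_CRYPTO_METHOD_TLS_CLIENT constant, which on PHP 5.6.7 through 7.1 offers TLS 1.0 only, so a mail server restricted to TLS 1.2 answers with a handshake failure alert. The code below reports which versions the generic constant covers on the running PHP and builds a mask that includes TLS 1.2; all function names are hypothetical, and the per-version constants are assumed to be available (PHP 5.6 or later).

```php
<?php
// Added example; function names are hypothetical, not PHPMailer or osCommerce code.

/** List the TLS versions a crypto-method bitmask would offer as a client. */
function tlsVersionsIn($method)
{
    $known = array(
        'TLSv1.0' => 'STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT',
        'TLSv1.1' => 'STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT',
        'TLSv1.2' => 'STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT',
    );
    $offered = array();
    foreach ($known as $label => $name) {
        // The per-version constants exist from PHP 5.6 onwards.
        if (defined($name) && ($method & constant($name)) === constant($name)) {
            $offered[] = $label;
        }
    }
    return $offered;
}

/** Crypto method that offers TLS 1.2, optionally alongside older versions. */
function tlsClientMethod($tls12Only = true)
{
    if (!defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
        return STREAM_CRYPTO_METHOD_TLS_CLIENT; // PHP < 5.6: nothing better to ask for
    }
    $method = STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT;
    if (!$tls12Only) {
        // Keep older versions on offer for servers that have not been tightened yet.
        $method |= STREAM_CRYPTO_METHOD_TLS_CLIENT | STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT;
    }
    return $method;
}

/** Upgrade an SMTP socket that has already received "220" in reply to STARTTLS. */
function upgradeToTls($stream, $tls12Only = true)
{
    return stream_socket_enable_crypto($stream, true, tlsClientMethod($tls12Only)) === true;
}

// Offline check: what does the generic constant mean on this runtime?
echo 'PHP ', PHP_VERSION, "\n";
echo 'TLS_CLIENT offers:    ', implode(', ', tlsVersionsIn(STREAM_CRYPTO_METHOD_TLS_CLIENT)), "\n";
echo 'explicit mask offers: ', implode(', ', tlsVersionsIn(tlsClientMethod(false))), "\n";
```
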
Archived
This topic is now archived and is closed to further replies.