BrockleyJohn

TLS1.2 again


It's a bit of a strange one, this, and I could do with some bright ideas to try out.

As we know, everyone, Paypal included, is updating their security protocols. For Paypal the sandbox endpoints have already been updated and the live ones will cut off support for TLS below 1.2 in a few months.

The latest version of the app has a very handy button for testing against tlstest.paypal.com which will tell you if the server is running the necessary protocol versions.

On the site I'm working with, the tests run fine (see image) and yet it fails to fetch the balance from PP sandbox with the error

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

which indicates that the TLS version is below 1.2.

The PP setting is to force TLS1.2 (even though the test indicates that the default setting should work) and I have checked that in the balance call the curl ssl version is getting set to 6 (force TLS1.2).

Full debug of call:

{
   "rpcStatus":-1,
   "rpcResponse":{
      "response":false,
      "ssl version":6,
      "error":"error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
      "info":{
         "url":"https:\/\/api-3t.sandbox.paypal.com\/nvp",
         "content_type":null,
         "http_code":0,
         "header_size":0,
         "request_size":0,
         "filetime":-1,
         "ssl_verify_result":0,
         "redirect_count":0,
         "total_time":0.07172,
         "namelookup_time":0.014239,
         "connect_time":0.07175,
         "pretransfer_time":0,
         "size_upload":0,
         "size_download":0,
         "speed_download":0,
         "speed_upload":0,
         "download_content_length":-1,
         "upload_content_length":-1,
         "starttransfer_time":0,
         "redirect_time":0,
         "certinfo":[

         ],
         "redirect_url":""
      }
   }
}

So now ... ???

(image: ssl_test.jpg)


For a new install or if your store isn't mobile-friendly, get the community-supported responsive osCommerce (2.3.4.1 CE) here: https://github.com/gburton/osCommerce-234-bootstrap/archive/master.zip

For Github users:

2.3.4.1 CE with bugfixes here: https://github.com/osComma/Responsive-osCommerce/tree/defrosted

Bootstrap addons - one per branch - https://github.com/BrockleyJohn/Responsive-osCommerce/wiki/Overview-of-Branches

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x


curious

If I test my site with the button in the osCommerce app I get 2 fails, forced or not.

However, balance retrieval etc. all works.

However, if I make tests directly with PayPal for TLS 1.2 etc. all is fine

using

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
var_dump(curl_exec($ch)); // or for more info var_dump(curl_error($ch));

So I don't know what to believe?

<?php

// Test from PayPal: a plain GET against tlstest.paypal.com with this build of curl
echo 'Test if the TLS version is compatible with PayPal:<br/>';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
echo '&nbsp;curl_exec($ch): ';
var_dump(curl_exec($ch));
echo '<br/>&nbsp;curl_error($ch): ';
var_dump(curl_error($ch));
curl_close($ch);

// Test from https://github.com/paypal/adaptivepayments-sdk-php/issues/64
// howsmyssl.com reports the TLS version curl actually negotiated with it
echo '<br/><br/>Another test, get TLS & SSL Version:<br/>';
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
$json = json_decode($data);
echo ' TLS Version: ';
if ($json !== null && isset($json->tls_version)) {
    echo $json->tls_version;
} else {
    echo 'unknown (' . curl_error($ch) . ')';
}

// curl_version() reports the SSL library curl was built against, e.g. OpenSSL/1.0.2
$curl_info = curl_version();
echo '<br/> SSL Version: ';
echo $curl_info['ssl_version'];
curl_close($ch);

?>

Another test above, which my site passes.

So I am wondering if the test from inside the App is not working as expected... 

Edited by douglaswalker


Thanks, Doug. I had already tried an independent check against tlstest.paypal.com using code from here: https://github.com/paypal/TLS-update

which tested successfully, and began incorporating a test into the app before I found it already done in the app updates on the server.

I am beginning to suspect that the tlstest environment and Paypal sandbox may not have identical requirements, so I am working through some other ideas.

First, I tried forcing HTTP1.1 - no effect.

I am now working on building a subset of the ciphers available on the server that support TLS1.2 so that I can set CURLOPT_SSL_CIPHER_LIST appropriately.

If that fails, I guess I'll have to try a certificate in the call, unless someone has a better idea.


1 hour ago, douglaswalker said:

Do you have any idea why the in app test and the independent test give different results on my server?

@douglaswalker not yet, but I'm hoping to understand... my guess is that the two paypal endpoints aren't identical



Did you get any further with this?

I am still puzzled why independent tests say OK on my live site but the button within the app says no.

To confuse things further, on another server running the same setup and the same version of the app I get an all clear.

weird


@douglaswalker yes and no. I also think I missed something in your posts before. If you get a fail and a pass from the Paypal app, that means your server supports TLS1.2 but doesn't use it by default, so it must be forced. There is now a setting in the app to force TLS1.2, which presumably you have set. Your independent code does not force TLS1.2, so it fails. If you add the option

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

before your independent test curl_exec it should succeed.

What I have learnt further is:

  • the URLs in Paypal sandbox and tlstest are not identical, despite what pp say. I ran them on https://www.ssllabs.com/ssltest/ and found that the cipher suites available are different and their priorities are different - with more secure ciphers available on tlstest, and with higher priority than the insecure ones, while there are fewer secure ones on sandbox and there are insecure ones with higher priority. However, I think this is more likely to lead to successful calls against tlstest that fail against sandbox than the other way round.
  • an empty call to tlstest.paypal.com only tests if TLS1.2 is available by default or on demand. It's not a sufficient test of the whole secure handshake. Specifically, it has no data, so it only does the first bit of the handshake where they agree on what protocol they are speaking. It doesn't get as far as agreeing the encryption and understanding what each other is saying. I tried adding extra data to the call to tlstest, but that alone doesn't make it fail (perhaps the other end needs to try and read it?).
  • so the tests in the app go as far as possible with the tools that Paypal has offered to check whether the app can function in that environment, but they don't prove it can - only the real calls can do that

Hosting support for the site I've been working on eventually responded that the server does not have ciphers available for TLS1.2 so we're working to move it.

This stuff is all to do with how the server is set up, what is available and in what order of priority so it's not at all surprising that your code gets different results on different servers.


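The curl error in the first post ("sslv3 alert handshake failure", reported from SSL23_GET_SERVER_HELLO) is the client side of a TLS alert: instead of a ServerHello, the server answered the ClientHello with a fatal alert, description 40 (handshake_failure), which a TLS 1.2 server sends when it accepts none of the protocol versions or cipher suites the client offered. When a ServerHello does come back, it already names the version and the single cipher suite the server picked, so a bare ClientHello is enough to see which suites an endpoint will take and which it refuses, which is exactly the question the cipher-suite comparison above raises. The probe below is an added example for this thread, not code from the osCommerce PayPal app or from PayPal's TLS-update repository. It speaks just enough of the TLS record layer to send a ClientHello with a chosen suite list and classify the first record that returns; the suite, version and alert tables are small subsets of the IANA registries, the extension contents (groups, point formats, signature algorithms) are reasonable defaults I chose, and the sandbox host name in the usage is taken from the debug output in the first post.

```python
"""Bare-bones TLS 1.2 handshake probe.

Sends a ClientHello offering a chosen list of cipher suites and classifies the
first record the server sends back: a ServerHello (version accepted, suite
chosen) or an alert such as handshake_failure (40), which OpenSSL reports as
'sslv3 alert handshake failure'.
"""
import os
import socket
import struct

# IANA cipher-suite codes -> OpenSSL names (a subset, assumed enough for a probe)
SUITES = {
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0x009C: "AES128-GCM-SHA256",
    0x009D: "AES256-GCM-SHA384",
    0x002F: "AES128-SHA",
    0x0035: "AES256-SHA",
}
VERSIONS = {b"\x03\x01": "TLS 1.0", b"\x03\x02": "TLS 1.1", b"\x03\x03": "TLS 1.2"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
          42: "bad_certificate", 47: "illegal_parameter", 48: "unknown_ca",
          70: "protocol_version", 80: "internal_error"}


def _ext(ext_type, data):
    """One TLS extension: type(2) length(2) data."""
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(host, suites, version=b"\x03\x03", client_random=None):
    """Return a TLS record (content type 22) carrying a ClientHello.

    The record-layer version stays at 0x0301 for compatibility; `version` is
    the highest version the client claims inside the hello itself.
    """
    name = host.encode("idna")
    sni = _ext(0, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
    groups = _ext(10, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018))   # x25519, P-256, P-384
    points = _ext(11, b"\x01\x00")                                        # uncompressed only
    sigalgs = _ext(13, struct.pack("!HHHHH", 8, 0x0401, 0x0501, 0x0601, 0x0403))
    exts = sni + groups + points + sigalgs
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (version
            + (client_random if client_random is not None else os.urandom(32))
            + b"\x00"                                  # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                              # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record in `data` (bytes read from the socket)."""
    if len(data) < 5:
        return {"result": "closed"}                # server hung up without a record
    ctype, rlen = data[0], struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rlen]
    if ctype == 21 and len(body) >= 2:             # alert: level, description
        return {"result": "alert",
                "level": "fatal" if body[0] == 2 else "warning",
                "description": ALERTS.get(body[1], str(body[1]))}
    if ctype == 22 and len(body) >= 39 and body[0] == 2:   # handshake: ServerHello
        sid_len = body[38]                         # type(1) len(3) version(2) random(32) sid_len(1)
        if len(body) < 41 + sid_len:
            return {"result": "truncated"}
        cipher = struct.unpack("!H", body[39 + sid_len:41 + sid_len])[0]
        return {"result": "server_hello",
                "version": VERSIONS.get(body[4:6], body[4:6].hex()),
                "cipher": SUITES.get(cipher, "0x%04X" % cipher)}
    return {"result": "unexpected", "content_type": ctype}


def probe(host, port=443, suites=tuple(SUITES), timeout=5.0):
    """Connect, send one ClientHello, classify the first record that comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, list(suites)))
        data = b""
        while len(data) < 5 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "api-3t.sandbox.paypal.com"
    print("all suites:", probe(target))
    for code, name in SUITES.items():              # one suite at a time shows what the server accepts
        print(name, probe(target, suites=[code]))
```

Run it from the web host itself, against both tlstest.paypal.com and api-3t.sandbox.paypal.com, and compare the two result lists: a suite that gets a ServerHello from one host and a handshake_failure alert from the other is the difference the posts above are chasing. Pass `version=b"\x03\x01"` to `build_client_hello` to see what the same server does with a TLS 1.0 hello. The probe only reads the first record, so it says nothing about certificate verification; that is a separate check.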

Interesting

mine fails in the in-app test, either forced or not,

but the server does use 1.2 and succeeds on any other tests.


I needed to add

DigiCert High Assurance EV Root CA
=======================================================
-----BEGIN CERTIFICATE-----
(certificate body not preserved in this copy of the post)
-----END CERTIFICATE-----

DigiCert Global Root G2 (SHA-256)
=======================================================
-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
MrY=
-----END CERTIFICATE-----

to the end of the paypal cert in 

ext/modules/payment/paypal

Now all validates 


Is that the root certificate for Paypal's (or yours)?



@BrockleyJohn @Harald Ponce de Leon The issue is at ext/modules/payment/paypal/paypal.com.crt: it's out of date and should be updated.

You will need to ensure that your environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.

To fix the issue of TLS v1.2, get an updated version here http://curl.haxx.se/ca/cacert.pem or use this from PayPal https://raw.githubusercontent.com/paypal/TLS-update/master/php/cacert.pem

The addon should also be updated for PHP 7 compatibility (it's just warnings, but anyway): it uses old deprecated constructors instead of __construct().

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_LOGIN has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/LOGIN/LOGIN.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_HS has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/HS/HS.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_EC has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/EC/EC.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_DP has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/DP/DP.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_PS has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/PS/PS.php on line 13

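The last two posts come down to what is inside the CA bundle the PayPal module uses for peer verification (ext/modules/payment/paypal/paypal.com.crt): if the root that the endpoint's chain terminates in is not in that file, curl's verification fails no matter which TLS version was negotiated, and replacing the file with a current cacert.pem is the fix. Before and after doing that it is worth knowing what a bundle actually contains. The script below is an added example for this thread, not code from the osCommerce PayPal app or from PayPal; it walks the DER of every certificate in a PEM bundle far enough to report subject CN, signature algorithm, validity window and SHA-256 fingerprint using only the standard library, then checks a list of required root names. The embedded certificate is the DigiCert Global Root G2 posted above; the list of required root names in the usage is an assumption for illustration, not a statement of which roots PayPal's endpoints chain to.

```python
"""Inspect a PEM CA bundle with the standard library only: per certificate the
subject CN, signature algorithm, validity and SHA-256 fingerprint, plus a check
that a list of required roots is present and currently valid."""
import base64, hashlib, re, sys
from datetime import datetime, timezone

# DigiCert Global Root G2, copied from the post above (a real root, not constructed)
DIGICERT_GLOBAL_ROOT_G2 = """-----BEGIN CERTIFICATE-----
MIIDjjCCAnagAwIBAgIQAzrx5qcRqaC7KGSxHQn65TANBgkqhkiG9w0BAQsFADBh
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBH
MjAeFw0xMzA4MDExMjAwMDBaFw0zODAxMTUxMjAwMDBaMGExCzAJBgNVBAYTAlVT
MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdpY2VydC5j
b20xIDAeBgNVBAMTF0RpZ2lDZXJ0IEdsb2JhbCBSb290IEcyMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuzfNNNx7a8myaJCtSnX/RrohCgiN9RlUyfuI
2/Ou8jqJkTx65qsGGmvPrC3oXgkkRLpimn7Wo6h+4FR1IAWsULecYxpsMNzaHxmx
1x7e/dfgy5SDN67sH0NO3Xss0r0upS/kqbitOtSZpLYl6ZtrAGCSYP9PIUkY92eQ
q2EGnI/yuum06ZIya7XzV+hdG82MHauVBJVJ8zUtluNJbd134/tJS7SsVQepj5Wz
tCO7TG1F8PapspUwtP1MVYwnSlcUfIKdzXOS0xZKBgyMUNGPHgm+F6HmIcr9g+UQ
vIOlCsRnKPZzFBQ9RnbDhxSJITRNrw9FDKZJobq7nMWxM4MphQIDAQABo0IwQDAP
BgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNVHQ4EFgQUTiJUIBiV
5uNu5g/6+rkS7QYXjzkwDQYJKoZIhvcNAQELBQADggEBAGBnKJRvDkhj6zHd6mcY
1Yl9PMWLSn/pvtsrF9+wX3N3KjITOYFnQoQj8kVnNeyIv/iPsGEMNKSuIEyExtv4
NeF22d+mQrvHRAiGfzZ0JFrabA0UWTW98kndth/Jsw1HKj2ZL7tcu7XUIOGZX1NG
Fdtom/DzMNU+MeKNhJ7jitralj41E6Vf8PlwUHBHQRFXGU7Aj64GxJUTFy8bJZ91
8rGOmaFvE7FBcf6IKshPECBV1/MUReXgRPTqh5Uykw7+U0b6LJ3/iyK5S9kJRaTe
pLiaWN0bfVKfjllDiIGknibVb63dDcY3fe0Dkhvld1927jyNxF1WW6LZZm6zNTfl
MrY=
-----END CERTIFICATE-----"""

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = "2.5.4.3"
SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """All TLVs laid end to end between start and end."""
    out, pos = [], start
    while pos < end:
        out.append(_tlv(buf, pos))
        pos = out[-1][2]
    return out

def _oid(raw):
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for c in raw[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def _name_cn(buf, start, end):
    """First commonName in an X.501 Name: SEQUENCE of SET of SEQUENCE{oid, value}."""
    for _, ss, se in _children(buf, start, end):
        for _, qs, qe in _children(buf, ss, se):
            (_, os_, oe), (_, vs, ve) = _children(buf, qs, qe)[:2]
            if _oid(buf[os_:oe]) == OID_CN:
                return buf[vs:ve].decode("utf-8", "replace")
    return None

def _time(buf, tag, vs, ve):
    text = buf[vs:ve].decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY >= 50 is 19YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_cert(der):
    _, s, _ = _tlv(der, 0)                 # Certificate
    _, ts, te = _tlv(der, s)               # tbsCertificate
    fields = _children(der, ts, te)
    if fields[0][0] == 0xA0:               # optional explicit [0] version comes first
        fields = fields[1:]
    sig_alg, issuer, validity, subject = fields[1:5]   # fields[0] is the serial number
    alg = _children(der, sig_alg[1], sig_alg[2])[0]
    oid = _oid(der[alg[1]:alg[2]])
    not_before, not_after = _children(der, validity[1], validity[2])
    return {"subject_cn": _name_cn(der, subject[1], subject[2]),
            "sig_alg": SIG_ALGS.get(oid, oid),
            "not_before": _time(der, *not_before), "not_after": _time(der, *not_after),
            "sha256": hashlib.sha256(der).hexdigest()}

def load_bundle(pem_text):
    return [parse_cert(base64.b64decode("".join(b64.split()))) for b64 in PEM_BLOCK.findall(pem_text)]

def missing_roots(bundle, required_cns, now=None):
    """Required subject CNs that are absent from the bundle or not valid at `now`."""
    now = now or datetime.now(timezone.utc)
    present = {c["subject_cn"] for c in bundle if c["not_before"] <= now <= c["not_after"]}
    return [cn for cn in required_cns if cn not in present]

if __name__ == "__main__":   # python bundle_check.py ext/modules/payment/paypal/paypal.com.crt
    certs = load_bundle(open(sys.argv[1]).read() if len(sys.argv) > 1 else DIGICERT_GLOBAL_ROOT_G2)
    for c in certs:
        print(f"{c['subject_cn']!s:40} {c['sig_alg']:24} until {c['not_after']:%Y-%m-%d} {c['sha256'][:16]}")
    # required names here are an assumption for illustration, not PayPal's published chain
    print("missing:", missing_roots(certs, ["DigiCert Global Root G2", "DigiCert High Assurance EV Root CA"]))
```

Point it at paypal.com.crt before and after swapping in curl's cacert.pem to see which roots each file carries and whether any are past their notAfter date. The parser stops at the subject field, so it reports what is in the bundle; it does not validate signatures or build a chain, and a bundle that contains the right root can still fail if the server omits an intermediate.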
