BrockleyJohn Posted February 28, 2018

It's a bit of a strange one, this, and I could do with some bright ideas to try out. As we know, everywhere including Paypal is updating their security protocols. For Paypal the sandbox endpoints have already been updated and the live ones will cut off support for TLS below 1.2 in a few months. The latest version of the app has a very handy button for testing against tlstest.paypal.com which will tell you if the server is running the necessary protocol versions.

On the site I'm working with, the tests run fine (see image) and yet it fails to fetch the balance from PP sandbox with the error

    error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

which indicates that the TLS version is below 1.2. The PP setting is to force TLS1.2 (even though the test indicates that the default setting should work) and I have checked that in the balance call the curl ssl version is getting set to 6 (force TLS1.2).

Full debug of call:

    "rpcStatus":-1,
    "rpcResponse":{
      "response":false,
      "ssl version":6,
      "error":"error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
      "info":{
        "url":"https:\/\/api-3t.sandbox.paypal.com\/nvp",
        "content_type":null,
        "http_code":0,
        "header_size":0,
        "request_size":0,
        "filetime":-1,
        "ssl_verify_result":0,
        "redirect_count":0,
        "total_time":0.07172,
        "namelookup_time":0.014239,
        "connect_time":0.07175,
        "pretransfer_time":0,
        "size_upload":0,
        "size_download":0,
        "speed_download":0,
        "speed_upload":0,
        "download_content_length":-1,
        "upload_content_length":-1,
        "starttransfer_time":0,
        "redirect_time":0,
        "certinfo":[ ],
        "redirect_url":""
      }
    }
    }

So now ... ???

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released. Looking for a payment or shipping module? Maybe I've already done it.
Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x
douglaswalker Posted March 1, 2018

Curious. If I test my site with the button in the oscommerce app I get 2 fails, with forced or not; however balance retrieval etc. all works. However, if I make tests direct with PayPal for TLS 1.2 etc. all is fine using

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
    var_dump(curl_exec($ch));
    // or for more info
    var_dump(curl_error($ch));

So I don't know what to believe?

    <?php
    // Test from PayPal
    echo 'Test if the TLS version is compatible with PayPal:<br/>';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");
    echo ' curl_exec($ch): ';
    var_dump(curl_exec($ch));
    echo '<br/> curl_error($ch): ';
    var_dump(curl_error($ch));
    curl_close($ch);

    // Test from https://github.com/paypal/adaptivepayments-sdk-php/issues/64
    echo '<br/><br/>Another test, get TLS & SSL Version:<br/>';
    $ch = curl_init('https://www.howsmyssl.com/a/check');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);
    $json = json_decode($data);
    echo ' TLS Version: ';
    echo $json->tls_version;
    $curl_info = curl_version();
    echo '<br/> SSL Version: ';
    echo $curl_info['ssl_version'];
    curl_close($ch);
    ?>

Another test above which my site passes. So I am wondering if the test from inside the App is not working as expected...

Edited March 1, 2018 by douglaswalker
douglaswalker Posted March 1, 2018

Looking further, the test inside the oscommerce PayPal app is testing against the same url https://tlstest.paypal.com as the test above. One fails, one passes on the same server. Any thoughts?
BrockleyJohn Posted March 1, 2018 (Author)

Thanks, Doug. I had already tried an independent check against tlstest.paypal.com using code from here: https://github.com/paypal/TLS-update which tested successfully, and began incorporating a test into the app before I found it already done in the app updates on the server. I am beginning to suspect that the tlstest environment and paypal sandbox may not have identical requirements, so am working through some other ideas. First, I tried forcing HTTP1.1 - no effect. I am now working on building a subset of the ciphers available on the server that support TLS1.2 so that I can set CURLOPT_SSL_CIPHER_LIST appropriately. If that fails, I guess I'll have to try a certificate in the call, unless someone has a better idea.
douglaswalker Posted March 1, 2018

Do you have any idea why the in app test and the independent test give different results on my server?
BrockleyJohn Posted March 1, 2018 (Author)

1 hour ago, douglaswalker said:
    Do you have any idea why the in app test and the independent test give different results on my server?

@douglaswalker not yet, but I'm hoping to understand... my guess is that the two paypal endpoints aren't identical.
douglaswalker Posted March 14, 2018

Did you get any further with this? I am still puzzled why independent tests say ok on my live site but the button within the app says no. To further confuse, on another server running the same setup and the same version of the app I get an all clear. Weird.
BrockleyJohn Posted March 14, 2018 (Author)

@douglaswalker yes and no. I also think I missed something in your posts before. If you get a fail and a pass from the Paypal app, that means your server supports TLS1.2 but doesn't use it by default so it must be forced. There is now a setting in the app to force TLS1.2 which presumably you have set. Your independent code does not force TLS1.2 so fails. If you add the option

    curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

before your independent test curl_exec it should succeed.

What I have learnt further is:

- the urls in Paypal sandbox and tlstest are not identical despite what pp say. I ran them on https://www.ssllabs.com/ssltest/ and found that the cipher suites available are different and their priorities are different - with more secure ciphers available on tlstest and with higher priority than the insecure ones, while there are fewer secure on sandbox and there are insecure ones with higher priority. However, I think this is more likely to lead to successful calls against tlstest that fail against sandbox than the other way round.
- an empty call to tlstest.paypal.com only tests if TLS1.2 is available by default or on demand. It's not a sufficient test of the whole secure handshake. Specifically, it has no data so it only does the first bit of the handshake where they agree on what protocol they are speaking. It doesn't get as far as agreeing the encryption and understanding what each other are saying. I tried adding extra data to the call to tlstest but that alone doesn't make it fail (perhaps the other end needs to try and read it?).
- so the tests in the app go as far as possible with the tools that Paypal have offered to check whether the app can function in that environment but they don't prove it can - only the real calls can do that.

Hosting support for the site I've been working on eventually responded that the server does not have ciphers available for TLS1.2 so we're working to move it. This stuff is all to do with how the server is set up, what is available and in what order of priority so it's not at all surprising that your code gets different results on different servers.
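The distinction drawn in the thread (a successful bare TLS 1.2 handshake to tlstest versus a real call that fails with a handshake alert, versus a certificate chain that does not verify) can be made explicit in a small diagnostic. The following is an added example written for this thread, not code from the osCommerce PayPal app or from any poster; the `CA_BUNDLE_PATH` constant and the `probe_tls12`/`diagnose` functions are hypothetical names, and the captured result it classifies is constructed from the debug dump at the top of the thread.

```php
<?php
// Added example, not code from the osCommerce PayPal app or from anyone in this thread.
// Probes an endpoint the way the thread describes (TLS 1.2 forced, verification on,
// explicit CA bundle) and classifies the result so a protocol/cipher handshake
// failure is not mistaken for a CA-chain failure or a plain network error.

// Hypothetical path: point this at the cacert.pem you actually deployed.
const CA_BUNDLE_PATH = __DIR__ . '/cacert.pem';

// Run the probe and return the same fields the app's debug dump shows.
function probe_tls12(string $url, string $caBundle = CA_BUNDLE_PATH): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // value 6, "force TLS1.2" in the app
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,               // do not rely on a stale bundled .crt
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $result = [
        'response' => $body,
        'errno'    => curl_errno($ch),
        'error'    => curl_error($ch),
        'info'     => curl_getinfo($ch),
    ];
    curl_close($ch);
    return $result;
}

// Turn a probe result (live or captured) into a one-line diagnosis.
function diagnose(array $r): string
{
    $info = $r['info'];
    if ($r['errno'] === 0 && ($info['http_code'] ?? 0) > 0) {
        return 'OK: TLS 1.2 handshake completed, HTTP ' . $info['http_code'];
    }
    // Chain did not verify against the supplied bundle: fix cacert.pem, not the cipher list.
    if (in_array($r['errno'], [CURLE_SSL_CACERT, CURLE_SSL_PEER_CERTIFICATE], true)) {
        return 'CA problem: ' . $r['error'];
    }
    // Peer rejected the offered protocol/cipher set (the SSL23_GET_SERVER_HELLO alert in the
    // thread): the shop's OpenSSL/curl offers no TLS 1.2 suite that PayPal's end accepts.
    if ($r['errno'] === CURLE_SSL_CONNECT_ERROR
        || stripos($r['error'], 'handshake failure') !== false) {
        return 'Protocol/cipher mismatch: ' . $r['error'];
    }
    if (($info['connect_time'] ?? 0) == 0) {
        return 'Network problem before TLS: ' . $r['error'];
    }
    return 'Unclassified: ' . $r['error'];
}

// Constructed sample mirroring the dump at the top of the thread: connect_time > 0 but
// pretransfer_time 0 and http_code 0, so TCP connected and TLS never completed.
// ssl_verify_result is 0 only because verification never ran, not because it passed.
$captured = [
    'response' => false,
    'errno'    => CURLE_SSL_CONNECT_ERROR,
    'error'    => 'error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure',
    'info'     => ['http_code' => 0, 'connect_time' => 0.07175, 'pretransfer_time' => 0, 'ssl_verify_result' => 0],
];
echo diagnose($captured), PHP_EOL; // Protocol/cipher mismatch: error:14077410:...
```

Against a live endpoint, `echo diagnose(probe_tls12('https://api-3t.sandbox.paypal.com/nvp'));` exercises the full handshake with the same forced-TLS 1.2 settings the app uses, which is the check the bare tlstest probe does not perform.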
douglaswalker Posted March 14, 2018

Interesting, mine fails in the in app test either forced or not, but the server does use 1.2 and succeeds on any other tests.
douglaswalker Posted April 4, 2018

I needed to add the DigiCert High Assurance EV Root CA and the DigiCert Global Root G2 (SHA-256) certificates to the end of the paypal cert in ext/modules/payment/paypal. Now all validates.
BrockleyJohn Posted April 5, 2018 (Author)

Is that the root certificate for paypal's (or yours)?
douglaswalker Posted April 5, 2018

Hi there, that is the certificate in the PayPal app from ext/modules/payment/paypal/ separate from mine. I got it from here and compared with mine: https://raw.githubusercontent.com/paypal/TLS-update/master/php/cacert.pem This is the thread I read from toward the end.
sinopia Posted April 5, 2018

@BrockleyJohn @Harald Ponce de Leon The issue is at ext/modules/payment/paypal/paypal.com.crt; it's out of date and should be updated. You will need to ensure that your environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate. To fix the issue of TLS v1.2 get an updated version here http://curl.haxx.se/ca/cacert.pem or use this from PayPal https://raw.githubusercontent.com/paypal/TLS-update/master/php/cacert.pem

The addon should be updated also with PHP 7 compatibility (it's just warnings but anyway..); it uses old deprecated constructors instead of __construct():

    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_LOGIN has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/LOGIN/LOGIN.php on line 13
    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_HS has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/HS/HS.php on line 13
    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_EC has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/EC/EC.php on line 13
    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_DP has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/DP/DP.php on line 13
    Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_PS has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/PS/PS.php on line 13
Philo2005 Posted September 30, 2019

How do I install/update this file cacert.pem?
BrockleyJohn Posted October 1, 2019 (Author)

11 hours ago, Philo2005 said:
    How do I install/update this file cacert.pem?

If I remember right, you've installed a download of CE Phoenix, in which case you already have this file. If you are just asking because you're getting a fail in the SSL test in the paypal app admin settings, don't worry about it. The SSL test doesn't work any more for anyone and a fail doesn't give you any information about your store.
Philo2005 Posted October 1, 2019

3 hours ago, BrockleyJohn said:
    If I remember right, you've installed a download of CE Phoenix, in which case you already have this file. If you are just asking because you're getting a fail in the SSL test in the paypal app admin settings, don't worry about it. The SSL test doesn't work any more for anyone and a fail doesn't give you any information about your store.

Yes I did install CE Phoenix … Yes the SSL test failed, so I don't have to worry anymore … It just confuses me why this is still implemented.
sickaporean Posted June 2, 2020

Hi all, I have a problem with paypal. Please see this:

    cURL Version: 7.70.0
    cURL SSL Version: OpenSSL/1.1.1g
    Default Setting: Failed
    TLS v1.2: Failed
    A connection to PayPal could not be made using TLS v1.2. Please consult with your hosting provider to upgrade the cURL version that is installed with your PHP web server to support TLS v1.2 connections. This must be performed by June 30, 2017 otherwise connections will continue to fail.

I thought it was the TLS v1.1 that caused this problem but no, it wasn't it. Thus I contacted my host, Surpass Hosting, and got their reply:

    Hello,
    Both the base OS installation of OpenSSL (1.0.1e) as well as the OpenSSL installation that the webserver utilizes (1.1.1g) support TLSv1.2. I have verified that support for TLSv1.2 is enabled in both the webserver as well as in the cURL extension provided for PHP 7.3 (the PHP version that oscommerce.huphengwoodworks.com.sg is currently using). The screenshot you've provided from SSLLabs does not seem to suggest a lack of support for TLSv1.2, but rather is just a warning that TLSv1.1 is enabled in the webserver. As TLSv1.1 is aging some online SSL checkers have begun recommending disabling it, however it remains enabled in this case to retain compatibility with older clients. I would recommend reviewing the configuration for your website in order to ensure there is not any interfering problem as well as reviewing the documentation for PHP's cURL extension in order to ensure that there is not any additional settings needed for it to work with TLSv1.2 in the context of your site.
    Regards

Now I am lost ... I don't know where to go to fix it now. Can any kind souls please help? Thanks.

** oscommerce phoenix 1.0.7.1
** paypal express checkout 5.018
** api version 204

Edited June 2, 2020 by sickaporean
mhsuffolk Posted June 2, 2020

Does your PayPal work as expected, and does it capture payments, complete the order correctly and the funds appear in your PP account? If so, forget that error. That test will fail on ALL sites now and is not required. However you still need TLS v1.2.

Live shop Phoenix 1.0.8.4 on PHP 7.4. Working my way up the versions.
sickaporean Posted June 2, 2020

mhsuffolk, the older version of paypal worked. Older means downloaded using my cpanel. Now using phoenix, it dun work. When I hit the test connection, it gives me those errors. So, I am stuck! Where to enter my credentials? Oh gosh. Thanks.

Edited June 2, 2020 by sickaporean
BrockleyJohn Posted June 2, 2020 (Author)

18 minutes ago, sickaporean said:
    When I hit the test connection, it gives me those errors.

That doesn't tell you anything. A working paypal installation also displays those errors. That is because paypal has withdrawn the test servers it is trying to contact, so the tests fail for every site.
sickaporean Posted June 2, 2020

BrockleyJohn, dun understand why if not meant to work... So how to install a workable paypal for phoenix oscommerce then? I am a newbie ... Thanks