
BrockleyJohn

TLS1.2 again


It's a bit of a strange one, this, and I could do with some bright ideas to try out.

As we know, everywhere including Paypal is updating their security protocols. For Paypal the sandbox endpoints have already been updated and the live ones will cut off support for TLS below 1.2 in a few months.

The latest version of the app has a very handy button for testing against tlstest.paypal.com which will tell you if the server is running the necessary protocol versions.

On the site I'm working with, the tests run fine (see image) and yet it fails to fetch the balance from PP sandbox with the error

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

which indicates that the TLS version is below 1.2.

The PP setting is to force TLS1.2 (even though the test indicates that the default setting should work) and I have checked that in the balance call the curl ssl version is getting set to 6 (force TLS1.2).

Full debug of call:

{
   "rpcStatus":-1,
   "rpcResponse":{
      "response":false,
      "ssl version":6,
      "error":"error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
      "info":{
         "url":"https:\/\/api-3t.sandbox.paypal.com\/nvp",
         "content_type":null,
         "http_code":0,
         "header_size":0,
         "request_size":0,
         "filetime":-1,
         "ssl_verify_result":0,
         "redirect_count":0,
         "total_time":0.07172,
         "namelookup_time":0.014239,
         "connect_time":0.07175,
         "pretransfer_time":0,
         "size_upload":0,
         "size_download":0,
         "speed_download":0,
         "speed_upload":0,
         "download_content_length":-1,
         "upload_content_length":-1,
         "starttransfer_time":0,
         "redirect_time":0,
         "certinfo":[

         ],
         "redirect_url":""
      }
   }
}

So now ... ???

ssl_test.jpg


Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x


curious

If I test my site with the button in the oscommerce app I get 2 fails with forced or not

however balance retrieval etc all works

However if I make tests direct with PayPal for TLS 1.2 etc all is fine

using

$ch = curl_init();  curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/");  var_dump(curl_exec($ch)); // or for more info var_dump(curl_error($ch));


So I don't know what to believe?

<?php

// Test from PayPal 
echo 'Test if the TLS version is compatible with PayPal:<br/>';
$ch = curl_init(); 
curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); 
echo '&nbsp;curl_exec($ch): ';
var_dump(curl_exec($ch));
echo '<br/>&nbsp;curl_error($ch): ';
var_dump(curl_error($ch));
curl_close($ch);

// Test from https://github.com/paypal/adaptivepayments-sdk-php/issues/64
echo '<br/><br/>Another test, get TLS & SSL Version:<br/>';
$ch = curl_init('https://www.howsmyssl.com/a/check');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$data = curl_exec($ch);
$json = json_decode($data);
echo ' TLS Version: ';
echo $json->tls_version;

$curl_info = curl_version();
echo '<br/> SSL Version: ';
echo $curl_info['ssl_version'];
curl_close($ch);

?>

Another test above which my site passes

So I am wondering if the test from inside the App is not working as expected... 

Edited by douglaswalker


Thanks, Doug. I had already tried an independent check against tlstest.paypal.com using code from here: https://github.com/paypal/TLS-update

which tested successfully, and began incorporating a test into the app before I found it already done in the app updates on the server.

I am beginning to suspect that the tlstest environment and paypal sandbox may not have identical requirements, so am working through some other ideas.

First, I tried forcing HTTP1.1 - no effect.

I am now working on building a subset of the ciphers available on the server that support TLS1.2 so that I can set CURLOPT_SSL_CIPHER_LIST appropriately.

If that fails, I guess I'll have to try a certificate in the call, unless someone has a better idea.


1 hour ago, douglaswalker said:

Do you have any idea why the in app test and the independent test give different results on my server?

@douglaswalker not yet, but I'm hoping to understand... my guess is that the two paypal endpoints aren't identical



Did you get any further with this?

I am still puzzled why independent tests say ok on my live site but the button within the app says no.

To further confuse on another server running the same setup and the same version of the app I get an all clear.

weird


@douglaswalker yes and no. I also think I missed something in your posts before. If you get a fail and a pass from the Paypal app, that means your server supports TLS1.2 but doesn't use it by default so it must be forced. There is now a setting in the app to force TLS1.2 which presumably you have set. Your independent code does not force TLS1.2 so fails. If you add the option

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

before your independent test curl_exec it should succeed.

What I have learnt further is:

  • the urls in Paypal sandbox and tlstest are not identical despite what pp say. I ran them on https://www.ssllabs.com/ssltest/ and found that the cipher suites available are different and their priorities are different - with more secure ciphers available on tlstest and with higher priority than the insecure ones, while there are fewer secure on sandbox and there are insecure ones with higher priority. However, I think this is more likely to lead to successful calls against tlstest that fail against sandbox than the other way round.
  • an empty call to tlstest.paypal.com only tests if TLS1.2 is available by default or on demand. It's not a sufficient test of the whole secure handshake. Specifically, it has no data so it only does the first bit of the handshake where they agree on what protocol they are speaking. It doesn't get as far as agreeing the encryption and understanding what each other are saying. I tried adding extra data to the call to tlstest but that alone doesn't make it fail (perhaps the other end needs to try and read it?).
  • so the tests in the app go as far as possible with the tools that Paypal have offered to check whether the app can function in that environment but they don't prove it can - only the real calls can do that

Hosting support for the site I've been working on eventually responded that the server does not have ciphers available for TLS1.2 so we're working to move it.

This stuff is all to do with how the server is set up, what is available and in what order of priority so it's not at all surprising that your code gets different results on different servers.
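The distinction drawn above, between a protocol-only probe of tlstest.paypal.com and a real call that completes the handshake and exchanges data, can be checked from PHP directly. The script below is an added example, not code from the osCommerce PayPal app; it forces TLS 1.2 the same way the app's "ssl version 6" setting does, pins verification to the store's CA bundle (path assumed from the thread) and reads the negotiated protocol and cipher back out of curl's verbose log. The NVP credentials are placeholders.

```php
<?php
// Added diagnostic, not code from the osCommerce PayPal app. It forces TLS 1.2
// (CURL_SSLVERSION_TLSv1_2 == 6, the value the app sets), makes a real request
// and reads the negotiated protocol/cipher back from curl's own verbose log, so
// a pass here means the whole handshake worked, not just the protocol agreement.
function tlsProbe(string $url, string $caBundle, array $postFields = []): array
{
    $log = fopen('php://temp', 'w+');          // capture curl's verbose output
    $ch  = curl_init($url);
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => $caBundle,
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log,
        CURLOPT_TIMEOUT        => 15,
    ];
    if ($postFields) {                          // POSTFIELDS implies a POST request
        $opts[CURLOPT_POSTFIELDS] = http_build_query($postFields);
    }
    curl_setopt_array($ch, $opts);
    curl_exec($ch);
    $result = ['url' => $url, 'http_code' => curl_getinfo($ch, CURLINFO_HTTP_CODE),
               'error' => curl_error($ch), 'protocol' => null, 'cipher' => null];
    rewind($log);
    // curl logs a line such as "* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256"
    if (preg_match('/SSL connection using (\S+)(?: \/ (\S+))?/', stream_get_contents($log), $m)) {
        $result['protocol'] = $m[1];
        $result['cipher']   = $m[2] ?? null;
    }
    fclose($log);
    curl_close($ch);
    return $result;
}

// Assumed bundle path (the file this thread refers to); adjust to the store's layout.
$ca = __DIR__ . '/ext/modules/payment/paypal/paypal.com.crt';
// Placeholder NVP credentials: PayPal answers ACK=Failure, but only after a
// complete TLS session, which is exactly what the empty tlstest call cannot show.
$probes = [
    tlsProbe('https://tlstest.paypal.com/', $ca),
    tlsProbe('https://api-3t.sandbox.paypal.com/nvp', $ca,
             ['METHOD' => 'GetBalance', 'VERSION' => '204', 'USER' => 'PLACEHOLDER',
              'PWD' => 'PLACEHOLDER', 'SIGNATURE' => 'PLACEHOLDER']),
];
foreach ($probes as $r) {
    printf("%s\n  HTTP %d  %s  %s%s\n", $r['url'], $r['http_code'],
           $r['protocol'] ?? 'no TLS session', $r['cipher'] ?? '',
           $r['error'] !== '' ? "  error: {$r['error']}" : '');
}
```

If the first probe reports TLSv1.2 but the second reports no TLS session with a handshake-failure error, the server's cipher suites rather than its protocol support are the thing to examine, which is the situation the post above describes.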



Interesting

Mine fails in the in-app test either forced or not,

but the server does use 1.2 and succeeds on any other tests.


I needed to add

DigiCert High Assurance EV Root CA

DigiCert Global Root G2 (SHA-256)

to the end of the paypal cert in 

ext/modules/payment/paypal

Now all validates 


Is that the root certificate for PayPal's (or yours)?



@BrockleyJohn @Harald Ponce de Leon The issue is at ext/modules/payment/paypal/paypal.com.crt it's out of date and should be updated.

You will need to ensure that your environment supports the use of the SHA-256 signing algorithm and discontinue the use of SSL connections that rely on the VeriSign G2 Root Certificate.

To fix the issue of TLS v1.2 get an updated version here http://curl.haxx.se/ca/cacert.pem or use this from PayPal https://raw.githubusercontent.com/paypal/TLS-update/master/php/cacert.pem

The addon should be updated also with PHP 7 compatibility (it's just warnings but anyway..); it uses old deprecated constructors instead of __construct()

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_LOGIN has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/LOGIN/LOGIN.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_HS has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/HS/HS.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_EC has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/EC/EC.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_DP has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/DP/DP.php on line 13
Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; OSCOM_PayPal_PS has a deprecated constructor in /home/website/public_html/includes/apps/paypal/modules/PS/PS.php on line 13
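An out-of-date bundle like the one described above is easy to audit before replacing it. The script below is an added example, not part of the PayPal app: it walks every PEM block in a bundle, prints each certificate's subject and expiry, flags expired entries and checks whether the DigiCert Global Root G2 named earlier in the thread is present. The bundle path is assumed from the thread; a constructed self-signed certificate stands in when that file is not readable so the script runs offline.

```php
<?php
// Added check, not code from the osCommerce PayPal app: list the certificates
// in a PEM bundle with their expiry and report whether a wanted root is there.
function inspectBundle(string $pem, string $wantedCn): array
{
    preg_match_all('/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/s', $pem, $blocks);
    $report = ['count' => 0, 'expired' => [], 'found' => false, 'certs' => []];
    foreach ($blocks[0] as $block) {
        $info = openssl_x509_parse($block);
        if ($info === false) {                  // skip anything that is not a parseable cert
            continue;
        }
        $cn = $info['subject']['CN'] ?? $info['subject']['O'] ?? '(no CN)';
        $report['certs'][] = ['cn' => $cn, 'validTo' => date('Y-m-d', $info['validTo_time_t'])];
        $report['count']++;
        if ($info['validTo_time_t'] < time()) {
            $report['expired'][] = $cn;
        }
        if ($cn === $wantedCn) {
            $report['found'] = true;
        }
    }
    return $report;
}

// Constructed self-signed certificate so the script has input without the real bundle.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$csr = openssl_csr_new(['commonName' => 'Constructed Test Root'], $key);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 365), $constructed);

$bundlePath = __DIR__ . '/ext/modules/payment/paypal/paypal.com.crt';   // assumed path from the thread
$pem = is_readable($bundlePath) ? file_get_contents($bundlePath) : $constructed;
$r = inspectBundle($pem, 'DigiCert Global Root G2');                     // root named earlier in the thread
foreach ($r['certs'] as $c) {
    printf("%-45s expires %s\n", $c['cn'], $c['validTo']);
}
printf("%d certificate(s); DigiCert Global Root G2 %s; %s\n", $r['count'],
       $r['found'] ? 'present' : 'MISSING',
       $r['expired'] ? 'expired: ' . implode(', ', $r['expired']) : 'none expired');
```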

11 hours ago, Philo2005 said:

How do I install/update this file cacert.pem ?

If I remember right, you've installed a download of CE Phoenix, in which case you already have this file.

If you are just asking because you're getting a fail in the SSL test in the paypal app admin settings, don't worry about it. The SSL test doesn't work any more for anyone and a fail doesn't give you any information about your store.


3 hours ago, BrockleyJohn said:

If I remember right, you've installed a download of CE Phoenix, in which case you already have this file.

If you are just asking because you're getting a fail in the SSL test in the paypal app admin settings, don't worry about it. The SSL test doesn't work any more for anyone and a fail doesn't give you any information about your store.

Yes I did install CE Phoenix … Yes the SSL test failed, so I don't have to worry anymore …
It just confuses me why this is still implemented.


Hi all, I have a problem with PayPal. Please see this: -

cURL Version: 7.70.0
cURL SSL Version: OpenSSL/1.1.1g

Default Setting: Failed
TLS v1.2: Failed

A connection to PayPal could not be made using TLS v1.2. Please consult with your hosting provider to upgrade the cURL version that is installed with your PHP web server to support TLS v1.2 connections.

This must be performed by June 30, 2017 otherwise connections will continue to fail.

I thought it was the TLS v1.1 that caused this problem but no, it wasn't it. Thus I contacted my host surpass hosting and got their reply: -

[Hello,

Both the base OS installation of OpenSSL (1.0.1e) as well as the OpenSSL installation that the webserver utilizes (1.1.1g) support TLSv1.2. I have verified that support for TLSv1.2 is enabled in both the webserver as well as in the cURL extension provided for PHP 7.3 (the PHP version that oscommerce.huphengwoodworks.com.sg is currently using).

The screenshot you've provided from SSLLabs does not seem to suggest a lack of support for TLSv1.2, but rather is just a warning that TLSv1.1 is enabled in the webserver. As TLSv1.1 is aging some online SSL checkers have begun recommending disabling it, however it remains enabled in this case to retain compatibility with older clients.

I would recommend reviewing the configuration for your website in order to ensure there is not any interfering problem as well as reviewing the documentation for PHP's cURL extension in order to ensure that there is not any additional settings needed for it to work with TLSv1.2 in the context of your site.
Regards]

Now I am lost ... I don't know where to go to fix it now.

Can any kind souls please help?

Thanks.

** oscommerce phoenix 1.0.7.1

** paypal express checkout 5.018

** api version 204

Edited by sickaporean


Does your PayPal work as expected and does it capture payments, complete the order correctly and the funds appear in your PP account? If so, forget that error. That test will fail on ALL sites now and is not required.

However, you still need TLS v1.2.


Live shop Phoenix 1.0.8.4 on PHP 7.4 Working my way up the versions.


mhsuffolk,

The older version of PayPal worked. Older means downloaded using my cPanel.

Now using Phoenix, it doesn't work. When I hit the test connection, it gives me those errors.

So, I am stuck! Where to enter my credentials? Oh gosh.

Thanks.

Edited by sickaporean

18 minutes ago, sickaporean said:

When I hit the test connection, it gives me those errors.

That doesn't tell you anything. A working PayPal installation also displays those errors. That is because PayPal has withdrawn the test servers it is trying to contact, so the tests fail for every site.
