Magento, Poodle and Paypal – Disable SSL v3 Before December 3rd

created November 27, 2014, last updated May 23, 2015.


The so-called Poodle security vulnerability was announced by Google last month (October 14, 2014).

The vulnerability affects SSL v3.0, a transport-layer security protocol that has been around for over 18 years and is used to secure various TCP/IP protocols, the most common being HTTPS, so it is present in a lot of client and server software.

The workaround that mitigates this vulnerability is simply to disable SSL v3 support and fall back (or rather upgrade) to the newer TLS 1.x protocols.

The vulnerability is a real cause for concern for a lot of companies, especially Paypal, who recently announced that they will disable SSL v3 support on the 3rd of December 2014.

How does this affect Magento

For Paypal payments from your Magento store using either the Standard or the Express payment model, Magento acts as a client communicating with the Paypal API over SSL/TLS to complete the payment / checkout transaction.

When Paypal removes support for SSL v3, your Magento store will no longer be able to communicate with Paypal unless you disable SSL v3.0 support on your host so that the connection is negotiated with TLS instead.

Simply put, this means you will not be able to process any orders with the Paypal payment system. Not the best news at this time of year, when many businesses are in their busiest period in the run-up to Christmas.

How to Fix Poodle for Magento

Fortunately the fix is pretty straightforward and actually doesn't have much to do with Magento at all, but rather with the configuration of the web server software on your Magento host.

First you need to determine if the host your Magento shop is running on is using the SSL v3 protocol.

If you have command line access to your host, log in and run nmap with the following command:

nmap --script ssl-enum-ciphers -p 443 localhost

If your host is NOT vulnerable, the SSLv3 section of the output will read:

SSLv3: No supported ciphers found

If you don't have command line access, run an external scan from a reputable site such as Symantec. The scan should clearly show whether your server supports SSL v3 or not.
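Reading the nmap output by eye is fine for one host, but if you look after several stores it helps to parse it. The following Python script is an added example, not part of the original post or of nmap itself; it parses text in the shape of the ssl-enum-ciphers script's output (the two sample scans below are constructed to resemble it, not captured from a real host) and reports whether any cipher is offered over SSLv3, which is the condition the post tells you to look for:

```python
import re

# Constructed sample resembling "nmap --script ssl-enum-ciphers -p 443" output
# from a host that still offers SSLv3 ciphers (not captured from a real scan).
VULNERABLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# The same host after SSLv3 was disabled in Apache (also constructed).
FIXED_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""

# A protocol header line, e.g. "|   SSLv3:" or "|   SSLv3: No supported ciphers found"
PROTO_RE = re.compile(r"^\|_?\s+(SSLv2|SSLv3|TLSv1(?:\.[0-9])?):(.*)$")
# A cipher line under a protocol, e.g. "|       TLS_RSA_WITH_RC4_128_SHA - strong"
CIPHER_RE = re.compile(r"^\|_?\s+(TLS_[A-Z0-9_]+)")


def parse_ciphers(scan_output):
    """Return {protocol: [cipher names]} from ssl-enum-ciphers style text."""
    result = {}
    current = None
    for line in scan_output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            if "No supported ciphers found" in m.group(2):
                current = None  # nothing to collect for this protocol
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append(m.group(1))
    return result


def protocols_offered(scan_output):
    """Sorted list of protocols for which at least one cipher is offered."""
    return sorted(p for p, ciphers in parse_ciphers(scan_output).items() if ciphers)


def sslv3_enabled(scan_output):
    """True when the scan shows any cipher negotiable over SSLv3."""
    return bool(parse_ciphers(scan_output).get("SSLv3"))


if __name__ == "__main__":
    for label, scan in (("before", VULNERABLE_SCAN), ("after", FIXED_SCAN)):
        state = "VULNERABLE (SSLv3 offered)" if sslv3_enabled(scan) else "ok"
        print("%s: %s, protocols offered: %s"
              % (label, state, ", ".join(protocols_offered(scan))))
```

Pipe a real scan into parse_ciphers() instead of the constructed samples; the check is deliberately strict, so a host is only reported as fixed when the SSLv3 section lists no ciphers at all.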

How to Disable SSL v3 on Ubuntu Server

To disable SSL v3 support on Ubuntu Server (and on many other servers running Apache) and rely on TLS 1.x, locate the configuration file responsible for defining the SSL protocols supported by Apache. On Ubuntu it is

/etc/apache2/mods-available/ssl.conf

You can search for it with this grep command:

grep -i -r "SSLProtocol" /etc/apache2

Edit the file, find the SSLProtocol line and change it to

SSLProtocol all -SSLv2 -SSLv3

Restart Apache (service apache2 restart) and SSL v3 will be disabled. Confirm this by running the scans again.
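Before restarting Apache it is worth checking that the edited directive really leaves SSLv3 out, since a commented-out line or a second SSLProtocol directive elsewhere in /etc/apache2 is easy to miss. The following Python script is an added example, not from the original post or from the Apache project; it evaluates the SSLProtocol directives found in a config fragment using the rules documented for mod_ssl (all enables every protocol, +name adds one, -name removes one, a bare name adds one) and treats a commented-out directive as absent and a missing directive as the documented default all. The two config fragments are constructed to show the before and after state, and the list of protocol names and the assumption that all still includes SSLv3 reflect the Apache 2.2/2.4 builds of the time:

```python
# Protocol names mod_ssl accepted at the time (assumption: Apache 2.2/2.4 with
# OpenSSL 1.0.1); per the mod_ssl docs 'all' expands to every one of them.
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
_CANON = {p.lower(): p for p in KNOWN_PROTOCOLS}  # case-insensitive lookup


def evaluate_sslprotocol(directive):
    """Return the set of protocols one 'SSLProtocol ...' directive enables."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        if tok[0] in "+-":
            sign, name = tok[0], tok[1:]
        else:
            sign, name = "+", tok  # a bare protocol name is additive
        key = name.lower()
        if key == "all":
            names = KNOWN_PROTOCOLS
        elif key in _CANON:
            names = (_CANON[key],)
        else:
            raise ValueError("unknown protocol name: %r" % name)
        if sign == "+":
            enabled.update(names)
        else:
            enabled.difference_update(names)
    return enabled


def find_sslprotocol_directives(config_text):
    """Return the uncommented SSLProtocol lines in a config fragment."""
    found = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: Apache ignores it
        if line.split()[0].lower() == "sslprotocol":
            found.append(line)
    return found


def sslv3_disabled(config_text):
    """True only when every effective SSLProtocol directive leaves SSLv3 out.

    Assumption: with no directive at all, the documented default 'all'
    applies, and on these Apache versions that still includes SSLv3."""
    directives = find_sslprotocol_directives(config_text) or ["SSLProtocol all"]
    return all("SSLv3" not in evaluate_sslprotocol(d) for d in directives)


# Constructed fragment in the shape of the Ubuntu ssl.conf before the fix:
# the safe line is only a comment, the live directive still allows SSLv3.
BEFORE = """\
<IfModule mod_ssl.c>
    # SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</IfModule>
"""

# The same fragment after the edit recommended in the post (also constructed).
AFTER = """\
<IfModule mod_ssl.c>
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
</IfModule>
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for d in find_sslprotocol_directives(cfg):
            print("%s: %-32s -> %s" % (label, d, sorted(evaluate_sslprotocol(d))))
        print("%s: SSLv3 disabled: %s" % (label, sslv3_disabled(cfg)))
```

To check a real installation, read each file that the grep above lists and pass its contents to sslv3_disabled(); because the function demands that every live directive excludes SSLv3, one forgotten virtual host is enough to report the server as still affected.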

How to test Paypal

The best way to prepare for Paypal disabling SSL v3 is to test your Dev Magento install against the Paypal Sandbox site – http://sandbox.paypal.com

For peace of mind you should do this before December 3rd 2014.

Another simple test is to open a socket connection to the Paypal sandbox servers from a small PHP script. Create a file paypal-tls-test.php in the root folder of your Magento shop and paste the following script into it.

<html>
<head>
</head>
<body>
<?php
// Open an SSL/TLS-wrapped socket to the Paypal sandbox. PHP's ssl:// wrapper
// lets OpenSSL negotiate the protocol, so once Paypal only accepts TLS a
// successful connection means this host can still talk to Paypal.
$url = "ssl://www.sandbox.paypal.com";
$fp = fsockopen($url, 443, $errno, $errstr, 10);
if (is_resource($fp)) {
    echo "not affected";
    fclose($fp);
} else {
    // $errstr explains why the connection or handshake failed
    echo "affected: (" . $errno . ") " . htmlspecialchars($errstr);
}
?>
</body>
</html>

Run the script from your store – http://storeurl.com/paypal-tls-test.php

If you receive the not affected response, then your host was able to talk to Paypal using TLS and you should also be able to process Paypal payments from Magento.

If you don’t have a dev server this might be the easiest way to test Paypal access from your Live server unless you are prepared to take the shop offline and configure the Paypal payment modules to use the Sandbox.

If you do not have access to the command line you need to talk to your hosting provider ASAP!

A lot of people (like me) may be reacting to this news a bit late, but applying these simple changes should avoid any pre-Christmas Poodle-related Paypal headaches next week.