tomerg3

PayPal SSL Change Explained + Fix


I have seen many users ask about the upcoming PayPal November 3rd change, hopefully this thread would explain everything about it.

 

Please try to keep things on topic, so this could be a useful resource for other users rather than a discussion about PrestaShop.

 

Problem Description

 

As you may have heard, a recent exploit was found in a certain SSL protocol called SSLv3.

There are very few hosting providers still using this protocol, and the ones that do are likely addressing them.

PayPal are shifting away from this protocol, and replacing it with TLS (other payment gateways may soon follow).

 

PrestaShop PayPal Modules

 

PrestaShop developers had hard coded the use of SSLv3 in all the PayPal modules (I checked as far back as PayPal V2.6), which would mean that unless you fix the PayPal module, it will stop working soon.

 

The good news is that fixing it is simple, and would not require upgrading or changing your current module, just a few line changes.

 

What to Look For

 

Below is an image showing the 2 changes that you would need to make. Depending on the PayPal module's version, it may be in a different file / folder, but the most common location is /modules/paypal/api/paypalconnect.php

 

If you want to be absolutely sure, you can search inside the files in that folder for the text "CURLOPT_SSLVERSION" and remove that entire line.

 

paypal_code.png

 

As with any change done to a payment module, make sure to test it out when you are done by trying to place an order using PayPal.

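The search described in the post above, as an added example that is not part of the original post or of the PrestaShop module: it walks a module folder, finds every CURLOPT_SSLVERSION call and reports whether it pins SSLv3. The file contents in demo() are constructed sample data, and patched.php is a hypothetical file name.

```python
import re
import tempfile
from pathlib import Path

# Captures the third argument of curl_setopt($ch, CURLOPT_SSLVERSION, <value>);
PIN = re.compile(r"curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSLVERSION\s*,\s*(.+?)\)\s*;")

def classify(value):
    """Classify the protocol value passed to CURLOPT_SSLVERSION."""
    v = value.strip()
    if v in ("3", "CURL_SSLVERSION_SSLv3"):
        return "SSLV3_PINNED"   # the hard-coded setting this thread is about
    if v == "1" or "CURL_SSLVERSION_TLSv1" in v:
        return "TLS"            # CURL_SSLVERSION_TLSv1 has the value 1
    return "REVIEW"             # anything else needs a human look

def scan_module(root):
    """Return (relative path, line number, verdict) for every pinned version."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        lines = path.read_text(errors="replace").splitlines()
        for lineno, line in enumerate(lines, 1):
            if line.lstrip().startswith(("//", "#", "*")):
                continue        # skip commented-out code
            m = PIN.search(line)
            if m:
                rel = path.relative_to(root).as_posix()
                findings.append((rel, lineno, classify(m.group(1))))
    return findings

def demo():
    """Scan a constructed module tree (file contents are sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "api").mkdir()
        (root / "api" / "paypal_connect.php").write_text(
            "<?php\n$ch = curl_init();\n@curl_setopt($ch, CURLOPT_SSLVERSION, 3);\n")
        (root / "api" / "patched.php").write_text(
            "<?php\n@curl_setopt($ch, CURLOPT_SSLVERSION, "
            "defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1);\n")
        # Different option: does not select a protocol version, so no finding.
        (root / "validation.php").write_text(
            "<?php\ncurl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);\n")
        return scan_module(root)

if __name__ == "__main__":
    for finding in demo():
        print(*finding)
```

A module with no findings, or only TLS findings, does not force SSLv3; a SSLV3_PINNED finding marks the line to remove.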

Hello,

 

I am using PayPal USA module and I don't see any file like this: paypalconnect.php


Will this fix work for Australian based stores?

This has nothing to do with your country.  If you are using the Paypal module as described by Tomer, then you are likely impacted

 

I am using PayPal USA module and I don't see any file like this: paypalconnect.php

The issue is really about the Paypal 'Europe' module.  Paypal USA v1.3.8 does not have this issue

 

Also as Tomer already documented...

 

If you want to be absolutely sure, you can search inside the files in that folder for the text "CURLOPT_SSLVERSION" and remove that entire line.

 

 

you can always open each file in the module and search for "CURLOPT_SSLVERSION"


 


The issue is really about the Paypal 'Europe' module.  Paypal USA v1.3.8 does not have this issue

This is not entirely true, many PS 1.4 came with a single PayPal module which has the SSLv3 hard coded.

 

We use it on our site, and we never bother upgrading the PayPal module to the latest version, as it was working, and the latest version seemed to be buggy at times.


Hi, I'm running version 1.3 (Yeah I know). Am I right in thinking that this version is not affected? I'm in Europe and can't find the above code in my paypalconnect.php.

 

Thanx in advance.


 


If you want to be absolutely sure, you can search inside the files in that folder for the text "CURLOPT_SSLVERSION" and remove that entire line.


Hi, I've searched through the whole folder and can't find that text. Thanks for all your help.

 

K;)


This is not entirely true, many PS 1.4 came with a single PayPal module which has the SSLv3 hard coded.

 

We use it on our site, and we never bother upgrading the PayPal module to the latest version, as it was working, and the latest version seemed to be buggy at times.

The point I was trying to make is that the Paypal USA module does not have the issue.  The issue was limited to just the original Paypal module.

 

The original Paypal module that you refer to, and the Paypal 'Europe' are the same module.  It was just branded 'Europe' when they created Paypal USA.

Edited by bellini13 (see edit history)


This has nothing to do with your country.  If you are using the Paypal module as described by Tomer, then you are likely impacted

 

The issue is really about the Paypal 'Europe' module.  Paypal USA v1.3.8 does not have this issue

 

Hi Bellini13,

 

Are you 100% sure it does not affect the Australian version?

 

Because I tried Bill Dalton's location from above and found on line 84 of modules\paypal\api\paypal_connect.php:

@curl_setopt($ch, CURLOPT_SSLVERSION, 3);

I think that is the code in question.

 

We are using PrestaShop 1.5.4.1 with PayPal module 3.6.

The PayPal module we are using is simply called PayPal (not PayPal Aus etc).

Edited by sunnyb0y (see edit history)


Hi Bellini13,

 

Are you 100% sure it does not affect the Australian version?

 

There is not an 'Australian' version of Paypal.  The module you are using is 'Paypal Europe'


Hi,

My webstore is based in Asia, so will a latest version of the PayPal module be released soon? What I found is only the PayPal module for Europe. I'm using PayPal module version 3.5.0

I need help.

Regards


 

Hi,

My webstore is based in Asia, so will a latest version of the PayPal module be released soon? What I found is only the PayPal module for Europe. I'm using PayPal module version 3.5.0

I need help.

Regards

 

There are only 2 Paypal modules that were developed and provided by Prestashop

 

1) Paypal, otherwise known as Paypal Europe.

2) Paypal USA, Canada, Mexico

 

You are using Paypal 'Europe', so just upgrade to v3.8.1. 

 

There is a Paypal forum here that you should be reading


There are only 2 Paypal modules that were developed and provided by Prestashop

 

1) Paypal, otherwise known as Paypal Europe.

2) Paypal USA, Canada, Mexico

 

You are using Paypal 'Europe', so just upgrade to v3.8.1. 

 

There is a Paypal forum here that you should be reading

 

 

Hi Bellini,

 

Thanks, I already manually updated the PayPal 'Europe' to v3.8.1.

Do I need to verify my PayPal account again, or will it be verified automatically once I update to v3.8.1?


Still can't get the module to work in sandbox mode; this is the error I get

 

PayPal response:
TIMESTAMP -> 2014-11-24T22:51:24Z
L_ERRORCODE0 -> 10002
L_SHORTMESSAGE0 -> Security error
L_LONGMESSAGE0 -> Security header is not valid
L_SEVERITYCODE0 -> Error 

 

I'm on 1.4.9.0, which is fairly old, but I do like it and haven't the time to update. I have tried PayPal versions 3.0, which should have been the original with 1.4.9.0, and also tried 3.8.0 and 3.8.1,

which have the lines of code edited already, but I still get the above error; the live settings work fine.

Just wondering if I need to update my shop or even sign up for SSL.

Thanks for any help.

Just to add, I have tried the line

To see the errors, go to the paypal_connect.php file and add :

 

echo "<pre>";print_r($this->_logs);echo "</pre>";

 

Before the line

 

@curl_close($ch);

 

and this is what I get (I have edited my details):

 

Array

(
    [0] => Making new connection to 'api-3t.sandbox.paypal.com/nvp'
    [1] => Connect with CURL method successful
    [2] => Sending this params:
    [3] => METHOD=SetExpressCheckout&VERSION=106&PWD=MY API PW&USER=MY_api1.live.co.uk&SIGNATURE=MY API SIG&CANCELURL=http%3A%2F%2Fspecialkeys.co.uk%2Forder-opc.php%3Fpaypal_ec_canceled%3D1%26&RETURNURL=http%3A%2F%2Fspecialkeys.co.uk%2Fmodules%2Fpaypal%2Fexpress_checkout%2Fpayment.php&NOSHIPPING=1&BUTTONSOURCE=PRESTASHOP_EC&L_PAYMENTREQUEST_0_NUMBER0=136&L_PAYMENTREQUEST_0_NAME0=Universal+4+pin+key+blank%2C+standard+profile&L_PAYMENTREQUEST_0_DESC0=JMA+U-4D...&L_PAYMENTREQUEST_0_AMT0=1&L_PAYMENTREQUEST_0_QTY0=1&PAYMENTREQUEST_0_PAYMENTACTION=Sale&PAYMENTREQUEST_0_CURRENCYCODE=GBP&L_PAYMENTREQUEST_0_NAME1=Royal+Mail+Signed+for%2C+1st+Class&L_PAYMENTREQUEST_0_AMT1=2.99&L_PAYMENTREQUEST_0_QTY1=1&PAYMENTREQUEST_0_ITEMAMT=3.99&PAYMENTREQUEST_0_AMT=3.99&ADDROVERRIDE=1&EMAIL=specialkeys%40live.co.uk&PAYMENTREQUEST_0_SHIPTONAME=kearney+kearney&PAYMENTREQUEST_0_SHIPTOPHONENUM=%2B447731527660&PAYMENTREQUEST_0_SHIPTOSTREET=18+pedro+street&PAYMENTREQUEST_0_SHIPTOSTREET2=clapton&PAYMENTREQUEST_0_SHIPTOCITY=director&PAYMENTREQUEST_0_SHIPTOCOUNTRYCODE=GB&PAYMENTREQUEST_0_SHIPTOZIP=e5+0bn&SOLUTIONTYPE=Sole&LANDINGPAGE=Login&USER=MY_api1.live.co.uk&PWD=MY API PW&SIGNATURE=MY API SIG
    [4] => Send with CURL method successful
Edited by pickwizard (see edit history)


Here is a patched PayPal 3.6.1 from a copy of 1.4.11.

Thanks Bill, not sure if this was for me but still the same, fine live but in sandbox I get

Please refer to logs:

PayPal response:
TIMESTAMP -> 2014-11-24T23:44:29Z
L_ERRORCODE0 -> 10002
L_SHORTMESSAGE0 -> Security error
L_LONGMESSAGE0 -> Security header is not valid
L_SEVERITYCODE0 -> Error


Just a thought, the errorcode0 10002 should be an API error; are there two API settings, one for live and one for sandbox??

Would make sense; after hours of searching, it's been working all the time lol


There is not an 'Australian' version of Paypal.  The module you are using is 'Paypal Europe'

 

Ah I see, thanks for clarifying Bellini13. I will upgrade that accordingly. Cheers.

 

Just confirming - this is the English page for the PayPal (Europe) module that will affect Australian users:

http://addons.prestashop.com/en/payments-gateways-prestashop-modules/1748-paypal.html

Edited by sunnyb0y (see edit history)


Just a thought, the errorcode0 10002 should be an API error; are there two API settings, one for live and one for sandbox??

Would make sense; after hours of searching, it's been working all the time lol

Stupid me, your live API credentials and sandbox are different, so to test you do need to log in to the developer site https://developer.paypal.com/developer

 

then Dashboard/ sandbox accounts and find your sandbox details


Yes! You need to set up a sandbox account separately from your live account. Really odd but that's PayPal.


Hi,

 

On my PrestaShop, I found 2 PayPal:

- One is PayPal USA and I fall into this problem:

http://forge.prestashop.com/browse/PSCSX-3904

 

- One is PayPal and i found the file:

modules/paypal/api/paypal_connect.php

 

with line:

 

88:

@curl_setopt($ch, CURLOPT_SSLVERSION, defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1);

108: 

 

 

It seems that it is already fixed. I already tested with PayPal Sandbox and it works well.

Edited by ksv (see edit history)


I'm not a developer, so I'm not too savvy with coding, but when updating the Paypal module just now, something went wrong.
I can still access pretty much everything at the backend of the website, but on the front side, only the home page and category pages work.
Every product page is blank and the favicon is a database icon.

Even if I uninstall the PayPal module, the product pages stay blank.

Could anybody help me with this?


Hi Can anyone confirm whether PS 1.3.2 will have the paypal problem - I am not a techie and thus a fix will be a problem for me - so straight answer would be useful.

 

Thanks


Hello

 

I am using Prestashop 1.6.0.9 and have also received the e-mail from PayPal regarding the need to update.  I HAVEN'T A CLUE what I need to do as the "update button" they mention in their e-mail is not there.  A web designer sorted my website for me and I no longer have contact with them.  Although I know how to upload my products obviously, shipping, discounts, that sort of thing, I haven't a clue when it comes to coding etc and I am really panicking seeing as they are disabling on 3rd December.  I would be so, SO grateful if anybody is able to help please. 

 

Thank you so much!


Hi Further input on PS1.3.2  The Paypal file listed by tomer does not exist

The nearest ref I can find to the curlopt is in the file validation.php.

 

    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

 

Which is different from the newer PayPal modules.

 

Does that mean we do not have the problem?

 

Thanks

Edited by justdogwalking.com (see edit history)


Hi. Whilst I am no techie, I have been desperately trying to bottom out whether PS 1.3.2 is vulnerable to this PayPal issue.

All the indications are  that the paypal module for PS 1.3.2 does not have this issue - However, I can only wait till dec to see if I get locked out when Paypal shuts down its ssl3 service.

 

Any experts out there that can confirm this yet??


Same problem here.. I have a shop running with PS 1.3.5 and rely on PayPal... Will the paypal module 1.7.1 that comes with PS 1.3.5 still work after dec 3? There is also a module PayPalAPI v1.0 but I haven't used it yet.


Hello all,

 

I did have a look at my Europe PayPal 3.8 version and I have a question about it.

The first thing that the thread info advises removing is this line 1) CURLOPT_SSLVERSION, but if I have a look at my line, it shows this code

@curl_setopt($ch, CURLOPT_SSLVERSION, defined(CURL_SSLVERSION_TLSv1) ? CURL_SSLVERSION_TLSv1 : 1);

My question is whether the above line that I have is also a correct line, or must I still remove CURLOPT_SSLVERSION?

 

The replace the file from 2) is already correct in my paypal v3.80

 

 

Thanks.

 

regards,

 

ysco..

Edited by ysco (see edit history)


It's not yet in PayPal-Module 3.6.5.

 

@PrestaShop-Team:

 

Please fix this line in paypal_connect.php and change sslv3 with tls:




			
		
