Due to the recently announced POODLE vulnerability (CVE-2014-3566), authorize.net is shutting off SSLv3 protocols to their gateway and switching to TLS 1.x instead. This will affect payment processing. Is there a way to change the protocol used in Ubercart to communicate with gateways, or will this negotiation happen automatically?

Attached file: Poodle.pdf (449.28 KB), comment #6, author tm01xx

Comments

longwave’s picture

Status: Active » Fixed
Issue tags: -POODLE, -ssl, -vulnerability

We do not specify which protocol to use. We use the cURL library to connect to Authorize.Net, and most setups should allow both SSL and TLS here, so everything should carry on working.

lhugg’s picture

My further testing of this on the authorize.net sandbox indicates that this is true. The sandbox already has SSL turned off, so if your application works against it then your site is able to negotiate to use the more secure TLS. Thanks for confirming.

volcanocruiser’s picture

Is this the same confirmed method for Ubercart 7.x using PayPal?

tm01xx’s picture

Hi,

I am using Ubercart Paypal 6.x-2.2. I recently received a letter from PayPal telling me to disable SSL3 and to enable TLS ASAP, as they will shut down SSL3 service by 3 Dec 2014.

Does this affect the Ubercart Paypal version I am using? Should I do anything on my end?

Many thanks!

tm01xx’s picture

Title: POODLE vulnerability and SSL protocol » POODLE vulnerability and SSL protocol (Paypal)
Version: 6.x-2.13 » 6.x-2.2
Status: Fixed » Active
tm01xx’s picture

Please check the attachment for more info:

longwave’s picture

Status: Active » Fixed

The same applies for all payment methods that come with Ubercart: we do not specify which method to use, so as long as your cURL setup does not disallow TLS (this is very unlikely), then there will be no impact when SSLv3 is disabled.

tczaude’s picture

How does the situation look in Ubercart 3 in Drupal 7?

drewwestcott’s picture

Is this the case in all versions of Ubercart? I'm using 6x 2.9 atm.

TR’s picture

Yes, yes, yes. This is true of all versions of Ubercart running on all versions of Drupal.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

webservant316’s picture

I am running Drupal 6.31 with Ubercart 6.x-2.13 and could not talk to my credit card processor with the SHA2 SSL certificates. The processor told me to set curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0) per this instruction, http://curl.haxx.se/docs/sslcerts.html, and now it works. I don't think this is a long-term solution, and I am working to port to D7 anyway.
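
One way to test what this thread describes from the web server itself, as an added example that is not Ubercart code or any poster's code: connect with SSLv3 excluded and certificate verification left on, optionally with a newer CA bundle. The function name, the gateway URL and the CA bundle path given on the command line are assumptions, and the "SSL connection using" line it looks for is the wording of OpenSSL-backed libcurl builds.

```php
<?php
// Added example. Usage (both arguments are supplied by the person testing):
//   php check_tls.php https://gateway.example/ [/path/to/cacert.pem]

/**
 * Performs a handshake-only request with TLS 1.x required and verification on.
 * Returns array('ok' => bool, 'error' => string, 'tls_line' => string).
 */
function check_gateway_tls($url, $ca_bundle = NULL) {
  $log = fopen('php://temp', 'w+');         // collects libcurl's verbose trace
  $ch = curl_init($url);
  curl_setopt_array($ch, array(
    CURLOPT_NOBODY => TRUE,                 // HEAD request; the handshake is enough
    CURLOPT_RETURNTRANSFER => TRUE,
    CURLOPT_TIMEOUT => 15,
    CURLOPT_SSL_VERIFYPEER => TRUE,         // validate the certificate chain
    CURLOPT_SSL_VERIFYHOST => 2,            // certificate must match the host name
    CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1, // TLS 1.0 or later, never SSLv3
    CURLOPT_VERBOSE => TRUE,
    CURLOPT_STDERR => $log,
  ));
  if ($ca_bundle !== NULL) {
    // An up-to-date bundle lets newer (e.g. SHA-2) chains verify.
    curl_setopt($ch, CURLOPT_CAINFO, $ca_bundle);
  }
  curl_exec($ch);
  $errno = curl_errno($ch);
  $error = curl_error($ch);
  unset($ch);                               // release the handle

  rewind($log);
  $verbose = stream_get_contents($log);
  fclose($log);
  $tls_line = '';
  if (preg_match('/^\* *(SSL connection using .*)$/m', $verbose, $m)) {
    $tls_line = trim($m[1]);                // negotiated protocol and cipher
  }
  return array('ok' => $errno === 0, 'error' => $error, 'tls_line' => $tls_line);
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
  $v = curl_version();
  echo "libcurl {$v['version']} / {$v['ssl_version']}\n";
  $r = check_gateway_tls($argv[1], isset($argv[2]) ? $argv[2] : NULL);
  echo $r['ok'] ? "OK: {$r['tls_line']}\n" : "FAILED: {$r['error']}\n";
  exit($r['ok'] ? 0 : 1);
}
```

A failure that mentions the certificate points at the CA bundle, while a handshake failure points at the TLS support of the local cURL/OpenSSL build.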