Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Due to the recently announced POODLE vulnerability (CVE-2014-3566) authorize.net is shutting off SSLv3 protocols to their gateway, and switching to TLS 1.x instead. This will effect payment processing. Is there a way to change the protocol used in ubercart to communicate with gateways, or will this negotiation happen automatically?
Comment | File | Size | Author |
---|---|---|---|
#6 | Poodle.pdf | 449.28 KB | tm01xx |
Comments
Comment #1
longwaveWe do not specify which protocol to use. We use the cURL library to connect to Authorize.Net, and most setups should allow both SSL and TLS here, so everything should carry on working.
Comment #2
lhugg CreditAttribution: lhugg commentedMy further testing of this on the authorize.net sandbox indicates that this is true. The sandbox already has SSL turned of, so if your application works against it then your site is able to negotiate to use the more secure TLS. Thanks for confirming.
Comment #3
volcanocruiser CreditAttribution: volcanocruiser commentedis this the same confirmed method for Ubercart 7.x using Paypal?
Comment #4
tm01xx CreditAttribution: tm01xx commentedHi,
I am using Ubercart Paypal 6.x-2.2. I have received Paypal letter recently telling me to disable SSL3 and to enable TLS asap as they will shutdown SSL3 service by 3 Dec 2014.
Is there affecting to my Ubercart Paypal version I am using? should i do anything in my end?
Many thanks!
Comment #5
tm01xx CreditAttribution: tm01xx commentedComment #6
tm01xx CreditAttribution: tm01xx commentedPlease check the attachment for more info:
Comment #7
longwaveThe same applies for all payment methods that come with Ubercart: we do not specify which method to use, so as long as your cURL setup does not disallow TLS (this is very unlikely), then there will be no impact when SSLv3 is disabled.
Comment #8
tczaude CreditAttribution: tczaude commentedHow is look sytuaction in Ubercart 3 in Drupal 7
Comment #9
drewwestcott CreditAttribution: drewwestcott commentedIs this the case in all versions of Ubercart I'm using 6x 2.9 atm.
Comment #10
TR CreditAttribution: TR commentedYes, yes, yes. This is true of all versions of Ubercart running on all version of Drupal.
Comment #12
webservant316 CreditAttribution: webservant316 commentedI am running Drupal 6.31 with Ubercart 6.x-2.13 and could not talk to my credit card processor with the SHA2 SSL certificates and the processor told me to set curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0) per this instruction http://curl.haxx.se/docs/sslcerts.html and now it works. I don't think this is a long term solution and I am working to port to D7 anyway.