Due to the recent POODLE vulnerability discovery, payment processors (such as PayPal and Authorize.net etc) have begun disallowing the use of (the industry standard version of) SSL v3, which has triggered problems during checkout:
You may receive an error during checkout, like:
– An error occurred when we tried to contact the payment processor. Please try again, select an alternate payment method, or contact the store owner for assistance.
– (35) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number”
– (35) error:14094410:SSL routines:func(148):reason(1040)
– (35) SSL connect error
– 35 Connect error
– v1.3.8a – only the linkpoint_api module (but if you’re using v1.3.8/v1.3.8a or older then you REALLY need to upgrade for additional security reasons)
– v1.3.9 – all the files listed below
– v1.5.0-v1.5.3 – all the files listed below
ZEN CART v1.5.4 ALREADY CONTAINS THESE FIXES!
YOU SHOULD UPGRADE NOW!
If you need your zen cart updated to the latest version 1.5.4, you can purchase the upgrade service in my shoppe.
If you want to fix it yourself, here’s how:
To change your Zen Cart site to use auto-negotiation of SSL version instead, do the following:
Search all PHP files for “CURLOPT_SSLVERSION”, and you will find it typically appears like this (a list of known files is included below):
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
Simply comment-out the line, like this:
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
(NOTE: In the case of paypal_curl.php, the code looks like the following, which is similar but written differently for other reasons. Just add the // to the beginning of the line, as shown here:)
// CURLOPT_SSLVERSION => 3,
/includes/modules/payment/paypal/paypal_curl.php around line 58
/includes/modules/payment/authorizenet_aim.php around line 600
/includes/modules/payment/authorizenet_echeck.php around line 589
/includes/modules/payment/paypaldp.php around line 2342 (not necessary in all versions, but if it’s present, comment it out)
/includes/modules/payment/linkpoint_api/class.linkpoint_api.php around line 309
(Line numbers may differ depending on what Zen Cart version you’re using)
You may have additional files affected … ie: other payment modules you’ve added which may be using CURL to connect using SSL v3, in which case similar edits can be made.
If you have shipping modules (like USPS or UPSXML or FEDEX, etc) or other code that connects over SSL, commenting-out the CURLOPT_SSLVERSION setting should suffice. If doing that results errors or connection problems, contact the maintainer of the module for further assistance.
Commenting-out the CURLOPT_SSLVERSION line will cause PHP to negotiate the best possible SSL/TLS version supported by the destination server.
There are some sites out there advocating setting the value to 1, but our initial testing suggests that simply forces the same auto-negotiation since 1 is an invalid option.
Other sites are suggesting setting it to 4 or 6 (or use equivalent PHP constants, but those PHP constants are not available in all versions of PHP). While these are possible, they are potentially more restrictive than necessary given what we know at this time.
As of Oct 20, PayPal has agreed that while their own docs advocate setting the value to 4, commenting it out (ie: NOT specifying any CURLOPT_SSLVERSION) is perfectly acceptable at this time.
The same solution has been tested with Authorize.net, and works fine.