Briefing on PayPal SSL 3.0 payment problems 1


whitepaperSummary

PayPal plug a security vulnerability and reject 10,000s of valid transactions from being completed. Customers are charged. PayPal has the cash. But you get no notification that the order is complete. The paper looks at the issue, helps you diagnose if you have the problem and provides a fix for you or your web developer.
Background to the issue

On Tuesday PayPal announced that it was responding to the SSL 3.0 Poodle vulnerability which was made public on the same day.  In the Statement they said they would be assuming SSL 3.0 was potentially vulnerable and “In the coming days, we will remove support for SSL 3.0 completely”.

Now most web sessions use TLS rather than SSL 3.0 and so there seemed little reason to panic. SSL 3.0 is rarely called in the normal use of secure web pages.

Unfortunately, what emerged today was a double whammy that has left many merchants struggling to figure out why transactions are failing and customers are complaining.

Within 24 hours of that statement, PayPal rejected all SSL 3.0 to its server systems. Again this should not had any major effect to accessing systems. In fact web access and most PayPal systems functioned as expected. However, for vendors using the Instant Payment Notification protocol payments carried on being accepted but the automated confirmation return messages were not being processed correctly. In the merchant side code, supplied by PayPal, the code forced all transactions to use SSL 3.0 rather than any other SSL level. This meant that Google’s call back from the merchant system was then rejected by PayPal as being potentially vulnerable. So PayPal has the cash but the order is still unconfirmed.

This type of issue can occasionally occur and PayPal as a method of resending the IPN so you can unstuck the stuck transaction. However, these resends were all also rejected too.

So how can you tell if you are affected?
Login to your PayPal account and get the transaction time of the last transaction and the customer name. Check in your order system (e.g Magento, OSCommerce etc) and see if the order is visible and confirmed paid. If not, you are most likely to have the issue. No further PayPal orders will be confirmed until you fix the problem.

Want to fix it yourself or need instructions for your developer?
The fix is to simply change 3 lines of code in paypal_ipn.class.php. At line 105 you should see:

if ($this->force_ssl_v3) {
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
}

Change these to read:

// if ($this->force_ssl_v3) {
curl_setopt($ch, CURLOPT_SSLVERSION, 1);
// }

And upload the file back to your server.
Alternatively the PayPal GitHub repository for the code has been
updated and you can get a new version of the class from:

https://github.com/paypal/sdk-core-php

Drop me note if you would like any help getting your site back up and running.


Leave a comment

Your email address will not be published. Required fields are marked *

One thought on “Briefing on PayPal SSL 3.0 payment problems

  • Andras

    Hi, we have an exactly same issue. Using a Magento shopping cart. Could you help me what I need changing of the code? I not found the above posted code snippet nowhere .. Thanks. Andras