Topic: Paypal TLS 1.2 problem


Offline andika

Paypal TLS 1.2 problem
« on: June 26, 2018, 04:20:14 AM »
Hello,

Today I received the final warning from PayPal that I don't meet the new security requirements:

-------------------

Upgrade your PayPal security encryption by June 26, 2018.
 

Jonathan,

We’ve tried contacting you to inform you of an urgent security requirement that now needs your immediate attention. Starting on June 26, 2018, PayPal will be making changes that may impact your ability to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business account.

Action required by June 26, 2018.

 Our records show that your PayPal integration uses an older encryption protocol. You must take the following actions immediately to upgrade your PayPal integration(s) to the TLS 1.2 cryptographic protocol by June 26, 2018.

 1.    Visit our security website to view the requirements: www.paypal.com/tls
 2.    If your website is hosted by a third-party, work with your web hosting company or ecommerce software provider. Otherwise, please contact your in-house web programmer or system administrator to make these updates.
 3.    Use our testing environment to verify that your servers support the latest security standards: https://tlstest.paypal.com. The testing environment will present a PayPal_Connection_OK message if you’ve completed the server update correctly. Note that you must test your API using your server, not your web browser.

 If you fail to upgrade your integration by June 26, 2018, you may not be able to accept any PayPal transactions, process credit card payments with PayPal, or access the funds in your PayPal Business account.

 If you need additional support, please contact your web hosting company, ecommerce software provider, in-house web programmer, or system administrator. You can also visit our Help Center for more detail.

 PayPal Merchant Services
 
   --------------------------


What settings should I make in HostBill? How do I test it, and where in HostBill should I load the link https://tlstest.paypal.com for testing?

Offline d4f

Re: Paypal TLS 1.2 problem
« Reply #1 on: June 26, 2018, 06:36:57 AM »
From all the information I could gather (and guess), HostBill uses the standard connection API "curl", which is fully TLS 1.2 compliant if your PHP environment is not older than the dinosaurs. This means that as soon as only TLS 1.2 works, the payment plugin will switch to using it.

As to *why* PHP would choose to use an older encryption standard on the connections, I can only guess.

For reference, here is some PHP code to check if your server supports TLS 1.2, both through cURL and through PHP.
Upload it to your website and call it in the browser. It should show two lines:
CURL TEST: OK
PHP TEST: OK
Code:
<?php
error_reporting(E_ALL);
ini_set('display_errors', 'on');

function get_web_page($url)
{
    $options = array(
        CURLOPT_RETURNTRANSFER => true,     // return web page
        CURLOPT_HEADER         => false,    // don't return headers
        CURLOPT_FOLLOWLOCATION => true,     // follow redirects
        CURLOPT_ENCODING       => "",       // handle all encodings
        CURLOPT_USERAGENT      => "spider", // who am i
        CURLOPT_AUTOREFERER    => true,     // set referer on redirect
        CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
        CURLOPT_TIMEOUT        => 120,      // timeout on response
        CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
        CURLOPT_SSL_VERIFYPEER => true,     // SSL cert checks
    );

    $ch      = curl_init($url);
    curl_setopt_array($ch, $options);
    $content = curl_exec($ch);              // false on a transport/TLS failure
    $err     = curl_errno($ch);
    $errmsg  = curl_error($ch);
    $header  = curl_getinfo($ch);
    curl_close($ch);

    $header['errno']   = $err;
    $header['errmsg']  = $errmsg;
    $header['content'] = $content;
    return $header;
}

function check_result($content)
{
    if ($content == "PayPal_Connection_OK") return "OK";
    elseif ($content) return "Error: $content";
    else return "Error: no content returned.";
}

// Plain PHP stream (no cURL): HTTP/1.1, one request per connection.
$ctx = stream_context_create([
    'http' => [
        'protocol_version' => 1.1,
        'header'           => [
            'Connection: close',
        ],
    ],
]);

echo "CURL TEST: " . check_result(get_web_page("https://tlstest.paypal.com/")['content']) . "<br>" . PHP_EOL;
echo "PHP TEST: " . check_result(file_get_contents("https://tlstest.paypal.com/", false, $ctx)) . "<br>" . PHP_EOL;

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #2 on: June 26, 2018, 08:46:47 AM »
Yes, I got this response:

CURL TEST: OK
PHP TEST: OK


But why is PayPal saying in that email that I don't meet their requirements? Is it because the PayPal HostBill plugin doesn't meet their demands right now?

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #3 on: June 28, 2018, 07:27:18 AM »
Today a payment failed using IPN:

Payment gateway error from the HostBill admin:

[_verification] => IPN Not Verified
[_debug] =>
HTTP/1.1 307 Temporary Redirect
Server: AkamaiGHost
Content-Length: 0
Location: https://www.paypal.com/cgi-bin/webscr/?IPN=true
Date: Thu, 28 Jun 2018 11:24:11 GMT
Connection: close
Set-Cookie: akavpau_ppsd=15305651~id=96e73637551555b21a9f9a3948c7de; Domain=www.paypal.com; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=63072000

« Last Edit: June 28, 2018, 07:50:25 AM by andika »

Offline d4f

Re: Paypal TLS 1.2 problem
« Reply #4 on: June 29, 2018, 04:03:12 AM »
That does not seem to be related to SSL/TLS though.

Quote
HTTP/1.1 307 Temporary Redirect
You get an HTTP response code, so the HTTP connection seems to work, which in turn means that the underlying TLS encryption must work too; otherwise the request would never have gotten that far.

I do not currently have Paypal issues on my install so it may have been a fluke?

Quote
But why paypal is saying on that email that I don't meet their requirements ?
*Maybe* (and I'm guessing here) PHP is lazy and picks the easiest encryption available and not the best available. That would fit into how PHP does a lot of the other things too... easy before security in all cases  ;D
That would mean that when PayPal only has TLS 1.2 available, it will still work.
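
The debug trace quoted above is a 307 with Content-Length: 0 and a Location of /cgi-bin/webscr/?IPN=true; a client that stops at that response gets an empty body instead of VERIFIED. Below is an added example (not HostBill's PayPal plugin and not PayPal's sample code) of an IPN postback that requires TLS 1.2, follows the redirect while keeping the POST, and fails closed on anything but an exact VERIFIED. The endpoint is the host and path from the trace; the listener context (php://input) and the function name are assumptions.

```php
<?php
// Added example; not HostBill's PayPal plugin and not PayPal's sample code.
// Assumed: this runs inside the IPN listener, so the raw POST body is in php://input.
// The endpoint host and path are taken from the debug output in the thread.

function verify_paypal_ipn(string $rawBody, string $endpoint = 'https://www.paypal.com/cgi-bin/webscr'): array
{
    // IPN verification: echo the untouched body back, prefixed with cmd=_notify-validate.
    // Re-encoding $_POST can alter the data, so replay the raw bytes instead.
    $payload = 'cmd=_notify-validate&' . $rawBody;

    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $payload,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Connection: close', 'User-Agent: ipn-verifier/1.0'],
        // Require TLS 1.2 explicitly: a stack that cannot do it fails here with a clear
        // curl error instead of silently negotiating something older.
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        // The trace shows a 307 to /cgi-bin/webscr/?IPN=true with Content-Length: 0.
        // Follow it, and keep the POST method and body on every redirect code.
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 3,
        CURLOPT_POSTREDIR      => CURL_REDIR_POST_ALL,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => 60,
    ]);

    $response = curl_exec($ch);
    $result = [
        'http_code'  => curl_getinfo($ch, CURLINFO_HTTP_CODE),
        'final_url'  => curl_getinfo($ch, CURLINFO_EFFECTIVE_URL),
        'curl_errno' => curl_errno($ch),
        'curl_error' => curl_error($ch),
        'body'       => is_string($response) ? trim($response) : '',
    ];
    curl_close($ch);

    // Fail closed: only a 200 with exactly VERIFIED counts. An unfollowed 307 (empty body),
    // INVALID, a TLS handshake failure or a timeout all end up here as "not verified".
    $result['verified'] = ($result['http_code'] === 200 && $result['body'] === 'VERIFIED');
    return $result;
}

// Hypothetical listener usage: log the whole result so a failure is diagnosable from the admin log.
$ipn = verify_paypal_ipn(file_get_contents('php://input'));
if (!$ipn['verified']) {
    error_log('IPN not verified: ' . json_encode($ipn));
    http_response_code(500);   // a non-2xx answer makes PayPal retry the notification later
    exit;
}
// Only now trust the IPN fields (txn_id, receiver_email, mc_gross, payment_status) and record the payment.
```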

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #5 on: June 29, 2018, 07:24:10 AM »
Quote
That does not seem to be related to SSL/TLS though.
You get an HTTP response code, so the HTTP connection seems to work, which in turn means that the underlying TLS encryption must work too; otherwise the request would never have gotten that far.

I do not currently have Paypal issues on my install so it may have been a fluke?
*Maybe* (and I'm guessing here) PHP is lazy and picks the easiest encryption available and not the best available. That would fit into how PHP does a lot of the other things too... easy before security in all cases  ;D
That would mean that when PayPal only has TLS 1.2 available, it will still work.


Today other payments failed with the same error. :( Now I have to check all the payments manually.

Offline d4f

Re: Paypal TLS 1.2 problem
« Reply #6 on: June 29, 2018, 09:22:21 AM »
It works fine for me across all payment gateways; maybe you have an issue with your server or with your most recent HostBill update?

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #7 on: June 30, 2018, 03:51:52 AM »
Quote
It works fine for me across all payment gateways; maybe you have an issue with your server or with your most recent HostBill update?

Nothing was done; I haven't updated HostBill for 2 years due to custom file modifications. Very strange that the issue came 2 days after the final PayPal security encryption notification..

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #8 on: June 30, 2018, 03:56:23 AM »
I just logged in to PayPal and got this big popup:


Offline d4f

Re: Paypal TLS 1.2 problem
« Reply #9 on: July 01, 2018, 10:12:45 AM »
2 *years* without updates???
No wonder it doesn't work: in two years a lot has changed, including newer PHP version requirements, major security updates and changes to how PayPal works....
I think the most important step is to get you back up and running on the updates, and only *after* that debug any remaining payment issues. It's possible that it has nothing to do with TLS encryption and more with using an outdated PayPal API; both should fix themselves when you are on the new updates.

What changes to HostBill code would require you not to install updates? I haven't needed to block updates for anything so far and I've added a *lot* of custom stuff. Nearly anything can be done as a plugin, hook, API call or via template.

The only thing I had to exclude is Smarty, due to adding a few custom methods to access the singleton and rewrite the template variables on the fly. But in those cases you can add an exclusion to the auto-update so your changed file never gets touched. Custom modules, custom templates and custom files in general are *not* overwritten by HostBill during updates!

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #10 on: July 02, 2018, 04:52:10 AM »
Quote
2 *years* without updates???
No wonder it doesn't work: in two years a lot has changed, including newer PHP version requirements, major security updates and changes to how PayPal works....
I think the most important step is to get you back up and running on the updates, and only *after* that debug any remaining payment issues. It's possible that it has nothing to do with TLS encryption and more with using an outdated PayPal API; both should fix themselves when you are on the new updates.

What changes to HostBill code would require you not to install updates? I haven't needed to block updates for anything so far and I've added a *lot* of custom stuff. Nearly anything can be done as a plugin, hook, API call or via template.

The only thing I had to exclude is Smarty, due to adding a few custom methods to access the singleton and rewrite the template variables on the fly. But in those cases you can add an exclusion to the auto-update so your changed file never gets touched. Custom modules, custom templates and custom files in general are *not* overwritten by HostBill during updates!

I have upgraded HostBill to the 2018-06-27 version. It seems fine, but I get an error warning:

'Warning There are some new entries in error log from Today', content:

Exception: SQLSTATE[HY000]: General error: 1271 Illegal mix of collations for operation 'UNION' IN /home/admin/public_html/mysite.com/includes/modules/Site/automation/models/class.automation_model.php(922), stack trace:
#0 /home/admin/public_html/mysite.com/includes/modules/Site/automation/models/class.automation_model.php(922): PDO->query()
#1 /home/admin/public_html/mysite.com/includes/modules/Site/automation/models/class.automation_model.php(1367): Automation_Model->importPOP()
#2 /home/admin/public_html/mysite.com/includes/modules/Site/automation/models/class.automation_model.php(1126): Automation_Model->automate()
#3 /home/admin/public_html/mysite.com/includes/modules/Site/automation/models/class.automation_model.php(1066): Automation_Model->loadProfiles()
#4 /home/admin/public_html/mysite.com/includes/modules/Site/automation/cli/class.automation_controller.php(11): Automation_Model::run()
#5 /home/admin/public_html/mysite.com/hbf/core/class.controller.php(264): Automation_Controller->_default()
#6 /home/admin/public_html/mysite.com/hbf/core/types/class.cli_frontcontroller.php(53): Controller::dispatchControl()
#7 /home/admin/public_html/mysite.com/hbf/core/class.frontcontroller.php(145): CLI_FrontController::dispatch()
#8 /home/admin/public_html/mysite.com/hbf/core/class.frontcontroller.php(125): FrontController->handleRequest()
#9 /home/admin/public_html/mysite.com/admini/cron.php(15): FrontController::init()
#10 {main}


Also the import ticket task failed:

Import Tickets using POP method: Recent task executions failed, task has been disabled. The debug button shows no message.

I found this topic but no real solution: https://www.hostbillforums.com/index.php?topic=103.0

How do I fix them?

« Last Edit: July 02, 2018, 05:33:24 AM by andika »

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #11 on: July 02, 2018, 07:16:15 AM »
New error when trying to check a client's credit history; error loading on the web:
Uh oh! Something went wrong ...
Exception: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (utf8_unicode_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation '=' IN /home/admin/public_html/mysite.com/includes/modules/Site/clients/models/class.clientcredit_model.php(118), stack trace:
#0 /home/admin/public_html/mysite.com/includes/modules/Site/clients/models/class.clientcredit_model.php(118): PDOStatement->execute()
#1 /home/admin/public_html/mysite.com/includes/modules/Site/clientcredit/admin/class.clientcredit_controller.php(36): ClientCredit_Model->listCreditLog()
#2 /home/admin/public_html/mysite.com/hbf/core/class.controller.php(264): ClientCredit_Controller->_default()
#3 /home/admin/public_html/mysite.com/hbf/core/types/class.admin_frontcontroller.php(124): Controller::dispatchControl()
#4 /home/admin/public_html/mysite.com/hbf/core/class.frontcontroller.php(145): Admin_FrontController->dispatch()
#5 /home/admin/public_html/mysite.com/hbf/core/class.frontcontroller.php(125): FrontController->handleRequest()
#6 /home/admin/public_html/mysite.com/admini/index.php(24): FrontController::init()
#7 {main}


Error log from the admin area:

Exception: SQLSTATE[HY000]: General error: 1267 Illegal mix of collations (utf8_unicode_ci,IMPLICIT) and (utf8_general_ci,IMPLICIT) for operation '=' IN /home/admin/public_html/mysite.com/includes/modules/Site/clients/models/class.clientcredit_model.php(118), stack trace:
#0 /home/admin/public_html/mysite.com/includes/modules/Site/clients/models/class.clientcredit_model.php(118): PDOStatement->execute()
#1 /home/admin/public_html/mysite.com/includes/modules/Site/clientcredit/admin/class.clientcredit_controller.php(36): ClientCredit_Model->listCreditLog()
#2 /home/admin/public_html/mysite.com/hbf/core/class.controller.php(264): ClientCredit_Controller->_default()
#3 /home/admin/public_html/mysite.com/hbf/core/types/class.admin_frontcontroller.php(124): Controller::dispatchControl()
#4 /home/admin/public_html/mysite.com/hbf/core/class.frontcontroller.php(145): Admin_FrontController->dispatch()
#5 /home/admin/public_html/mysite.com/hbf/core/class.frontcontroller.php(125): FrontController->handleRequest()
#6 /home/admin/public_html/mysite.com/admini/index.php(24): FrontController::init()
#7 {main}

Offline d4f

Re: Paypal TLS 1.2 problem
« Reply #12 on: July 02, 2018, 07:18:29 AM »
Before we continue, let me note that I do not approve of the way you handle your clients' security and your general approach to the most important piece of your administrative system - the billing system. Hoping for the best on an auto-update system by jumping two years is nearly as bad as not having run the auto-update for the 2 years in the first place.
Sorry for that rant, but I had to get it off my chest.

HostBill updates are cumulative, meaning they include all prior changes since auto-update was introduced. This means in *theory* that you can jump from any version to the newest version, as it will apply the updates consecutively until it reaches the newest version. However, that means that the version jump you ran through has never actually been tested and anything can have gone wrong. During the last two years some requirements (most significantly: PHP version) have changed.
Let's start there: how did you handle the fact that your old version needed a different PHP version than the new version?

Offline andika

Re: Paypal TLS 1.2 problem
« Reply #13 on: July 02, 2018, 08:15:03 AM »
Quote
Before we continue, let me note that I do not approve of the way you handle your clients' security and your general approach to the most important piece of your administrative system - the billing system. Hoping for the best on an auto-update system by jumping two years is nearly as bad as not having run the auto-update for the 2 years in the first place.
Sorry for that rant, but I had to get it off my chest.

HostBill updates are cumulative, meaning they include all prior changes since auto-update was introduced. This means in *theory* that you can jump from any version to the newest version, as it will apply the updates consecutively until it reaches the newest version. However, that means that the version jump you ran through has never actually been tested and anything can have gone wrong. During the last two years some requirements (most significantly: PHP version) have changed.
Let's start there: how did you handle the fact that your old version needed a different PHP version than the new version?


I think I found where the problem is: the database has mixed content. The tables newly added by the update use the InnoDB engine while my old ones are MyISAM. Also the collation is utf8_general_ci on the new update while the old ones are utf8_unicode_ci. I need to find a way to change them both at once; can you help me?
« Last Edit: July 02, 2018, 08:18:59 AM by andika »

Offline d4f

Re: Paypal TLS 1.2 problem
« Reply #14 on: July 02, 2018, 09:08:52 AM »
To my knowledge you can't alter tables without committing the changes, so you never get a synchronous conversion.
I would recommend setting your HostBill to maintenance mode and doing it manually, but here are the SQL commands to alter tables:
Code:
ALTER TABLE t1 ENGINE = InnoDB;
ALTER TABLE <table_name> CONVERT TO CHARACTER SET utf8 COLLATE utf8_unicode_ci;

Note that some tables must be in MyISAM and some in InnoDB. Attached is a list of how it should look.
You can ignore the tables that do not start with hb_; they are from custom modules.
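
To apply the CONVERT TO CHARACTER SET command above to every mismatched hb_ table in one pass, here is an added PHP/PDO script (not HostBill code) that lists the tables whose collation differs from the target and prints the ALTER statements, executing them only when --apply is given. Engines are reported but never changed, since some tables must stay MyISAM; the DSN, credentials and schema name are placeholders.

```php
<?php
// Added example, not HostBill code. Placeholders: DSN, user, password and schema name.
// Target collation follows the ALTER in the reply above; table engines are only reported.

function collation_mismatches(PDO $db, string $schema, string $target = 'utf8_unicode_ci'): array
{
    // Base tables with the hb_ prefix whose default collation differs from the target.
    // The backslash keeps the underscore literal inside LIKE.
    $stmt = $db->prepare(
        "SELECT TABLE_NAME, TABLE_COLLATION, ENGINE
           FROM information_schema.TABLES
          WHERE TABLE_SCHEMA = :schema
            AND TABLE_TYPE = 'BASE TABLE'
            AND TABLE_NAME LIKE 'hb\\_%'
            AND TABLE_COLLATION <> :target
          ORDER BY TABLE_NAME"
    );
    $stmt->execute([':schema' => $schema, ':target' => $target]);

    $fixes = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $fixes[] = [
            // Identifiers come from information_schema, not from user input; quote them anyway.
            'sql'  => sprintf('ALTER TABLE `%s` CONVERT TO CHARACTER SET utf8 COLLATE %s',
                              str_replace('`', '``', $row['TABLE_NAME']), $target),
            'note' => sprintf('%s: %s -> %s (engine %s, left unchanged)',
                              $row['TABLE_NAME'], $row['TABLE_COLLATION'], $target, $row['ENGINE']),
        ];
    }
    return $fixes;
}

function run_fixes(PDO $db, array $fixes, bool $apply): int
{
    // Each ALTER is DDL and commits on its own, so there is no single transaction to roll back:
    // review the dry-run output (and take a backup) before passing $apply = true.
    foreach ($fixes as $fix) {
        echo $fix['note'], PHP_EOL, '  ', $fix['sql'], ';', PHP_EOL;
        if ($apply) {
            $db->exec($fix['sql']);
        }
    }
    return count($fixes);
}

$db = new PDO('mysql:host=localhost;dbname=HOSTBILL_DB;charset=utf8', 'DB_USER', 'DB_PASSWORD',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$apply = in_array('--apply', $argv ?? [], true);   // dry run unless --apply is given
$count = run_fixes($db, collation_mismatches($db, 'HOSTBILL_DB'), $apply);
echo $count, ' table(s) ', ($apply ? 'converted' : 'would be converted'), PHP_EOL;
```

Run it once without --apply while HostBill is in maintenance mode, compare the list against the engine list from the reply, then run it again with --apply.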