POODLE Caused PayPal To Discontinue Support For SSL 3.0

As of December 3, 2014 at 12:01 a.m. Pacific Standard Time (PST), PayPal has discontinued support for Secure Sockets Layer version 3 (SSL v3.0) to help keep customers' accounts secure from the POODLE vulnerability. However, PayPal has found a short-term workaround that lets it extend SSL v3.0 support for most merchants, but only until January 12, 2015 at 12:01 a.m. PST.

PayPal is well aware of the compatibility issues that will arise from shutting off SSL 3.0 and is still identifying other possible issues that may result from this decision.

Will this affect you?

Whether you are an independent developer, an online service provider, or anyone else working from the furthest corner of the world: if you have integrated PayPal as your online payment solution, or provide PayPal integration as a service, you should pay attention.

Consider these three simple steps from the PayPal Merchant Response Guide:

1. Test your current integration against the PayPal Sandbox
The simplest way to find out whether you are using SSL v3.0 is to test your current integration against the PayPal Sandbox. SSL 3.0 has already been disabled on the Sandbox, so if you can successfully make an application programming interface (API) request, you are not using SSL 3.0. If your request fails, check your logs; if you see an error similar to those shown below, you are using SSL v3.0 and will need to configure your secure connection to use Transport Layer Security (TLS).

Unknown SSL protocol error in connection to api-3t.sandbox.paypal.com:- 9824

Or

140062736746144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
…
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol: SSLv3
…

2. Update to TLS
Every PayPal integration that uses SSL v3.0 for client interaction must disable SSL v3.0 and upgrade to TLS. You will find detailed upgrade instructions for each SDK and language here.

As per PayPal, no current Software Development Kit (SDK) version uses SSL 3.0. However, since the Java and PHP SDKs were recently updated to address this issue, all merchants using these SDKs or legacy SDKs (older than October 21, 2014) will need to update to the latest version.

3. Issue new credentials
According to PayPal, this step is strongly recommended but not required.

If you are using Certificate authentication, no action is required, because the vulnerability is in the SSL v3.0 protocol and not in the design of the SSL certificates.

If you are using Signature authentication, see here.

If you are using OAuth authentication, see here.
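As an added example (not code from this post or from PayPal), the following Python helper automates the triage in steps 1 and 2: it scans a client log for the SSL 3.0 signatures quoted above and builds a client context that cannot fall back to SSL 3.0. The sample log is constructed from the post's error lines, and the TLS 1.2 floor is an assumption (the post only requires TLS).

```python
import re
import ssl

# Log signatures quoted in the post as evidence that a client is still
# negotiating SSL 3.0 against the PayPal sandbox (curl and openssl s_client).
SSL3_INDICATORS = (
    ("curl: protocol mismatch", re.compile(r"Unknown SSL protocol error")),
    ("openssl: wrong version number", re.compile(r"SSL3_GET_RECORD:wrong version number")),
    ("session negotiated SSLv3", re.compile(r"Protocol\s*:\s*SSLv3\b")),
)


def find_ssl3_indicators(log_text):
    """Return [(line_number, label)] for every log line matching an indicator."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for label, pattern in SSL3_INDICATORS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


def tls_only_client_context():
    """Client context that can never fall back to SSL 3.0 (or SSL 2.0)."""
    ctx = ssl.create_default_context()  # already sets OP_NO_SSLv2 | OP_NO_SSLv3
    # Assumption: TLS 1.2 as the floor; the post only requires "TLS".
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_forbids_ssl3(ctx):
    """True when the context refuses SSL 3.0 and has a TLS floor."""
    no_ssl3 = bool(ctx.options & ssl.OP_NO_SSLv3)
    return no_ssl3 and ctx.minimum_version >= ssl.TLSVersion.TLSv1


# Constructed sample log mixing the post's error lines with a healthy TLS session.
SAMPLE_LOG = """\
curl: (35) Unknown SSL protocol error in connection to api-3t.sandbox.paypal.com:443
140062736746144:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
SSL-Session:
    Protocol  : SSLv3
SSL-Session:
    Protocol  : TLSv1.2
"""

if __name__ == "__main__":
    for lineno, label in find_ssl3_indicators(SAMPLE_LOG):
        print(f"line {lineno}: {label}")
    print("hardened context forbids SSLv3:", context_forbids_ssl3(tls_only_client_context()))
```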

For more details, please visit PayPal MTS.

Further reading:
https://devblog.paypal.com/poodle-ssl-3-0-vulnerability/
