
Poodle SSL 3 0 Vulnerability - all our transactions are failing as of this morning (PayPal Payments Pro)

Thread began 11/18/2014 4:10 pm by Nathon Jones Web Design | Last modified 11/19/2014 1:02 pm by Jason Byrnes | 1326 views | 5 replies |

Nathon Jones Web Design

In case anyone else is having this problem, all of our transactions started failing this morning.

We contacted PayPal and Cardinal Commerce, and Cardinal Commerce were first back in touch with the following information:
"We recently, this morning, disabled any incoming traffic that uses SSL v. 3.0 protocol due to the POODLE vulnerability. From a SSL certificate standpoint, can you confirm that you are not using SSL v. 3.0? You may need to check with your host server if you do not know."

On the PayPal website they seem to have some important information about the POODLE vulnerability:
https://ppmts.custhelp.com/app/answers/detail/a_id/1182

So I'm assuming that this is what the problem is. I'm also assuming that this will have to be changed by WebAssist.
Hope you can help with this. Anyway, just a heads up for anyone else experiencing issues.

NJ


Jason Byrnes (WebAssist)

We do not set the protocol to use for sending the transaction to PayPal through cURL; this means it will use the host's default protocol.

The Poodle vulnerability will only be encountered if your host has SSLv3 set as the default protocol for cURL communications.

You should have your host disable SSLv3 for the cURL library and set TLS as the fallback.

More information on the Poodle vulnerability can be found here:
http://chrisburgess.com.au/how-to-test-for-the-sslv3-poodle-vulnerability/

To get information on the cause of the failure, add the following in the body section of the failure page:

<?php @session_start(); var_dump($_SESSION); ?>

This will write the session contents to the page, including the gateway's response. The gateway's response will contain information on why the transaction failed.


Nathon Jones Web Design

Sorry to rain on your parade Jason but Ray had to make changes to our website last night because there is a section within the eCart code that specifies SSL3. This was relating to integration with Cardinal Commerce where you have 3D Secure or SecureCode security checks on Visa and Mastercard transactions.

You also need to disable SSLv3 for the cURL library though, as you've said.

Can I also advise caution when adding <?php @session_start(); var_dump($_SESSION); ?> to your failure page. This exposes all of the card details on screen and we had a client forward a screenshot of the failure which, of course, contained all their card details! :(

Thank you.
NJ
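
Added example, not part of the thread and not eCart or WebAssist code: a PHP cURL handle that sets the protocol explicitly instead of inheriting the host's default, with the kind of SSLv3 pin described above shown commented out as the "before". The function names, the endpoint URL and the form field are hypothetical.

```php
<?php
// Added example (not eCart/WebAssist code). Function names, the endpoint
// and the form field below are hypothetical.

// Pick the strictest TLS constant this PHP/libcurl build exposes.
function tls_min_version()
{
    // CURL_SSLVERSION_TLSv1_2 needs PHP >= 5.5.19 / 5.6.3; older builds
    // only define CURL_SSLVERSION_TLSv1, which means "TLS 1.x" and lets
    // libcurl negotiate the highest version both sides support.
    return defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2
        : CURL_SSLVERSION_TLSv1;
}

// Build a handle for a gateway POST that never negotiates SSLv3.
function gateway_curl_handle($endpoint, array $fields)
{
    $ch = curl_init($endpoint);
    // Before: a pinned SSLv3 handshake, the protocol POODLE targets and
    // the one the gateway stopped accepting:
    //   curl_setopt($ch, CURLOPT_SSLVERSION, 3); // CURL_SSLVERSION_SSLv3
    curl_setopt_array($ch, array(
        CURLOPT_SSLVERSION     => tls_min_version(),
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate validation on
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
    ));
    return $ch;
}

// The libcurl and TLS library versions PHP is linked against, which is
// what the host needs to know when asked about cURL's default protocol.
function curl_tls_report()
{
    $v = curl_version();
    return 'libcurl ' . $v['version'] . ' / ' . $v['ssl_version'];
}

if (PHP_SAPI === 'cli') {
    // The handle is only configured here; no request is sent.
    $ch = gateway_curl_handle('https://gateway.example.invalid/pay', array('amount' => '1.00'));
    echo curl_tls_report(), "\n";
}
```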


Jason Byrnes (WebAssist)

The Cardinal Commerce and 3D Secure implementation is custom coding that is not standard in eCart.

The code that Ray had to edit is not standard eCart code; it was custom coding that he created through Premiere support for the site.

As for the var_dump, it is not intended to be left in place, but as a temporary troubleshooting tool.


Nathon Jones Web Design

Yes, but I was highlighting the issue because I'm surely not the only WebAssist customer to use this...right? :(

Temporary or not, the users' payment details are exposed on screen and it's not something that pleases them, let me tell you! ;)

NJ
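
Added example, not part of the thread and not eCart or WebAssist code: one way to keep the troubleshooting value of the session dump without putting card data on the customer's screen, by masking card fields and writing the result to the server log. The function names, the key-name pattern and the sample session keys are assumptions, since the thread does not list the real session keys.

```php
<?php
// Added example (not eCart/WebAssist code). Function names, the key-name
// pattern and the sample array are assumptions, not real eCart session keys.

// Luhn checksum: true for digit strings that look like real card numbers.
function luhn_ok($digits)
{
    $sum = 0;
    $alt = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($alt) {
            $d *= 2;
            if ($d > 9) { $d -= 9; }
        }
        $sum += $d;
        $alt = !$alt;
    }
    return $sum % 10 === 0;
}

// Recursively copy the array, masking card data by key name or by value.
function redact_for_debug(array $data)
{
    $out = array();
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $out[$key] = redact_for_debug($value);
            continue;
        }
        if (!is_scalar($value)) {          // objects, null, resources
            $out[$key] = '[' . gettype($value) . ']';
            continue;
        }
        $digits = preg_replace('/[ -]/', '', (string) $value);
        if (preg_match('/card|cc_?num|cvv|cvc|expir/i', (string) $key)) {
            $out[$key] = '[redacted]';     // errs on the side of over-redacting
        } elseif (preg_match('/^\d{13,19}$/', $digits) && luhn_ok($digits)) {
            $out[$key] = '[redacted, ends ' . substr($digits, -4) . ']';
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample standing in for $_SESSION on the failure page.
$sample = array(
    'cc_number' => '4111 1111 1111 1111',
    'gateway'   => array('response' => 'Declined', 'acct' => '4111111111111111'),
);
// Write to the server log, not to the page the customer sees.
error_log(print_r(redact_for_debug($sample), true));
```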


Jason Byrnes (WebAssist)

My answer to the Poodle question was based on standard eCart coding.

Your implementation is not standard. I can't speak to non-standard coding. I can only base my answer here in the forum on the standard coding.

If you prefer not to use var_dump, see this tutorial:
http://www.webassist.com/tutorials/Debug-eCart-transaction-failures

