Read carefully. Paypal is ceasing to support the sslv3 protocol, affecting 80% of the currently installed Paypal modules for Prestashop. Here is how to fix it before it breaks!
On October 14, 2014, a bug has been found in the SSL 3.0 (Secure Sockets Layer) cryptography protocol. This vulnerability, even though timely addressed, could have potentially exposed sensible data to anyone able to intercept it when sent between computers and servers.
Paypal has therefore decided to completely cease supporting the SSLv3 protocol starting this December 3, 2014. If you use both Paypal and Prestashop, you might have got an email reading “Immediate action required” by paypal itself, detailing what I just mentioned.
The substance is everyone currently running a Paypal Module (Europe) for Prestashop MUST update or fix it before that date in order to continue accepting payments with Paypal. The Prestashop team already came up with an updated version of it, but you might not want to upgrade the full module at the risk of breaking it completely (as it often happens). Here is what can be done, including updating, to make the transition as less painful as possible.
I didn’t check myself, but the module’s developer guarantees versions prior to 2.8.6 are not affected. Thus, if you are still using one of the older versions, you can rest peacefully between two pillows. Also, it “seems” the Paypal USA module is not affected, though it’s not been confirmed yet (I will update about it as soon as I know more)
Before doing anything, make sure you backup your current paypal tables in the database, and paypal module files.
Simple update to version 3.8.0
That said, if you want to go for the full update (easiest way, but risky as with all updates), you can find the latest version of the Paypal Europe module here: Paypal Module for Prestashop.
Download the fixed file for your version – Last Updated November 19
Being asked to fix several versions of the module, I added the modification to a couple of them and zipped them up in an archive you can download below (constantly updated). The affected file is /modules/paypal/api/paypal_connect.php if your version is newer than 3.0.9, and /modules/paypal/api/paypalconnect.php if older.
Therefore, if you are not a developer and have the minimum knowledge on how to use an FTP client, but not enough to deal with PHP, you can use this method instead of plugging in the fix yourself.
Only use this if you never touched the paypal_connect.php file! What to do with this archive?
- 1. Open it, and grab the folder labeled as your paypal module version
- 2. If your version is not there, send me an email with your own, original paypal_connect.php file (or without underscore for older versions). I will add the fix and update the archive the sooner
- 3. Simply replace the original file. By reaching /modules/paypal/api/.
Apply the fix yourself
Fixing the API file is quite easy if you have a basic PHP knowledge. Many thanks to Tomer from Presto-Changeo for clarifying the fix procedure.
To do it, open up/modules/paypal/api/paypal_connect.php (or, onhce more the non-underscored version). Locate the following:
@curl_setopt($ch, CURLOPT_SSLVERSION, 3);
Comment it out, or delete it.
$fp = @fsockopen('sslv3://'.$host, 443, $errno, $errstr, 4);
And change it to
$fp = @fsockopen('tls://'.$host, 443, $errno, $errstr, 4);
Done! Save and upload.
Important! Test the fix!
Never to stress it enough, make sure you test the Paypal module still works after this! In fact, chances are you might bump into the following
What do to if so? As stated in the original Forum thread, add the following
echo "<pre>";print_r($this->_logs);echo "</pre>";
To the fixed file, right before
This should give you more info about what is going on.
Whether it will work or not, make sure you actively follow the Official Paypal Module Board on the Prestashop Forums, as we might get more info as we approach the deadline.
Keep up with my blog as well! I will be updating the downloadable zip file as soon as I am sent versions of the module I don’t currently have.
Also, please share this and spread the word so to warn as many merchants as possible!