ActiveMerchant Poodle patch for PayPal

1
votes

I'm using Rails 3, ActiveMerchant 1.5.1 gem, and PayPal express. Since recently I can't get my payments work through PayPal, continue to receive this error

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

I believe this is related to PayPal response to Poodle. Is there any patch for ActiveMerchant to address these PayPal changes or the SSL 3.0 Vulnerability in general?

2
ruby-on-railssslpaypalactivemerchantpoodle-attack
Might be you need to change the SSL connection to TLS . You can find more info here regarding moving to TLS connections: ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/SSL/…Eshan
See the conversation here: github.com/Shopify/active_merchant/pull/1434Davidslv

2 Answers

4
votes

Thanks to Eshan I found that Net::Http can be forced to use specific protocol during connection. That's how I patched my version of ActiveMerchant

def configure_ssl(http)
  ...

  http.use_ssl = true

  http.ssl_version = :TLSv1  # poodle vulnarability fix

  ...
end

For those who have a newer version of ActiveMerchant, I think upgrading to the master, as suggested by Davidslv, should work.

1
votes

We are having the same problems, and we are looking into using the activemerchant from master branch instead of rubygems since there's a commit that "fixes" this.