activemerchant / active_merchant

Active Merchant is a simple payment abstraction library extracted from Shopify. The aim of the project is to feel natural to Ruby users and to abstract as many parts as possible away from the user to offer a consistent interface across all supported gateways.
http://activemerchant.org
MIT License

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) On production server #1907

Closed bipashant closed 7 years ago

bipashant commented 9 years ago

I know there are lots of discussions regarding this error, but sorry to say that I'm unable to find any working solution there. I'm developing an ecommerce site using ShareTribe (https://github.com/sharetribe/sharetribe). I'm trying to implement PayPal as the payment gateway.

Everything works fine on my development machine, but when I deploy my Rails app to production it throws

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

I'm initializing my Activemerchant as

config.after_initialize do
  ActiveMerchant::Billing::Base.mode = :test
  paypal_options = {
    login: "bla bla",
    password: "bla bla",
    signature: "bla bla",
    appid: "APP-80W284485P519543T"
  }
  ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
end

After googling, I found that SSLv3 was proven to be insecure with the POODLE vulnerability. You should make sure that your system has the latest version of OpenSSL so that you can use TLSv1.2. So is there any working solution for this? Any suggestion will be appreciated.

Update

solution

I solved the problem, after lots of research, finally able to solve this.

I added the line OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE in my initializer.

ntalbott commented 9 years ago

@bipashant what version of Ruby and OpenSSL are you using in production?

bipashant commented 9 years ago

@ntalbott I'm using OpenSSL 1.0.1e-fips 11 Feb 2013 and ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]

bipashant commented 9 years ago

@ntalbott Do I need to have HTTPS on my server side in order to call the PayPal sandbox API?

Ritesh-patel commented 9 years ago

Hi @ntalbott

I'm facing the same issue with the PayPal gateway.

ActiveMerchant::Billing::PaypalGateway.new(
    :login => 'test@foo.com',
    :password => 'foofoo',
    :signature => 'signature'
)

I'm using ruby 2.1.6p336 (2015-04-13 revision 50298) [x86_64-linux] and OpenSSL 1.0.2d 9 Jul 2015.

bipashant commented 9 years ago

@Ritesh-patel, is this on production?

Ritesh-patel commented 9 years ago

Yes, it's on production.

bipashant commented 9 years ago

Are you using HTTPS?

Ritesh-patel commented 9 years ago

No, not using HTTPS.

bipashant commented 9 years ago

Same here.

ntalbott commented 9 years ago

@bipashant @Ritesh-patel what version of ActiveMerchant are you using?

Ritesh-patel commented 9 years ago

@ntalbott I'm using ActiveMerchant 1.32.1.

bipashant commented 9 years ago

@ntalbott Sorry for the belated reply. I'm using activemerchant (1.53.0). I added HTTPS and disabled SSLv3.

Please find a detailed explanation here

http://stackoverflow.com/questions/33359960/opensslsslsslerror-ssl-connect-returned-1-errno-0-state-sslv3-read-server-c

bipashant commented 8 years ago

@ntalbott I'm still facing the problem.

bipashant commented 8 years ago

@ntalbott and @Ritesh-patel I solved the problem, after lots of research, finally able to solve this.

I added the line OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE in my initializer.

ntalbott commented 8 years ago

It's your call, but setting VERIFY_PEER to NONE is basically equivalent to disabling TLS altogether and connecting over plaintext HTTP. It makes man in the middle attacks trivial, and will not pass a PCI audit.

On Tuesday, November 17, 2015, Bibek Sharma Chapagain <notifications@github.com> wrote:

> @ntalbott and @Ritesh-patel I solved the problem, after lots of research, finally able to solve this.
>
> I added the line OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE in my initializer.


Nathaniel
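
Added example (not part of the original thread and not ActiveMerchant code): a loopback reproduction of the point made in the comment above. A client using VERIFY_PEER rejects a certificate it cannot chain to a trusted issuer with the same "certificate verify failed" error, VERIFY_NONE accepts that certificate unchecked, and VERIFY_PEER with the correct trust anchor connects. The self-signed certificate, the name gateway.example.test and all helper names are constructed for this demonstration.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate: a server whose issuer the client does not trust.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Loopback TLS server on an ephemeral port; returns the port number.
def start_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new("127.0.0.1", 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new { loop { ssl.accept.close rescue nil } } # aborted handshakes are expected
  tcp.addr[1]
end

# One client handshake; reports whether the server certificate was accepted.
def handshake(port, verify_mode, store = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.cert_store = store if store
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), ctx)
  sock.sync_close = true
  sock.connect
  :connected
rescue OpenSSL::SSL::SSLError => e
  e.message.include?("certificate verify failed") ? :verify_failed : :ssl_error
ensure
  sock&.close
end

def demo
  cert, key = self_signed("gateway.example.test")
  port = start_server(cert, key)
  trusted = OpenSSL::X509::Store.new.add_cert(cert) # the fix: supply the right trust anchor
  { default_verify_peer: handshake(port, OpenSSL::SSL::VERIFY_PEER),
    verify_none:         handshake(port, OpenSSL::SSL::VERIFY_NONE),
    verify_peer_with_ca: handshake(port, OpenSSL::SSL::VERIFY_PEER, trusted) }
end
puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The demo exercises chain verification only; HTTP clients such as Net::HTTP additionally check the host name against the certificate when verification is enabled.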

bipashant commented 8 years ago

Ohh, is it? I just knew about this. Thanks a lot. So what is the best way to fix this, @ntalbott?

ntalbott commented 8 years ago

The OpenSSL version you're compiled against is pretty old. I'd start by upgrading that.

On Tuesday, November 17, 2015, Bibek Sharma Chapagain <notifications@github.com> wrote:

> Ohh, is it? I just knew about this. Thanks a lot. So what is the best way to fix this, @ntalbott?


Nathaniel

m-nasser commented 8 years ago

Can you please state which version of activemerchant and active_utils you're using?

bipashant commented 8 years ago

activemerchant (1.53.0) but I didn't find any gem/dependency named "active_utils"

rgagnon commented 8 years ago

I'm facing this issue on the PayPal sandbox. ActiveMerchant is returning this: The SSL connection to the remote server could not be established

on:

OpenSSL 1.0.1g 7 Apr 2014
built on: Tue Apr 8 09:07:07 CEST 2014
platform: linux-x86_64

Any idea?

ntalbott commented 8 years ago

@rgagnon you've got an almost 2-year-old version of OpenSSL there - I'd start by upgrading it.

rgagnon commented 8 years ago

Humm, ok I thought it was the latest. I'll try it thanks

rgagnon commented 8 years ago

I'm sorry, yes that was not the latest version at all :-/

It works now

Thank you

davidsantoso commented 7 years ago

Closing due to inactivity.

AkashMartin1 commented 6 years ago

If I just replace the certificate with a newer version, it works, but I don't know what the negative effect would be.

OR RE: https://github.com/activemerchant/active_merchant/issues/1643#issuecomment-142803421

Thanks