♥Biancoblu Posted April 9, 2014

Just a thought, due to the recent Heartbleed Bug it may be wise, for those that applied the excellent 2012 fix provided by @Mort-lemur in this thread regarding PayPal checkout confirmation, to update their OpenSSL certificate. However I read that the OpenSSL 0.9.8 branch, which was used in the fix provided by Heather, should NOT be vulnerable.

I don't know if PayPal checkout confirmation is still an issue in the newest Osc version, but for older versions it might be useful to consider.

~ Don't mistake my kindness for weakness ~

Mort-lemur Posted April 9, 2014

You can also check your server for vulnerability with these tools: http://filippo.io/Heartbleed/ and http://possible.lv/tools/hb/

Now running on a fully modded, Mobile Friendly 2.3.4 Store with the Excellent MTS installed - See my profile for the mods installed ..... So much thanks for all the help given along the way by forum members.

burt Posted April 11, 2014

Please note that this is not an osCommerce bug, but is a bug in the server software being used by your host.

To check which version of OpenSSL is being used, go:

admin > tools > server info

This brings up a large page which has a lot of information about your site and server. Scroll down until you find:

"SSL Version"

Here you will see the exact version installed on the server. As far as I am aware, versions of OpenSSL from 1.0.1 to 1.0.1f (inclusive) are problematic. If your server info page reports you as using one of these, you need to contact your host to ascertain if it has been patched or not.

♥geoffreywalton Posted April 12, 2014

Just to expand on the above.

What versions of the OpenSSL are affected?

Status of different versions:

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

Bug was introduced to OpenSSL in December 2011 and has been out in the wild since OpenSSL release 1.0.1 on 14th of March 2012. OpenSSL 1.0.1g released on 7th of April 2014 fixes the bug.

On one of my sites it shows

OpenSSL Version OpenSSL 1.0.0-fips 29 Mar 2010

So in this case it is not using one of the vulnerable versions, so nothing to do.

If it was OpenSSL 1.0.1 through 1.0.1f (inclusive) I would be on the phone to my hosts.

HTH

G
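
The version check described in the posts above, as an added example that is not part of the original thread or of osCommerce: it parses the version string shown on the server info page and applies the ranges listed above. The function name, status labels and all sample banners except the 1.0.0-fips one quoted in the thread are constructed for illustration.

```python
import re

# Matches "OpenSSL 1.0.1e-fips 11 Feb 2013" and the cURL-style "OpenSSL/1.0.1e".
VERSION_RE = re.compile(r"OpenSSL[/ ](\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)

# Status labels (hypothetical names chosen for this example).
IN_RANGE = "in affected range: ask host whether it has been patched"
NOT_AFFECTED = "not affected"
NOT_COVERED = "branch not covered by the thread"
UNKNOWN = "no OpenSSL version found"


def classify_openssl(banner):
    """Return (version, status) for an 'SSL Version' / 'OpenSSL Version' string."""
    m = VERSION_RE.search(banner)
    if not m:
        return (None, UNKNOWN)
    branch = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4).lower()  # patch letter; empty for the base release
    version = "%d.%d.%d%s" % (branch + (letter,))
    if branch in ((0, 9, 8), (1, 0, 0)):
        return (version, NOT_AFFECTED)
    if branch != (1, 0, 1):
        return (version, NOT_COVERED)
    # 1.0.1 (no letter) through 1.0.1f are listed as vulnerable; 1.0.1g is fixed.
    # The version string alone cannot show whether the host patched the
    # package in place, hence "ask host" rather than "vulnerable".
    if letter <= "f":
        return (version, IN_RANGE)
    return (version, NOT_AFFECTED)


if __name__ == "__main__":
    # First banner is quoted in the thread; the rest are constructed samples.
    for banner in (
        "OpenSSL 1.0.0-fips 29 Mar 2010",
        "OpenSSL/1.0.1e",
        "OpenSSL 1.0.1",
        "OpenSSL 1.0.1g",
        "OpenSSL 0.9.8y",
        "NSS/3.15",
    ):
        print("%-32s -> %s: %s" % ((banner,) + classify_openssl(banner)))
```
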
Archived
This topic is now archived and is closed to further replies.