Redsys Servired Payment Processor Update

Hello,

The biggest Spanish payment gateway provider RedSys (servired) is changing the security standards. New changes will be applied from November 23, 2015.

Signature SHA-1 will not be supported anymore after this date.

Does anybody have an updated version of the RedSys (servired) processor?

Thanks

That requirement is a function of your server, not CS-Cart.

I'm also interested in the update to this. I've already asked the CS-Cart help desk for a solution and I'm waiting for an update, as we only have until November 23rd to update it.

As far as I can see in the code of the servired.php payment processor, the current integration uses the SHA-1 algorithm. So the code should be changed.

sok777, post the issue to the bug tracker. It can be missed on the community forum.

I posted the issue in the bug tracker. Hope we get an updated servired.php soon. It affects all versions of CS-Cart.

It has nothing to do with a server in this case. servired.php has to be updated in order to work properly after the 23rd of November 2015.

Okay, you're right. They are doing their own hashing rather than just relying on HTTPS.

So the question is what is the method the provider expects to use? The fix is very simple once you know what they want/expect and I'm guessing there is a different URL to use based on which hash method you are using (unless they try both on their end). I.e. you will probably have to change this line too:

$post_address = ($processor_data['processor_params']['test'] == 'Y') ? "https://sis-t.sermepa.es:25443/sis/realizarPago" : "https://sis.sermepa.es/sis/realizarPago";

If they expect you to be using sha256, then find instances of sha1($string) and change them to hash('sha256', $string) and you should be good to go. But it would be better to review their entire specification rather than just trying to change something on the fly and expect it to work properly.

Excerpt from PHP sha1() man page:


Note that the sha1 algorithm has been compromised and is no longer being used by government agencies.

As of PHP 5.1.2 a new set of hashing functions are available.

http://www.php.net/manual/en/function.hash.php

The new function hash() supports a new range of hashing methods.

echo hash('sha256', 'The quick brown fox jumped over the lazy dog.');

It is recommended that developers start to future proof their applications by using the stronger sha-2, hashing methods such as sha256, sha384, sha512 or better.

As of PHP 5.1.2 hash_algos() returns an array of system specific or registered hashing algorithms methods that are available to PHP.

print_r(hash_algos());
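The sha1() to hash('sha256', ...) swap discussed in the post above, as an added example that is not part of the thread and is not CS-Cart's or Redsys's code. The field names, field order, secret and the concatenate-then-hash construction are assumptions made for illustration; the real construction has to come from the provider's specification.

```php
<?php
// Added example: fields, their order and the secret are constructed,
// not taken from the Redsys specification or from servired.php.

/** Concatenate the order fields and the shared secret, then hash with $algo. */
function sign_fields(array $fields, $secret, $algo)
{
    // Refuse an algorithm this PHP build does not provide (see hash_algos()).
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("hash algorithm not available: $algo");
    }
    return hash($algo, implode('', $fields) . $secret);
}

/** Verify a received signature against the single algorithm we accept. */
function verify_signature(array $fields, $secret, $received, $algo = 'sha256')
{
    $expected = sign_fields($fields, $secret, $algo);
    // hash_equals() needs PHP >= 5.6 and compares in constant time.
    // A 40-hex SHA-1 value can never match a 64-hex SHA-256 value.
    return hash_equals($expected, strtolower($received));
}

// Constructed sample order.
$fields = array(
    'amount'   => '1235',
    'order'    => '0000123456',
    'merchant' => '999008881',
    'currency' => '978',
);
$secret = 'constructed-test-secret';

$old = sign_fields($fields, $secret, 'sha1');   // what sha1($string) produced
$new = sign_fields($fields, $secret, 'sha256'); // what hash('sha256', $string) produces

printf("sha1   (%d hex chars): %s\n", strlen($old), $old);
printf("sha256 (%d hex chars): %s\n", strlen($new), $new);

// Signature made with the accepted algorithm.
var_dump(verify_signature($fields, $secret, $new));
// Legacy SHA-1 signature presented after the cutover.
var_dump(verify_signature($fields, $secret, $old));
// Same SHA-256 signature, but the amount was altered in transit.
$tampered = array_merge($fields, array('amount' => '1'));
var_dump(verify_signature($tampered, $secret, $new));
```

If only one side of the integration is switched, every signature check fails, which is why the shop and the gateway have to agree on the algorithm and on the exact input string.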

I'm also interested in it.

It stops working as of November 23.

I went to look into this for you but their pages don't translate to English and I'm guessing the manuals are not in English either....

Post it to the bug tracker. I think that the CS-Cart team should take care of it.

Just in case... bug tracker issue ID #006091.

I am not sure about translation, but Redsys made the update for the "main" platforms: Magento, Opencart, Prestashop, etc.

http://www.redsys.es/wps/portal/redsys/publica/areadeserviciosweb/descargaDeDocumentacionYEjecutables/!ut/p/a1/04_Sj9CPykssy0xPLMnMz0vMAfGjzOItHS1dDT3dDTz9g82MDDzD_HyNfPwdDfwDDIAKInErcHczJ06_AQ7gaEBIf7h-FFiJh7-zu6FRsIGXu7mTJVCfoZOTQbCPgYGRCVQBPieCFeBxQ0FuaIRBpqciAJbEr50!/dl5/d5/L2dBISEvZ0FBIS9nQSEh/

Yes, it looks like they want SHA256. No manual in English so far.

I will try your method after 23/11/2015.

Thanks.

Hi.

I also posted a message in CS-Cart's communication system. Like all of you, I am very interested in a reliable solution to this issue.

My message got this reply this morning:

Thank you for your message.

We really appreciate your help in this matter. I have forwarded this information to our developers. I would like to draw your attention to the fact that they are working on this issue and we will contact you as soon as we get any results from them.

I'll post in this thread any relevant information from them. If we all collaborate hopefully we'll have a path to update the servired payment method in time to deploy and avoid any business interruption.
Regards,

Hi,

Just as a follow-up, I had this answer from the CS-Cart team today:

We are glad to inform you that our engineers are already working on this issue and the solution is on the testing stage. Most probably, the fix will be ready within the next week.

It will leave us very little time to move on to testing on real stores, but hopefully the script will be OK...

Regards,

Has anyone had any news on this update? The change is in 3 days...

Please check

http://forum.cs-cart.com/tracker/issue-6091-new-redsys-security-requirements/?gopid=23812#entry23812

Hi,

I've received this morning the packages for the update. I am performing some basic checks now.

The files are the same as the ones in the link eComLabs has just posted.

Hope everything is OK!

2.2.x-3.0.x.zip

4.0.x-4.2.2.zip

4.2.3-4.3.4.tar.gz

Thank you. They just sent me the files, but my CS-Cart version is 2.0.6 and the fixes only start at the 2.2 versions...

Please contact the CS-Cart support team. Hope they will help you.

The CS-Cart support team tells me that the 2.2 version files are compatible and "OpenSSL does not affect the Servired payment method. So there is no need to check version of OpenSSL on the server."

So, my fingers are crossed.

Hello,

Has anybody tried version 2.2 - 3.0? Does it work? I did everything as per the instructions, but it seems like it does not work properly or something is wrong. After you press the button "Confirm the order" it says "Proceeding with the payment, please wait" and it never takes you to the following page of Servired. The PHP version is 5.3.3 in this case.

What could be the problem?

Thanks

The problem requires examination on your server. Please contact us via Customer Help Desk and provide temporary access to your server by clicking on the Add record link on the Access information page of your Help Desk account so that we could examine the issue.