Jump to content

  • You cannot start a new topic
  • You cannot reply to this topic

Usps Dropping Support For Sslv3 Rate Topic   - - - - -

 
  • dsdewitt
  • Member
  • Members
  • Join Date: 19-Mar 09
  • 291 posts

Posted 15 November 2016 - 07:01 PM #1

 
I received the following message from USPS. What will I need to do to make sure we have no issues with getting shipping cost to our web site.  We are using cs-cart ver2.1.1
Thanks for any help,
David DeWitt
 

This message explains some security improvements planned for our services. Effective March 2017 (exact date to be determined), Web Tools will discontinue support of SSLv3 for securing connections to our HTTPS APIs including all shipping label and package pickup APIs. After this change, integrations leveraging SSLv3 will fail when attempting to access the APIs.

You are receiving this message because the Web Tools UserID associated with your email address has made HTTPS requests over the past year. It is possible that no changes are necessary to retain Web Tools services and benefit from the improvements. Please review the entire message carefully and share with your web developer, software vendor or IT service provider to determine if your use of the Web Tools APIs will be affected.If you have already updated your security certificates please disregard this message. If you are not sure if any changes are necessary, please ask your IT service provider.

 

Background: Security research published in recent years demonstrated that SSLv3 contained weaknesses that limited its ability to protect and secure communications. These weaknesses have been addressed in the replacement for SSL, Transport Layer Security (TLS). Since then, major browser software vendors have been disabling support for SSLv3 and their work is largely complete. Consistent with our priority to protect USPS Web Tools customers, Web Tools will only support versions of the more modern TLS rather than SSLv3.

Contact us at WebTools@usps.gov with any questions or concerns.

 


David DeWitt
retail site ver. 2.1.1

 
  • gleb.goncharov
  • CS-Cart Expert
  • Authorized Reseller
  • Join Date: 04-Oct 13
  • 351 posts

Posted 16 November 2016 - 07:22 AM #2

Hello,

 

You should make sure that CS-Cart 2.x core and necessary add-ons don't have hardcoded constants on curl_setopt calls, forcing to use SSLv3 instead of TLS 1.x. Also you should check the version of cURL PHP extension and how it was compiled with OpenSSL (what version of OpenSSL do you use?). Ask your hosting provider to check it for you.



 
  • dsdewitt
  • Member
  • Members
  • Join Date: 19-Mar 09
  • 291 posts

Posted 15 March 2017 - 08:17 PM #3

Hello,

 

You should make sure that CS-Cart 2.x core and necessary add-ons don't have hardcoded constants on curl_setopt calls, forcing to use SSLv3 instead of TLS 1.x. Also you should check the version of cURL PHP extension and how it was compiled with OpenSSL (what version of OpenSSL do you use?). Ask your hosting provider to check it for you.

Sorry for the late reply.  To date USPS is still working.

Well now you are getting beyond my knowledge.  Can you give me more explicit instruction on what to check.

 

David DeWitt


David DeWitt
retail site ver. 2.1.1