PSIGate and Unknown Protocol Error

[dgbaker]

Hey all;

 

I am hoping someone (maybe a linux guru?) can help me out with this urgent issue. I have a ticket open but still can't get this resolved.

 

Here is the issue, our PSIGate gateway module died the other night with the following error:

Error => 1035

Error Message => error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

 

We have tried the solutions from support for updating a broken openssl that was said to fix this issue. Well, in our case it has not fixed it.

 

We have the latest openssl installed;

rpm -qa |grep openssl

openssl-devel-1.0.1e-16.el6_5.x86_64

openssl-1.0.1e-16.el6_5.x86_64

 

Openssl connects to PSIGate without issue.

 

openssl s_client -connect secure.psigate.com:443 -state

 

Verify return code: 0 (ok)

 

Yet when we run a credit card through PSIGate we get the same error as above. We've spoke with PSIGate support and they do not even see a connection attempt from us so we know it has to do something on our end.

 

 

Anyone out there have any thoughts on getting this working again? As it stands we are kinda dead as a company if we cannot process credit card payments.

 

As an addon to this, one of our other servers (exact same setup O/S and all) we have a client using whmcs and netbilling and it works fine.

 

Thanks for any help or suggestions.

 

David

[AnnoStephen]

We just ran into the exact same error TODAY! All PSIGate payments are failing with the SSL error you mentioned. We are still on version 5.2.12, how about you David?

 

I will contact PSIGate support too, continue my research and post back here when I know more.

[dgbaker]

We were on 5.2.12 and just upgraded to 5.2.14 and still same issue. At least I know we aren't alone.

[AnnoStephen]

David, I sent you a PM with a possible interim solution.

[AnnoStephen]

PSIGate Support suggests we add the following line to the code in modules/gateways/psigate.php:

curl_setopt($ch, CURLOPT_SSLVERSION, 1);

 

I have run some tests, and confirm that communication with PSIGate server works with this line, and fails without.

 

This seems more than just a coincidence to me; independent WHMCS installations running into the same problem on the same day. I suspect that something has changed on PSIGate's side with respect supported protocols. In other words, I believe this is NOT a WHMCS bug, but we do need the WHMCS dev team to work around the problem. I have now opened a ticket requesting addition of the above code.

 

I will post an update when I have more information.

[AnnoStephen]

WHMCS Support has indicated that there is a good probability that the error is due to a bug in a recent OpenSSL upgrade in CentOS 6.5. I tend to agree with them.

[dgbaker]

Nope cause this works fine.

 

openssl s_client -connect secure.psigate.com:443 -state

 

Verify return code: 0 (ok)

[AnnoStephen]

I agree -- I have downgraded OpenSSL from version 1.0.1e-16.el6_5 to 1.0.1e-15.el6 and get the exact same behaviour. Are you on CentOS 6.5 too?

 

I have received no further news from PSIGate support yet.

[dgbaker]

I am indeed on 6.5, done the whole upgrade/downgrade of openssl as well. WHMCS support basically not helping either and just keeps saying it's an O/S issue even though I have shown that we are using the latest openssl patch and still having the issue. The fact other gateway modules are not effected (like netbilling, paypal etc...) says that there is code specific in psigate that they should be looking at.

 

I am not happy with WHMCS support cause they seem to be unwilling to help their clients even with work-arounds nor updating the software to work with 6.5 properly.

 

P.S. I replied to your PM thanks.

[rlservices]

I'm also on CentOS 6.5 and same issues! I opened a ticket but now seeing this thread I guess i'll have to wait!

[AnnoStephen]

At this time I can only guess about the cause. I would really appreciate a work-around from the WHCMS team; but nothing concrete from them so far.

[WHMCS Lawrence]

[Removed workaround as there have been reports of SSH issues after implementing it]

Edited January 6, 2014 by WHMCS Lawrence
workaround causes issues for SSH

[AnnoStephen]

The procedure posted above by Lawrence worked for us. Thank you!

[AnnoStephen]

HOLD YOUR HORSES! The suggested update broke some PHP scripts and (critical!) SSH access. Maybe just our server, but please proceed with caution.

Edited December 10, 2013 by AnnoStephen

[dgbaker]

What I don't understand is why not make the extremely simple change to psigate.php instead of screwing around with the O/S which as Stephen has just shown can cause way more issues with other software. As I stated in a ticket, it is WHMCS responsibility to ensure THEIR software works. I will say this is not the way WHMCS staff used to be, not sure why they have become so closed minded especially since PSIGate themselves have handed you a simple solution.

[AnnoStephen]

I have mixed feelings about the WHMCS dev team's reluctance to help. On the one side, I can see that they need to focus on the development of the core product and cannot possibly respond to every possible problem scenario. The flip-side, however, this is a serious issue affecting business for multiple users (at least three of us, gauging by this forum), so one could reasonably expect help. Lawrence has gone out of his way to try find a solution, but ultimately he is just between a rock (us nagging users) and a hard place (an uncooperative dev team).

 

I should have known that a workaround would not be forthcoming from the WHMCS dev team. Some recent bugs (introduced by the security updates) got fixed within days and other things not at all. (The cron currency exchange updater has not worked for months now!) If that is is the case for the core system, only a fool (such as me) would hope for a code change to address some obscure problem like this one.

 

If it was a simple thing to switch to another system, we would have been out of here weeks ago. Fact is that we have become very reliant on WHMCS and are learning to take the good with the bad.

 

I remember when support for cPanel suddenly became hard to access a couple of years ago, but that was exactly when they got their crap together and started building a better system. Hopefully the same is true for WHMCS!

[dgbaker]

Well said Stephen and couldn't agree more. As a cPanel forum Moderator (although not active for quite some time) I remember the days when support their was awesome. I am in no way though blaming front line support here, and yes it is the developers that need to listen. I can accept them not making a change if it was something silly or cosmetic, but when it is an issue that basically cripples their software for some of their customers this should be a higher concern that should be addressed in the software. PSIGate users are basically crippled from using this software without a true fix. I know I will be more actively looking at alternative software as a recourse to this issue and future.

[ithosts]

Hello. I am having the very same issue. My support team has explicitly warned against downgrading OpenSSL.

Psigate has provided a fix but I can't have it implemented. How can I do business without being able to process credit cards?

[WHMCS Lawrence]

Well said Stephen and couldn't agree more. As a cPanel forum Moderator (although not active for quite some time) I remember the days when support their was awesome. I am in no way though blaming front line support here, and yes it is the developers that need to listen. I can accept them not making a change if it was something silly or cosmetic, but when it is an issue that basically cripples their software for some of their customers this should be a higher concern that should be addressed in the software. PSIGate users are basically crippled from using this software without a true fix. I know I will be more actively looking at alternative software as a recourse to this issue and future.

 

The main issue here is that this is a bug solely in the RedHat-modified version of OpenSSL that is being shipped particularly with CentOS 6.5. Given how Red Hat tends to modify libraries with backports from newer versions and other changes, this appears to be due to a change they introduced. Due to the abstract nature of how we use cURL in WHMCS (using a wrapper function instead of calling it directly where needed), a change such as the one PSIGate support has been giving their customers could have unintended affects on other modules that depend upon cURL. Regrettably, this is a very corner case issue and it is ultimately up to Red Hat/CentOS to issue an update that fixes the bug they introduced.

[ithosts]

Here's the issue I have now.

 

After listening to suggestions from WHMCS on how the problem was "a server issue based on CentOs 6.5 + OpenSSL", I became desperate.

 

With no-one able to offer a true solution, I asked WHMCS support if I switched to a new server running CentOs 5 if this would solve the issue. They assured me this would indeed fix the problem.

 

So, last night, I paid for a new domain, migration and testing to ensure that my domain was all working. I then modified the nameservers to point to the new dedicated ip on the new server.

 

I update my WHMCS license on the new server ip, so far all is fine. I goto my process CC link and voila! NO DIFFERENCE.

 

I get the exact same error as before! If the issue is indeed because of CentOS 6.5, why does it not work still?

[ithosts]

Here is WHMCS tech support reply

"Our users have been discussing the issue in this forum thread: http://forum.whmcs.com/showthread.php?82655

There are some suggestions there for server configurations you might try that could resolve the issue.

 

If we can be of any more assistance, please don't hesitate to get back in contact."

 

Has any user out there found a true solution? Moving to a different OS did not help me at all. I am not getting any support from software support and I really need to get this done.

[LifelineDesign]

The server fix is not usable.... it breaks SSH.

 

Can we please have a modified psigate.php file until CentOS patches?

 

I'd do it myself, but the file is encrypted

 

Thanks,

Dave

[WHMCS Lawrence]

Here's the issue I have now.

 

After listening to suggestions from WHMCS on how the problem was "a server issue based on CentOs 6.5 + OpenSSL", I became desperate.

 

With no-one able to offer a true solution, I asked WHMCS support if I switched to a new server running CentOs 5 if this would solve the issue. They assured me this would indeed fix the problem.

 

So, last night, I paid for a new domain, migration and testing to ensure that my domain was all working. I then modified the nameservers to point to the new dedicated ip on the new server.

 

I update my WHMCS license on the new server ip, so far all is fine. I goto my process CC link and voila! NO DIFFERENCE.

 

I get the exact same error as before! If the issue is indeed because of CentOS 6.5, why does it not work still?

 

Switching to a server running CentOS 5.x has been confirmed to resolve this issue, so it is likely something else is at play here that is unrelated to the OpenSSL bug in CentOS 6.5

[milezteg]

Signed up to this forum as I am now desperate for a solution. I am not a whmcs user but use a shopping cart called OpenCart. I moved to a new server today (Debian 7.4) with OpenSSL 1.0.1e. I am getting the same errors you guys are getting when processing CCs with psigate: SSL23_GET_SERVER_HELLO:unknown protocol

 

I tried adding the line: curl_setopt($ch, CURLOPT_SSLVERSION, 1);

 

No dice! I found it strange because when I use curl from my server to connect to psigate's processor AND force SSLv1 I manage to get through the handshake:

 

# curl -sslv1 https://dev.psigate.com:7989/Messenger/XMLMessenger -verbose
* About to connect() to dev.psigate.com port 7989 (#0)
*   Trying 216.220.59.211...
* connected
* Connected to dev.psigate.com (216.220.59.211) port 7989 (#0)
* successfully set certificate verify locations:
*   CAfile: none
 CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-MD5

 

Anyways, REALLY hoping someone out there has a solution as I've got no response yet from psigate and unable to process credit cards

[twshosting]

I have the same error after update whmcs . always error : Error Message => error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Psigate Module don't work now and any of our client can pay with his credit card. Please if some one fixed this problem please let me know how or suggest to me a solution .

 

Thank you