PSIGate and Unknown Protocol Error

[twshosting]

Hi all,

 

It was my serious problem with psigate and centos 6.5 , so problem has been confirmed really. and only centos 5.X will be fonctionnel with psigate

[twshosting]

This is the answer from psigate support will be help the developper of psigate module :

“Force TLS1.0 by adding curl_setopt($ch, CURLOPT_SSLVERSION, 1); into our php part, which then FORCES to connect in TLS1.0 ... “

 

In my side problem has been fixed with centos 5.x

[dilitalo]

We have just upgraded server and are running into the same problem. Has anybody fixed this? What are the steps? Please help.

 

Thanks in advance

[apollo1]

I was considering signing up for PSIGate and am pretty discouraged by this thread.

 

WHMCS - per the post from twshosting has this been applied? I am one of the users paying yearly support, are you guys not going to fix this? It's already 06-04-2014.

[H8R]

Yeah I ran into the same issue. Haven't been able to process cards since upgrading to Debian 7.

 

WHMCS is unwilling to make the simple software change to force it to TLS 1.0.

 

Unless you want to write your own module, apollo1, then forget it. I now have to build a CentOS 5 box to run WHMC's shitty PSIGate module.

 

I am not staying with WHMCS for very long, after being a customer for over two years. After all the security BS, this is the final straw.

[WHMCS John]

Hi,

The development team investigated this at the time, and unfortunately it's not something we can resolve at our end. For maximum compatibility with the widest range of server configurations, we have contacted PsiGate and suggested they enable TLS 1.1. and 1.2 support at their end.

[apollo1]

Thanks John for the update. Well hopefully PsiGate considers this suggestion, otherwise they stand to lose new business from signups who want to use their service with WHMCS.

[mrl14]

I am now getting this error:

 

Error => 1052

Error Message => Empty reply from server

 

We need a fix or to open source the plugin.

[scottosm]

Sadly, I'm now hit with this same issue, I'm getting:

 

Error => 1052

Error Message => Empty reply from server

 

The server admins and WHMCS support staff are indicating that psigate needs to update their protocol to support more than just TLS 1.0. Not getting much luck there with psigate.

 

My understanding is that TLS 1.0 is a very old and insecure protocol from 1999.

 

Anyone able to get this fixed on their own via server settings or anything?

[DSN]

I just got off the phone with PSIGate about this issue. There are a number of ways that WHMCS could take 30 seconds to solve this issue:

 

1. Add this code to the psigate.php module:

curl_setopt($ch, CURLOPT_SSLVERSION, 1);

 

2. Point the XML to a new cart they have setup that uses SSL3. Same address but on a different port. Port 17934

 

These are two options in the hands of WHMCS that can be done 'today' to fix all the issues.

 

I am submitting a ticket on the same information and urging for the 5 minutes of attention to be paid to this that it deserves.

[ifacto]

I am also having the 1052 issue. I need to keep PHP 5.3 as it works, but I can't upgrade to PHP 5.4 because of this. I opened a ticket on September 1st about this but was thinking it was related to my setup and they said to contact PSiGate. I will reopen it to ask for the fix above.

[ifacto]

Hello all,

 

WHMCS provided me a fix to the 1052 issue with the solution of DSN by using SSL v3 port. I confirm that it fixes the issue I had with PHP 5.4 and Windows Server (for my case).

 

This update has not gone through entire testing but if you want to try using it, ask WHMCS about fix for case #4616.

 

Thank you!

[mrl14]

I'm bringing this back up - If you run a version of curl newer than 7.24.0, connecting to the live PSIGate environment will fail. You'll receive "Empty reply from server".

 

For example, running curl 7.38.0, connecting to the test server works fine, connecting to live results in the above error. PSIgate is making some mandatory switch later this month to turn of SSLv3 and we need to get to the bottom of this ASAP. Please provide a fix.

[ifacto]

Hello mrl14,

 

I received the email about the change from PSiGate at the end of June. Did you contact them to know if the protocols TLS 1.X are enabled on the port 17434 presently configured in WHMCS or we must use new ports (ie 7989/17989) ? I think I will contact them because their email wasn't clear about this.

 

For example, running curl 7.38.0, connecting to the test server works fine, connecting to live results in the above error. PSIgate is making some mandatory switch later this month to turn of SSLv3 and we need to get to the bottom of this ASAP. Please provide a fix.

 

Which test servers are you refering about that works and which live servers?

 

Thank you.

[mrl14]

Hi,

 

Connecting to PSIGate's test service which only accepts TLS 1 works, connecting to the current live server fails. Maybe it only accepts SSLv3 and Curl 7.38 doesn't allow SSLv3? I'm still working on this and PSIGate's service is very slow. This is a huge concern for us as I'm sure once people upgrade CURL all transactions will fail.

[ifacto]

Hello,

 

They are using a firewall that block some ciphers, so it's the reason that we had to replace the port to 17934 some months ago, which doesn't block new ciphers (as a workaround). The standard port is restricted to some older ciphers.

 

Presently, they are using only SSL 3.0 and TLS 1.0 as protocols for production, but maybe the test environment is already updated with new procotols, so it can explain why you are connecting successfully.

 

After the change, they will allow only TLS 1.0, TLS 1.1 and TLS 1.2. Anyway, SSL 3.0 has the Poodle vulnerability, so it's normal that most companies stop using it gradually.

 

I don't use Curl, but it maybe one of these reasons (I'm not an expert in SSL!!):

 

1- As communications going more secure by using TLS 1.1 and TLS 1.2, those are negociated with a higher priority. If it's impossible, it lower to older protocols or weak ciphers.

 

2- Many old ciphers were vulnerable, so it's possible that none can be negociated to allow communications with their Production server, ending with your no response issue as Curl expect more secure one.

[mrl14]

PSIgate support is terrible. I have asked several times for the cipher list so that my tech people can see what the situation is yet they either respond with something totally unrelated or ignore me. I am now using port 17934 which works, but this isn't the right solution. What happens when they shut down that work around port? I really wish there were some other companies that worked in Canada as PSIgate has proven time and time again that they don't care too much about us.

[ifacto]

I generally had great support with them since 2003. It's a small company, so it's possible that it's not perfect, but overall, I am happy with them.

 

I really doubt they will shutdown that production port because it's widely used. I sent an email to them and I will confirm it to you tomorrow if they plan to shudown it in the future.

 

For your information, the official temporary outage of SSL 3.0 will occur on June 14th between 9AM and 1PM EST, so you will be able to test it if you want.

 

There are other companies in Canada that can take credit cards (or external but can charge in CAD if you are in Canada). I always find that comparing companies and fees is not very easy so finally always gave up!

[ifacto]

From PSiGate:

We are keeping the second production port open indefinitely. We will give plenty of notice if we ever plan to consolidate our ports.

 

So don't be worried about it.

Edited June 5, 2015 by ifacto