
I'm hoping someone might be able to help me. I have a client that has a website running Python 2.7.5+ (according to python -V). It's an ecommerce site that also uses the eWay payment gateway. They recently made some changes to only support TLS1.2 https://www.eway.com.au/tls-updates.

However, when a customer goes through the checkout it shows a denied message from the eWay payment gateway. eWay say that this is because the transaction is still not coming through as TLS1.2.

I have upgraded the Amazon EC2 instance and modified the apache .conf file so that it only supports TLS1.2, and I have verified this by checking the site through an SSL test with https://www.ssllabs.com/ssltest/.

Therefore, I believe the issue may be due to the pyOpenSSL package being on a version that doesn't support TLS1.2. It's apparently on version 0.13: pyOpenSSL==0.13.

I was wondering if someone might be able to help confirm or disprove my theory (I know this may be difficult with not having access to the server) and perhaps provide some pointers.

I have tried upgrading pyOpenSSL using the command pip install –upgrade pyopenssl==0.15.1 but I got the following error:

Exception:
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/pip-1.5.2-py2.7.egg/pip/basecommand.py", line 122, in main
    status = self.run(options, args)
  File "/usr/local/lib/python2.7/dist-packages/pip-1.5.2-py2.7.egg/pip/commands/install.py", line 253, in run
    InstallRequirement.from_line(name, None))
  File "/usr/local/lib/python2.7/dist-packages/pip-1.5.2-py2.7.egg/pip/req.py", line 172, in from_line
    return cls(req, comes_from, url=url, prereleases=prereleases)
  File "/usr/local/lib/python2.7/dist-packages/pip-1.5.2-py2.7.egg/pip/req.py", line 70, in __init__
    req = pkg_resources.Requirement.parse(req)
  File "/usr/local/lib/python2.7/dist-packages/pip-1.5.2-py2.7.egg/pip/_vendor/pkg_resources.py", line 2606, in parse
    reqs = list(parse_requirements(s))
  File "/usr/local/lib/python2.7/dist-packages/pip-1.5.2-py2.7.egg/pip/_vendor/pkg_resources.py", line 2532, in parse_requirements
    raise ValueError("Missing distribution spec", line)
ValueError: ('Missing distribution spec', '\xe2\x80\x93upgrade')

Storing debug log for failure in /tmp/tmpYIkpzp

Again, I'm really not familiar with python at all so I would be really grateful for any support. I can't find anything in the website code itself that's specifically trying to force an earlier version of TLS.

There's a settings.py that contains the eway api credentials (removed but to show where these values come from) https://gist.github.com/neilbradley/7b08d1bf6ac0cb9643343c7c1d362f2a.

There's a payment.py for the payment gateway https://gist.github.com/neilbradley/b5b7d0621065f08a2abf7703bced9ee0.

There's a forms.py that handles all forms on the site https://gist.github.com/neilbradley/e9e7c61fb39f6b8d55b2bc17822f3935 and you can see a class PaymentForm.

Thank you.

jww
doubleplusgood
  • just `pip install` (no `-upgrade`), pip automatically uninstalls the older version and installs the newer one. – dirkgroten Oct 11 '17 at 13:41
  • is the back-end directly calling the eway payment gateway, maybe using an SDK, or calling their API directly? in that case, check that code to see which python library is used to make the API calls, maybe it's not configured to use TLS1.2. – dirkgroten Oct 11 '17 at 13:45
  • you can also try following structure `pip install [package_name] --upgrade` – deimus Oct 11 '17 at 13:46
  • Thanks for the comments on the upgrade. I will give this a try. Because I'm not familiar with the entire application I was just cautious of running anything that might upgrade to a more recent version that might break something else. – doubleplusgood Oct 11 '17 at 14:23
  • @dirkgroten There doesn't appear to be anything in the website admin to control this. I have updated initial post with some gists of various .py files that may or may not be relevant. – doubleplusgood Oct 11 '17 at 14:31
  • Please check the version of OpenSSL used by Python: `python -c 'import ssl; print ssl.OPENSSL_VERSION'`. If it is less than 1.0.1 you need to upgrade OpenSSL too since only versions 1.0.1+ support TLS 1.2. – Steffen Ullrich Oct 11 '17 at 15:08
  • The main python package used by your app to talk to the eway servers is `requests`, which itself depends on `urllib3` which in turn has `pyopenssl` as a dependency. Inside your project, you should see a `requirements.txt` file or something similar which lists all the `pip` requirements for the project (this is good practice, you just run `pip install -r requirements.txt` to get all dependencies installed). Check there which `requests` version is required and update to the latest. I would update `requests` rather than `pyopenssl` directly. – dirkgroten Oct 11 '17 at 15:13
  • Also, I'd hope you have a test server where you can test this, it's indeed not a good idea to update `requests` on production without testing... – dirkgroten Oct 11 '17 at 15:14
  • @SteffenUllrich The version is OpenSSL 1.0.1e 11 Feb 2013. – doubleplusgood Oct 11 '17 at 19:49
  • @dirkgroten From the requirements.txt: requests==2.2.1, requests-oauthlib==0.4.0 – doubleplusgood Oct 11 '17 at 19:53
  • I have also now got requests==2.18.4 and urllib3==1.22 – doubleplusgood Oct 11 '17 at 20:30
  • openssl 1.0.1+ isn't supported anymore by the OpenSSL team, so you also don't get security updates. openssl 1.0.1e contains 67 security vulnerabilities including 4 with a risk of 10.0 (maximum). So I'd advise you to update to openssl 1.0.2l as soon as possible. I don't know if TLS 1.2 was supported by the 1.0.1 version, I guess it was, so maybe this won't alleviate your problem. Sorry, no other ideas at the moment, since it's still not clear which part of your code is causing the error. Are there logs you can look at to see if eway is returning an error message on API level somewhere? – dirkgroten Oct 12 '17 at 12:52
  • @dirkgroten Thank you - really appreciate your comments. I'm thinking it may be python itself that needs upgrading. It's currently on 2.7.5+ but i read somewhere that TLS1.2 wasn't introduced until Python 2.7.9 ? – doubleplusgood Oct 12 '17 at 13:32
  • ah, yes, that might very well be the case, as enforcing a particular version of SSL is only supported in python's ssl library after 2.7.9. Not sure however, since it seems everything relies on the `requests` library together with `urllib3`. In any case, it looks like your client hasn't maintained their site for a while and are now caught at a moment where everything needs to be updated... good luck! – dirkgroten Oct 12 '17 at 13:39
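
The thread asks how to confirm or disprove whether the Python stack on the server can do TLS 1.2, and the comments reduce it to two facts: the OpenSSL linked into Python must be 1.0.1 or newer, and the `ssl` module only gained `SSLContext` and `PROTOCOL_TLSv1_2` (the ability to ask for TLS 1.2 explicitly) in Python 2.7.9. The script below is an added example, not code from the question or from any of the commenters. `diagnose()` is the version logic as a pure function so it can be fed the numbers reported in the thread (Python 2.7.5, OpenSSL 1.0.1e) from any machine; `loopback_tls12_handshake()` goes one step further and performs a real TLS 1.2-only handshake between a server thread and a client on 127.0.0.1, which proves the running interpreter can negotiate it rather than just that the version numbers look right. The handshake part assumes Python 3 (it needs `SSLContext` and `minimum_version`) and assumes the `openssl` command-line tool is installed to mint a throwaway self-signed certificate; when it is not, the handshake test is skipped and returns None. The certificate is constructed on the fly and trusted only by the client context of this test.

```python
"""Added diagnostic: can this Python build's ssl stack negotiate TLS 1.2?

Assumptions (not from the original post): Python 3 for the loopback handshake,
and an `openssl` CLI on PATH to generate a throwaway localhost certificate.
"""
import os
import shutil
import socket
import ssl
import subprocess
import sys
import tempfile
import threading

TLS12_MIN_OPENSSL = (1, 0, 1)       # first OpenSSL release that implements TLS 1.2
SSLCONTEXT_MIN_PYTHON = (2, 7, 9)   # PEP 466 backport: SSLContext, PROTOCOL_TLSv1_2


def diagnose(python_version, openssl_version_info, has_protocol_tlsv1_2):
    """Pure version logic, so numbers copied from another box can be checked.

    python_version and openssl_version_info are tuples shaped like
    sys.version_info[:3] and ssl.OPENSSL_VERSION_INFO respectively.
    """
    openssl_ok = tuple(openssl_version_info[:3]) >= TLS12_MIN_OPENSSL
    can_pin = tuple(python_version[:3]) >= SSLCONTEXT_MIN_PYTHON and has_protocol_tlsv1_2
    notes = []
    if not openssl_ok:
        notes.append("OpenSSL %d.%d.%d predates TLS 1.2; upgrade the library first"
                     % tuple(openssl_version_info[:3]))
    if not can_pin:
        notes.append("ssl module cannot request TLS 1.2 explicitly (no SSLContext / "
                     "PROTOCOL_TLSv1_2 before Python 2.7.9); the negotiated version "
                     "is whatever the library's default method picks")
    return {"openssl_supports_tls12": openssl_ok,
            "ssl_module_can_pin_tls12": can_pin,
            "notes": notes}


def report_local():
    """Apply diagnose() to the interpreter that is running this script."""
    return diagnose(sys.version_info[:3], ssl.OPENSSL_VERSION_INFO,
                    hasattr(ssl, "PROTOCOL_TLSv1_2"))


def _self_signed_cert(directory):
    """Mint a one-day self-signed localhost certificate with the openssl CLI (assumed present)."""
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", key, "-out", cert, "-subj", "/CN=localhost", "-days", "1"],
                   check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert, key


def loopback_tls12_handshake():
    """Force a TLS 1.2-only handshake over 127.0.0.1 and return the version both
    sides report ('TLSv1.2').  Returns None when no certificate could be made
    because the openssl CLI is missing; raises ssl.SSLError if the runtime
    cannot negotiate TLS 1.2 at all."""
    workdir = tempfile.mkdtemp()
    try:
        try:
            cert, key = _self_signed_cert(workdir)
        except (OSError, subprocess.CalledProcessError):
            return None

        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.minimum_version = server_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        server_ctx.load_cert_chain(cert, key)

        client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        client_ctx.minimum_version = client_ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        client_ctx.load_verify_locations(cert)  # trust only the throwaway cert
        client_ctx.check_hostname = False       # loopback self-test; chain is still verified

        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        seen = {}

        def serve():
            conn, _ = listener.accept()
            try:
                with server_ctx.wrap_socket(conn, server_side=True) as tls:
                    seen["server"] = tls.version()
                    tls.sendall(b"tls12 ok")
            except ssl.SSLError as exc:
                seen["error"] = str(exc)

        worker = threading.Thread(target=serve)
        worker.start()
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with client_ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                client_version = tls.version()
                banner = tls.recv(64)
        worker.join(5)
        listener.close()
        if banner != b"tls12 ok" or seen.get("server") != client_version:
            raise RuntimeError("loopback handshake inconsistent: %r" % seen)
        return client_version
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION, report_local())
    print("loopback TLS 1.2 handshake:", loopback_tls12_handshake())
```

Running this with the interpreter that serves the site (not whichever `python` is first on PATH) is what matters, because `ssl.OPENSSL_VERSION` reports the library that particular build is linked against. A `None` from the loopback test means the check could not be performed, not that TLS 1.2 is unsupported; an `SSLError` is the interesting outcome.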

0 Answers