WHMCS WP Integration – TLS Support

Hi guys,

Today we tried to harden our SSL security and disabled SSLv3 support for our servers (which is recommended by Qualys SSL Labs, for example).

Sadly the WHMCS WP Integration Plugin doesn’t work with SSLv3 as PHP cURL is set to use SSLv3.

The error is as follows:

WHMCS Integration: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

As SSLv3 is quite “deprecated”, I would kindly ask you to (at least!) add support for TLS or completely switch to TLS when connecting to HTTPS WHMCS installations.

Just for the future's sake!

Thanks and brgds!

  • Arnold
    • El Macho WP

    The plugin uses PHP cURL so it’s doable. It’s only as of WP version 3.7 that WordPress added certificate support for the class-http.php library. Previously it was not verified because too many people panic when you start talking about certificates.

    So if you want to try it and have everything configured outside of WordPress you should do two things.

    Find the function ssl_verify() in the plugin and change the return value to true.

    Find the function cache_cookies($handle). The $handle passed in is the cURL handle so you can do any curl options you want there. The one you need to change is

    curl_setopt( $handle, CURLOPT_SSLVERSION, 3 );

    to

    curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_DEFAULT );

    if you want curl to figure it out for you: either SSLv3 or TLSv1. It won’t even try SSLv2.

    Or change it to

    curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

    to force TLS. curl doesn’t support sub-versions of TLS yet.

  • Arnold
    • El Macho WP

    One other point, since this is on the bleeding edge of versions: not all of the cURL options were defined until version 5.5, so you also need to add

    if(!defined('CURL_SSLVERSION_DEFAULT') ) define('CURL_SSLVERSION_DEFAULT', 0);
    if(!defined('CURL_SSLVERSION_TLSv1') ) define('CURL_SSLVERSION_TLSv1', 1);
    if(!defined('CURL_SSLVERSION_SSLv2') ) define('CURL_SSLVERSION_SSLv2', 2);
    if(!defined('CURL_SSLVERSION_SSLv3') ) define('CURL_SSLVERSION_SSLv3', 3);

    To make sure the constants exist.
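
The two changes described in the posts above (certificate verification on, SSL version switched away from SSLv3), combined into one stand-alone script. This is an added example, not the plugin's code and not part of any post; the function names `example_harden_curl_handle()` and `example_probe_tls()` and the URL are hypothetical placeholders.

```php
<?php
// Added example, not the plugin's code. Function names and the URL are hypothetical.

// Older PHP builds may lack these constants (values as given in the thread).
if ( ! defined( 'CURL_SSLVERSION_DEFAULT' ) ) define( 'CURL_SSLVERSION_DEFAULT', 0 );
if ( ! defined( 'CURL_SSLVERSION_TLSv1' ) )   define( 'CURL_SSLVERSION_TLSv1', 1 );

/**
 * Apply TLS and certificate-verification settings to an existing cURL handle,
 * the way the thread suggests doing inside cache_cookies( $handle ).
 */
function example_harden_curl_handle( $handle, $force_tls = true ) {
    // Force TLS, or let libcurl negotiate the protocol version itself.
    curl_setopt( $handle, CURLOPT_SSLVERSION,
        $force_tls ? CURL_SSLVERSION_TLSv1 : CURL_SSLVERSION_DEFAULT );
    // Counterpart of ssl_verify() returning true: check the certificate chain
    // and that the certificate matches the host name.
    curl_setopt( $handle, CURLOPT_SSL_VERIFYPEER, true );
    curl_setopt( $handle, CURLOPT_SSL_VERIFYHOST, 2 );
    return $handle;
}

/**
 * Make one request and return array( ok, message ) so a handshake or
 * certificate failure is reported instead of being silently ignored.
 */
function example_probe_tls( $url ) {
    $handle = example_harden_curl_handle( curl_init( $url ) );
    curl_setopt( $handle, CURLOPT_RETURNTRANSFER, true );
    curl_setopt( $handle, CURLOPT_NOBODY, true );   // headers only, no body
    curl_setopt( $handle, CURLOPT_TIMEOUT, 10 );
    // With RETURNTRANSFER set, curl_exec() returns a string on success
    // (possibly empty) and false on failure.
    $ok      = curl_exec( $handle ) !== false;
    $message = $ok
        ? 'handshake and verification succeeded'
        : sprintf( 'cURL error %d: %s', curl_errno( $handle ), curl_error( $handle ) );
    return array( $ok, $message );
}

// Placeholder URL; replace with the WHMCS installation being tested.
list( $ok, $message ) = example_probe_tls( 'https://whmcs.example.com/' );
echo ( $ok ? 'OK: ' : 'FAIL: ' ) . $message . PHP_EOL;
```

Run from the command line against a server with SSLv3 disabled, it prints the cURL error text on failure, which is where a message like the handshake failure quoted in the first post would show up.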

  • seriousmarketing
    • Flash Drive

    Hi Arnold,

    thanks for the feedback.

    Just implemented your suggested changes. Can confirm everything works great with them and TLS instead of SSLv3.

    Would love to see the changes within the next update (and maybe also other WPMU DEV Plugins that use cURL / SSL Connections) to be sure of a safe upgrade path away from SSLv3.

    Thanks and have a great day!