As of Tuesday October 21, 2014 (12pm), support for SSLv3 encryption was shut off for OpenSRS APIs. An email was sent out on October 16, 2014 regarding this change. (that email can be found below)
A vulnerability in the design of SSLv3 was uncovered earlier this week. This vulnerability means that attackers could exploit this weakness and try to decrypt encrypted connections. SSLv3 is 18 years old and the technology behind it is obsolete and insecure.
Having security in mind, we have limited SSLv3 connections within the OpenSRS APIs (domains and email). The vast majority of our resellers already use TLS and if you are still using SSLv3, our recommendation is that you upgrade to TLS as soon as possible to avoid any type of service disruption.
If you need to test your TLS connection, you can use our test environment as it no longer accepts SSLv3 connections.
You won’t be affected if:
- You are using the TLS protocol or if your connection is TLS enabled;
- You currently use Storefront or process orders through the new control panel or the RWI.
OpenSRS only uses TLS to connect to other systems so this vulnerability has not affected us.
If you have any questions or concerns, do not hesitate to contact support at firstname.lastname@example.org. You can also read the official security advisory on the openssl.org website.
The OpenSRS team
Attached is additional information on the POODLE exploit.
Q: What changes will I need to make to convert the PHP toolkit to communicate via TLS versus SSL? Do you have any how-to information on that?
A: We do not have any specific guides, as system setups vary. PHP toolkit should be fine, and it's most likely a software library on a reseller’s server that will prevent the toolkit from working. (This applies to any custom work or WHMCS plugins).
The reseller's server libraries need to support TLS, and they most likely do if they're running a newer version of the OS, or if they've updated their curl libraries. Users running really old versions may have some issues connecting.
Q: We communicate with OpenSRS using the API in WHMCS. Can you advise
if this is already utilizing TLS, or if a new API module will be released that does?
A: WHMCS is fine unless their operating system is running old libraries. The best way to check is to turn on test mode for the plugin and try to buy a domain.
Q: If we can connect to the test environment, do we need to make any additional changes?
A: No changes will need to be made. Connecting without errors means the setup either uses TLS only, or utilizes both SSL and TLS methods of encryption, and will default to TLS if SSL is unavailable.