Immediate action required: SSLv3 security alert causing changes in PayPal modules

Due to the POODLE security attack, PayPal will drop their support for SSL 3.0 on December 3rd 2014. In order to keep offering PayPal as payment, this blog post will show you the possible ways to adapt to the issue.


This is an urgent note to everyone using PayPal as a payment provider in their OXID eShop.

In October 2014, a vulnerability of the SSL 3.0 protocol was detected, as discussed in forums and blogs recently. This means, websites and all internet businesses relying on SSL 3.0 can no longer sufficiently protect their users‘ information from hackers.

Payment provider PayPal will drop their support for SSL 3.0 on December 3rd 2014, 12:01 a.m. PST (09:01 a.m. CET), causing all PayPal transactions based on SSL 3.0 not to work any longer from this moment on.

In order to keep offering PayPal as a payment in your OXID eShop, please update your OXID eFire Extension PayPal to version

3.2.1 when using OXID eShop 5.2.x (EE) or 4.9.x (PE/CE)
3.1.2 when using OXID eShop 5.1.x (EE) or 4.8.x (PE/CE)
3.0.3 when using OXID eShop 5.0.x (EE) or 4.7.x (PE/CE)

We will also publish a patched version of the OXID eFire Extension PayPal for OXID eShop 4.4.x to 4.6.x within the next week.

Please note:

If you refuse to proceed one of the solutions mentioned above, every payment via PayPal will fail from December 3rd onwards! This also applies for the PayPal Portlets in our cloud platform OXID eFire, which will not be altered. If you still run this method, please update to our standalone OXID eFire Extension as soon as possible. The extension can be found in OXID eXchange.

21 replies
    • Marco Steinhaeuser says:

      Am not pretty sure about your solution. Apparently, this option was set intentionally – maybe for a good reason – on PayPal recommendation. Some other projects and modules set this option, others didn’t. Requested PayPal directly, hope I can get back with some useful results.

      • OXID eSales says:

        Hi! Marco is having days off. I am sure he will get back to you upon his return. Sorry for the delay.

  1. Kemweb says:

    How can I tell if I am affected by this problem? Can you please add where I can check in backend or/and modules folder.

    • OXID eSales says:

      All versions of PayPal below the ones mentioned in the blog post are affected by the problem. You can check the version number of PayPal in your modules folder. Hope this helps!

  2. Marcus says:

    “We will also publish a patched version of the OXID eFire Extension PayPal for OXID eShop 4.4.x to 4.6.x within the next week.”

    Where is it???

  3. Heinz-Günter Weber says:

    Ein Kunde stelt gerade auf eine neuere Version der PE um, schafft das aber nicht vor dem 3.12. Er hat die 4.2.0 im Einsatz, bislang wird PayPal über seinen eFire-Account mit PayPal Portlet abgewickelt. Hier erhält er die dringende Empfehlung zur Anpassung der Verschlüsselungen. Er müsste das Standalome Modul – die OXID eFire Extension PayPal – installieren. Kann hier die für 4.4. gelieferte Variante gewählt werden oder klappt das nicht, bzw. gibt es noch eine ältere Version? Danke für eine kurzfristige Klärung dazu.

    • Marco Steinhaeuser says:

      Noch ältere Versionen als die 4.4 können vom Standalone-Modul leider nicht unterstützt werden.

  4. nils says:

    A customer has Oxid 4.7 running… Is there a version for that? Will the 4.6 version work?

    Thanks in advance!


  5. Markus Kramer says:

    WIr haben das aktuelle Modul OXID eFire Extension PayPal 3.2.1 installiert und erfolgreich gestestet. Benötigen wir jetzt das efire Portlet noch?
    Wenn nein wie kann das deaktiviert werden?



Trackbacks & Pingbacks

  1. […] OXID hat bereits alle notwendigen Änderungen vorgenommen und für neuere Shop-Versionen ein aktualisiertes PayPal Modul bereit gestellt. Es wird dringend empfohlen das Modul zu aktualisieren, um die reibungslose Zahlungsabwicklung mit PayPal zu gewährleisten. Für OXID Shopbetreiber die PayPal über Heidelpay abwickeln besteht wohl kein Handlungsbedarf. […]

  2. […] Hier findet Ihr auch noch einmal den Original Oxid Blogpost […]

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *