We’ve released hotfixes for Commerce (v1.1.3), the Authorize.net payment gateway for SimpleCart (v2.0.2), Stripe for SimpleCart (v3.0.1) and Mollie for SimpleCart (v1.3.2).
Due to old root TLS certificates being bundled in dependencies, requests made to payment gateways might fail if those sites use newer certificates. That’s currently critically affecting Authorize.net, which recently updated their servers’ security settings, but if you accept online payments with any gateway, you should update as soon as possible to prevent failed transactions.
This issue affects users of Authorize.net gateways in both Commerce and SimpleCart, where payments are currently failing with a curl error 60.
While not individually tested/confirmed, the same bundle is also used in Commerce by the following gateways: Braintree, MultiSafePay, Paymill, PayPal, and SagePay. These may also fail to connect, if not today then in the future when their certificates are renewed and can no longer be verified by the old bundle.
The Stripe gateway for SimpleCart and Mollie gateway for SimpleCart also came with their own certificates bundles. Those have also been updated.
The Manual, Mollie, and Stripe Gateways in Commerce, and the PayPal gateway for SimpleCart are not affected, and use either the system bundle or another bundle that’s already up-to-date.
Technical details
The mentioned payment gateways are built using Omnipay v2, a useful library that abstracts interaction between a system like Commerce and payment providers. This version is rather old, but unfortunately we can’t just flip a switch to upgrade that to v3; each individual gateway implementation needs to be updated. We started that for Stripe and Mollie in Commerce v1.1.
The problem we identified, after a support question related to Authorize.net that came in yesterday, is that Omnipay v2 ships with an old v3 version of guzzle/guzzle that does the actual HTTP requests back and forth with the payment providers. This v3 version of guzzle ships with its own certificates file (cacert.pem) that is always used, rather than the system bundle.
The problem appeared as Authorize.net updated its servers to use a new certificate (plus stricter SSL protocols), and that these certificates could not be verified against the cacert.pem used by guzzle/guzzle. The request throws an error as a result, and receiving payment doesn’t work as expected. Upon further inspection this turned out to be a problem for most gateway implementations we have available.
To resolve that, the most recent bundle is now automatically downloaded during upgrade, overwriting the one in place. We’ve also manually updated the bundles to the latest (Jan 2020) where possible, in case the download doesn’t work.