pycurl and SSLv3

364 views
Skip to first unread message

john

unread,
Oct 30, 2014, 10:50:45 AM10/30/14
to django...@googlegroups.com
Hi,

On the server side of my Django website I use pycurl (version 7.20.x) to
connect to authorize.net (to send credit card info). On Nov 4
Authorize.net will turn off SSLv3. So I'm wondering if my use pycurl
will continue to work. To be honest I haven't thought about it much
since the pycurl seem to take care of everything that Authorize.net
required. Now I'm questioning if pycurl will continue to work and if I
need to change anything - what do I chan.

c=pycurl.Curl()
c.setopt(c.URL, GatewayURL)
c.setopt(c.POST, TRUE)
c.setopt(c.SSL_VERIFYPEER, FALSE)


Thanks in advance,
Johnf


Erik Cederstrand

unread,
Oct 30, 2014, 11:20:57 AM10/30/14
to Django Users
This would depend on the version of libcurl on your server, and ultimately on the version of libssl.

I assume authorize.net will only accept TLS, so just force the SSL version and test if it works. Something like this should do:

c.setopt(c.SSLVERSION, c.CURL_SSLVERSION_TLSv1_2)


Erik

Tom Evans

unread,
Oct 31, 2014, 11:57:40 AM10/31/14
to django...@googlegroups.com
Why do you disable peer verification checks? Its like asking for a
MITM to come and scoop up those credit card details.

pycurl uses curl, curl can be built against OpenSSL. If your curl
library is linked against an OpenSSL library that disables all TLS and
only supports up to SSLv3, then you will have problems. That would be
quite unlikely.

Cheers

Tom
Reply all
Reply to author
Forward
0 new messages