Symptoms
The renewal order for the domain registered with OpenSRS failed, it is not possible to register new domains with OpenSRS, further checks show that the test connection also fails with an error:
Test connection failed:
Check credentials
OPENSRS.log shows empty responses from the registrar, e.g. when checking connection:
[14-11-12 15:32:35.338 Worker1.4 RQ177510 TRC] +++[1] const OpenSRSResponse OpenSRS::callLookupDomain(const Str&)(Domain: test.com)
14-11-12 15:32:35.338 Worker1.4 RQ177510 NTE] Connected to: https://horizon.opensrs.net:55443
[14-11-12 15:32:35.338 Worker1.4 RQ177510 NTE] Request:
<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<!DOCTYPE OPS_envelope SYSTEM 'ops.dtd'>
<OPS_envelope>
<header>
<version>0.9</version>
</header>
<body>
<data_block>
<dt_assoc>
<item key='protocol'>XCP</item>
<item key='action'>LOOKUP</item>
<item key='object'>DOMAIN</item>
<item key='attributes'>
<dt_assoc>
<item key='domain'>test.com</item>
</dt_assoc>
</item>
</dt_assoc>
</data_block>
</body>
</OPS_envelope>
[14-11-12 15:32:35.699 Worker1.4 RQ177510 NTE] Response:
[14-11-12 15:32:35.699 Worker1.4 RQ177510 TRC] ---[1] const OpenSRSResponse OpenSRS::callLookupDomain(const Str&)
Cause
OpenSRS has disabled SSLv3 connections. You may have received a letter below from OpenSRS:
We are cutting off SSLv3 connections
A vulnerability in the design of SSLv3 was uncovered earlier this week. This vulnerability means that attackers could exploit this weakness and try to decrypt encrypted connections. SSLv3 is 18 years old and the technology behind it is obsolete and insecure.
Having security in mind, we have limited SSLv3 connections within the OpenSRS APIs (domains and email). The vast majority of our resellers already use TLS and if you are still using SSLv3, our recommendation is that you upgrade to TLS as soon as possible to avoid any type of service disruption.
If you need to test your TLS connection, you can use our test environment as it no longer accepts SSLv3 connections.
You won't be affected if:
• You are using the TLS protocol or if your connection is TLS enabled;
• You currently use Storefront or process orders through the new control panel or the RWI.
OpenSRS only uses TLS to connect to other systems so this vulnerability has not affected us.
If you have any questions or concerns, do not hesitate to contact support at help@opensrs.com. You can also read the official security advisory on the openssl.org website.
The OpenSRS team
No response to the PBA requests means plugin uses SSLv3 connections.
Resolution
The issue has been submitted as a bug with id #PBA-59530 ("TLS should be used in order to connect to OpenSRS"), which is fixed in PBA 5.5.8.
For PBA 5.5.7 install the hotfix from kb #123187.
For PBA 6.0 install the hotfix from kb #123320.