Sandbox api curl (5) SSL connect error

Question

I've done an omnipay-paypal implementation for our website via Laravel. Recently I cannot test using any of my sandbox account. I've been getting an SSL connect error. NSS error -12286. Is anyone encountering this issue? I've checked the PayPal support and they have marked an SSL issue as resolved last Jan. 19, 2016.

Below is a cli curl call to api.sandbox.paypal.com and the corresponding error. Is anyone facing the same issue?

curl -v https://api.sandbox.paypal.com/v1/oauth2/token \
> -H "Accept: application/json" \
> -H "Accept-Language: en_US" \
> -u "xxx:xxxx" \
> -d "grant_type=client_credentials"
* About to connect() to api.sandbox.paypal.com port 443 (#0)
*   Trying 173.0.82.78... connected
* Connected to api.sandbox.paypal.com (173.0.82.78) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12286
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

Answer 1

You need to add the --tlsv1.2 switch to certain versions of curl.

Later versions (e.g. 7.35.0) will auto-negotiate TLS 1.2 automatically and correctly. Some versions (e.g. 7.19.7) will work if this switch is provided, despite man curl reporting that it was added later:

--tlsv1.2 (SSL) Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. (Added in 7.34.0)

Answer 2

PayPal updated its sandbox environment to only allow TLS 1.2 connections to improve security and prepare for future PCI compliance. You can find more information about the update on the PayPal 2016 Merchant Security Roadmap Microsite.

If you use any of the PayPal SDKs, you can look at the PayPal TLS Update repository for information on what SDKs or environment upgrades you may need. Please be aware there may be environment differences between running on the command line (say PHP CLI) vs. your application hosting environment (say the PHP module in Apache) so be sure you update all relevant environments.