PayPal IPN Handshake issues

Question

Using 1and1 web hosting

The error message

Can't connect to PayPal to validate IPN message: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

test form

<form action="http://dev.myurlishere.com/ipn.php" method="POST">
  <input name="mc_gross" type="hidden" value="500.00" />
  <input name="custom" type="hidden" value="some custom data" />
  <input name="address_status" type="hidden" value="confirmed" />
  <input name="item_number1" type="hidden" value="6" />
  <input name="item_number2" type="hidden" value="4" />
  <input name="payer_id" type="hidden" value="FW5W7ZUC3T4KL" />
  <input name="tax" type="hidden" value="0.00" />
  <input name="address_street" type="hidden" value="1234 Rock Road" />
  <input name="payment_date" type="hidden" value="14:55 15 Jan 07 2005 PST" />
  <input name="payment_status" type="hidden" value="Completed" />
  <input name="address_zip" type="hidden" value="12345" />
  <input name="mc_shipping" type="hidden" value="0.00" />
  <input name="mc_handling" type="hidden" value="0.00" />
  <input name="first_name" type="hidden" value="Jason" />
  <input name="last_name" type="hidden" value="Anderson" />
  <input name="mc_fee" type="hidden" value="0.02" />
  <input name="address_name" type="hidden" value="Jason Anderson" />
  <input name="notify_version" type="hidden" value="1.6" />
  <input name="payer_status" type="hidden" value="verified" />
  <input name="business" type="hidden" value="paypal@emailaddress.com" />
  <input name="address_country" type="hidden" value="United States" />
  <input name="num_cart_items" type="hidden" value="2" />
  <input name="mc_handling1" type="hidden" value="0.00" />
  <input name="mc_handling2" type="hidden" value="0.00" />
  <input name="address_city" type="hidden" value="Los Angeles" />
  <input name="verify_sign" type="hidden" value="AlUbUcinRR5pIo2KwP4xjo9OxxHMAi6.s6AES.4Z6C65yv1Ob2eNqrHm" />
  <input name="mc_shipping1" type="hidden" value="0.00" />
  <input name="mc_shipping2" type="hidden" value="0.00" />
  <input name="tax1" type="hidden" value="0.00" />
  <input name="tax2" type="hidden" value="0.00" />
  <input name="txn_id" type="hidden" value="TESTER" />
  <input name="payment_type" type="hidden" value="instant" />
  <input name="last_name=Borduin" type="hidden" />
  <input name="payer_email" type="hidden" value="test@domain.com" />
  <input name="item_name1" type="hidden" value="Rubber+clog" />
  <input name="address_state" type="hidden" value="CA" />
  <input name="payment_fee" type="hidden" value="0.02" />
  <input name="item_name2" type="hidden" value="Roman sandal" />
  <input name="invoice" type="hidden" value="123456" />
  <input name="quantity" type="hidden" value="1" />
  <input name="quantity1" type="hidden" value="1" />
  <input name="receiver_id" type="hidden" value="5HRS8SCK9NSJ2" />
  <input name="quantity2" type="hidden" value="1" />
  <input name="txn_type" type="hidden" value="web_accept" />
  <input name="mc_gross_1" type="hidden" value="0.01" />
  <input name="mc_currency" type="hidden" value="USD" />
  <input name="mc_gross_2" type="hidden" value="0.01" />
  <input name="payment_gross" type="hidden" value="0.02" />
  <input name="subscr_id" type="hidden" value="PP-1234" />
  <input name="test" type="submit" value="test" />
</form>

ipn.php

<?php
// CONFIG: Enable debug mode. This means we'll log requests into 'ipn.log' in the same directory.
// Especially useful if you encounter network errors or other intermittent problems with IPN (validation).
// Set this to 0 once you go live or don't require logging.
define("DEBUG", 1);
// Set to 0 once you're ready to go live
define("USE_SANDBOX", 1);
define("LOG_FILE", "./ipn.log");
// Read POST data
// reading posted data directly from $_POST causes serialization
// issues with array data in POST. Reading raw POST data from input stream instead.
$raw_post_data = file_get_contents('php://input');
$raw_post_array = explode('&', $raw_post_data);
$myPost = array();
foreach ($raw_post_array as $keyval) {
    $keyval = explode ('=', $keyval);
    if (count($keyval) == 2)
        $myPost[$keyval[0]] = urldecode($keyval[1]);
}
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
if(function_exists('get_magic_quotes_gpc')) {
    $get_magic_quotes_exists = true;
}
foreach ($myPost as $key => $value) {
    if($get_magic_quotes_exists == true && get_magic_quotes_gpc() == 1) {
        $value = urlencode(stripslashes($value));
    } else {
        $value = urlencode($value);
    }
    $req .= "&$key=$value";
}
// Post IPN data back to PayPal to validate the IPN data is genuine
// Without this step anyone can fake IPN data
if(USE_SANDBOX == true) {
    $paypal_url = "https://www.sandbox.paypal.com/cgi-bin/webscr";
} else {
    $paypal_url = "https://www.paypal.com/cgi-bin/webscr";
}
$ch = curl_init($paypal_url);
if ($ch == FALSE) {
    return FALSE;
}
curl_setopt($ch, CURLOPT_SSLVERSION, 4);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
if(DEBUG == true) {
    curl_setopt($ch, CURLOPT_HEADER, 1);
    curl_setopt($ch, CURLINFO_HEADER_OUT, 1);
}
// CONFIG: Optional proxy configuration
//curl_setopt($ch, CURLOPT_PROXY, $proxy);
//curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
// Set TCP timeout to 30 seconds
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));
// CONFIG: Please download 'cacert.pem' from "http://curl.haxx.se/docs/caextract.html" and set the directory path
// of the certificate as shown below. Ensure the file is readable by the webserver.
// This is mandatory for some environments.
//$cert = __DIR__ . "./cacert.pem";
//curl_setopt($ch, CURLOPT_CAINFO, $cert);
$res = curl_exec($ch);
if (curl_errno($ch) != 0) // cURL error
    {
    if(DEBUG == true) { 
        error_log(date('[Y-m-d H:i e] '). "Can't connect to PayPal to validate IPN message: " . curl_error($ch) . PHP_EOL, 3, LOG_FILE);
    }
    curl_close($ch);
    exit;
} else {
        // Log the entire HTTP response if debug is switched on.
        if(DEBUG == true) {
            error_log(date('[Y-m-d H:i e] '). "HTTP request of validation request:". curl_getinfo($ch, CURLINFO_HEADER_OUT) ." for IPN payload: $req" . PHP_EOL, 3, LOG_FILE);
            error_log(date('[Y-m-d H:i e] '). "HTTP response of validation request: $res" . PHP_EOL, 3, LOG_FILE);
        }
        curl_close($ch);
}
// Inspect IPN validation result and act accordingly
// Split response headers and payload, a better way for strcmp
$tokens = explode("\r\n\r\n", trim($res));
$res = trim(end($tokens));
if (strcmp ($res, "VERIFIED") == 0) {
    // check whether the payment_status is Completed
    // check that txn_id has not been previously processed
    // check that receiver_email is your PayPal email
    // check that payment_amount/payment_currency are correct
    // process payment and mark item as paid.
    // assign posted variables to local variables
    //$item_name = $_POST['item_name'];
    //$item_number = $_POST['item_number'];
    //$payment_status = $_POST['payment_status'];
    //$payment_amount = $_POST['mc_gross'];
    //$payment_currency = $_POST['mc_currency'];
    //$txn_id = $_POST['txn_id'];
    //$receiver_email = $_POST['receiver_email'];
    //$payer_email = $_POST['payer_email'];

    if(DEBUG == true) {
        error_log(date('[Y-m-d H:i e] '). "Verified IPN: $req ". PHP_EOL, 3, LOG_FILE);
    }
} else if (strcmp ($res, "INVALID") == 0) {
    // log for manual investigation
    // Add business logic here which deals with invalid IPN messages
    if(DEBUG == true) {
        error_log(date('[Y-m-d H:i e] '). "Invalid IPN: $req" . PHP_EOL, 3, LOG_FILE);
    }
}
?>

Answer 1

I believe that the reason you get this error is because you are using SSL v3, which has severe security issues and therefore is not supported by any serious website anymore. (more information here: http://disablessl3.com/)

in your above code, you specify

curl_setopt($ch, CURLOPT_SSLVERSION, 4);

however, in the error message, it says

 sslv3 alert handshake failure

so obviousely ssl v3 was used by PHP. instead try

curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, "TLSv1") 

as indicated here: SSL error can not change to TLS

hope that helps you