CODEWITHSUNDEEP
phpcurlhandshakesslv3
Ephenodrom
Ephenodrom

Reputation: 1893

Php curl set ssl version

Since 3 days I can't connect to the paypal sandbox. I found out that they maybe dissabled the support for SSLv3. So i tried to change the SSL Version in my curl Request by setting :

curl_setopt($curl, CURLOPT_SSLVERSION,1); # 1 = TLSv1

But it still give me the same error :

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Any idea why the script is still using SSLv3 ?

I am using php 5.5 and the following curl version ( currently asking at my hoster [ managed hosting at 1&1 ] to upgrade to a newer version)

curl 7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6 Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz

Upvotes: 7

Views: 28754

Answers (3)

Sree
Sree

Reputation: 379

Perfect, I wanted LibCurl to use OpenSSL instead of NSS, this has helped me fix it to tweak the php libcurl to use OpenSSL.

My Centos7 PHP 5.6 was using

php -r "print_r(curl_version());" | grep ssl_version
[ssl_version_number] => 0
[ssl_version] => NSS/3.19.1 Basic ECC

and after the above fix, it shows, this is what I wanted.

php -r "print_r(curl_version());" | grep ssl_version
[ssl_version_number] => 0
[ssl_version] => OpenSSL/1.0.1f

Here is the revised script that I have used on Centos7 with PHP 5.6.17

#!/bin/bash
PHP_VERSION=$(rpm -qa --queryformat '%{version}' php56)
CURL_VERSION=$(curl -V|head -1|awk '{print $2}')
wget --no-check-certificate http://mirror.cogentco.com/pub/php/php-5.6.17.tar.bz2 -O /tmp/php-${PHP_VERSION}.tar.bz2
wget --no-check-certificate http://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz -O /tmp/curl-${CURL_VERSION}.tar.gz

cd /tmp; tar xjf php-${PHP_VERSION}.tar.bz2
cd /tmp; tar xzf curl-${CURL_VERSION}.tar.gz

cd curl-${CURL_VERSION}
./configure
make
make install

cd /tmp; rm -rf curl-${CURL_VERSION}*

sleep 2

cd /tmp/php-${PHP_VERSION}/ext/curl/
phpize
./configure
make
make install

cd /tmp; rm -rf php-${PHP_VERSION}*

Upvotes: 1

Alex Shulak
Alex Shulak

Reputation: 66

Had same issue.

    <?php
error_reporting(E_ALL);
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_VERBOSE, 1);
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_URL, 'https://api-3t.sandbox.paypal.com/nvp');

$response =    curl_exec($curl);
var_dump($response);
exit;

response:

bool(false)

and no error logs!

So I've made small script:

<?php
error_reporting(E_ALL);
var_dump(file_get_contents('https://api-3t.sandbox.paypal.com/nvp'));

and here what I've got in logs:

[12-Feb-2016 15:56:19] PHP Warning:  file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure in /xxx/yyy.php on line 3
[12-Feb-2016 15:56:19] PHP Warning:  file_get_contents(): Failed to enable crypto in /xxx/yyy.php on line 3
[12-Feb-2016 15:56:19] PHP Warning:  file_get_contents(https://api-3t.sandbox.paypal.com/nvp): failed to open stream: operation failed in /xxx/yyy.php on line 3

My solution was:

  1. Update (1.0+) version of OpenSSL.
  2. Recompile Curl
  3. Recompile PHP with new CURL
  4. Make sure Curl SSL Version is OpenSSL/(1.0+)

SSL Version OpenSSL/1.0.1e – Good

SSL Version NSS/3.13.6.0 – Bad

I am running on CentOS. Here what I did to update:

  1. Update OpenSSL:

    openssl version

if below 1.0 run: yum update openssl make sure it is actually updated

  1. Reinstall PHP. So save php.ini file

  2. Keep a list of all PHP modules installed via:

    yum list installed | grep php

save output!

  1. yum erase php
  2. yum erase php-curl
  3. yum install php

  4. yum install php-curl

  5. restart apache or fpm and if you are lucky you'll get things working

  6. restore php.ini configs and PHP modules: yum install php-pgsql; yum install php-gd; etc

However if your package repositories outdated or you have curl library installed with NSS SSL bindings you can download and compile curl library manually. I've used phpize tool bundled with the php-devel package. So my problem I've had: 

cURL Information    7.19.7 
SSL Version     NSS/3.13.6.0

and here is how I've changed it to:

cURL Information    7.22.0 
SSL Version     OpenSSL/1.0.1e

  1. Update OpenSSL:

    openssl version

if below 1.0 run: yum update openssl make sure it is actually updated

  1. Reinstall PHP. So save php.ini file

  2. Keep a list of all PHP modules installed via:

    yum list installed | grep php

save output!

  1. yum erase php
  2. yum erase php-curl
  3. yum install php-devel
  4. print PHP version with rpm -qa --queryformat '%{version}' php and find where you can download exact same PHP sources
  5. Following bash script will install specific curl library:

<pre>
#!/bin/bash

PHP_VERSION=$(rpm -qa --queryformat '%{version}' php)

CURL_VERSION=7.22.0

#echo $CURL_VERSION
#exit

#wget --no-check-certificate http://mirror.cogentco.com/pub/php/php-${PHP_VERSION}.tar.gz -O /tmp/php-${PHP_VERSION}.tar.gz
wget --no-check-certificate http://museum.php.net/php5/php-${PHP_VERSION}.tar.gz -O /tmp/php-${PHP_VERSION}.tar.gz
wget --no-check-certificate http://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz -O /tmp/curl-${CURL_VERSION}.tar.gz

cd /tmp; tar xzf php-${PHP_VERSION}.tar.gz
cd /tmp; tar xzf curl-${CURL_VERSION}.tar.gz

cd curl-${CURL_VERSION}
./configure
make
make install

cd /tmp; rm -rf curl-${CURL_VERSION}*

sleep 2

cd /tmp/php-${PHP_VERSION}/ext/curl/
phpize
./configure
make
make install

cd /tmp; rm -rf php-${PHP_VERSION}*

</pre>

  1. restart apache or fpm and if you are lucky you'll get things working
  2. restore php.ini configs and PHP modules: yum install php-pgsql; yum install php-gd; etc

Upvotes: 4

drew010
drew010

Reputation: 69937

The problem is that PayPal dropped support for SSLv3, TLS 1.0, and TLS 1.1 and now only support TLS 1.2 but the OpenSSL version cURL is built with (0.9.8o) does not support TLS.

At this point all you can do is hope the host can update OpenSSL, cURL, and PHP to a newer (1.0+) version of OpenSSL.

As it stands now, your cURL client doesn't speak TLS which is required by PayPal and there are no ways around it other than updating OpenSSL.

Upvotes: 6

Related Questions