Looks like PayPal might have updated its systems in light of the POODLE attack, causing sites using the PHP PayPal SDK to break.

I get the error:

PayPal/Exception/PPConnectionException: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPHttpConnection.php:91
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPAPIService.php:66
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPBaseService.php:82
/var/www/site/vendor/paypal/adaptivepayments-sdk-php/lib/PayPal/Service/AdaptivePaymentsService.php:97

What would you recommend to fix this, without compromising security?

Arc
  • I got the same error on my site for a short period of time. But then stopped receiving IPNs from PayPal altogether. Are you receiving IPNs? The only thing we changed at our end was disable SSL v3. – Jaffer Oct 15 '14 at 09:27
  • We are still receiving IPNs. Maybe you disabled something PayPal expects to establish a (secure?) connection. I don't know which settings PayPal's IPN service supports, but you could contact their support for details. Feel free to share here if you learn something interesting. – Arc Oct 15 '14 at 09:44
  • We're behind an AWS Elastic Load Balancer. We'd disabled SSL3. Enabling it back again didn't seem to help. Do you have a similar setup? Did you disable SSL3? Just trying to determine if disabling SSL3 could be the issue. – Jaffer Oct 15 '14 at 11:35
  • 1
    Related link on PayPal's SDK Github page. They merged your change into the official SDK: https://github.com/paypal/rest-api-sdk-php/pull/127 – Jaffer Oct 15 '14 at 12:00

3 Answers

UPDATE: As Jaffer noted, PayPal's GitHub repository has already merged the changes below, so you might just update your SDK.

At least this seems to work for now, though I will have to investigate what protocol it will actually use.

\PayPal\Core\PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSLVERSION] = 1;
// 0 = default protocol (likely TLSv1), 1 = TLSv1; unsafe: 2 = SSLv2, 3 = SSLv3

For other people using cURL directly, just use

curl_setopt($handle, CURLOPT_SSLVERSION, 1);

UPDATE:
Just looked up the source to cURL, these are the values (// comments mine):

enum {
    CURL_SSLVERSION_DEFAULT, // 0
    CURL_SSLVERSION_TLSv1,   // 1
    CURL_SSLVERSION_SSLv2,   // 2
    CURL_SSLVERSION_SSLv3,   // 3

    CURL_SSLVERSION_LAST /* never use, keep last */  // 4
};

So to summarize, yes, 1 is TLSv1 and judging from the comment, is probably better than 4.
Updated code above.

Arc
  • or \PayPal\Core\PPHttpConfig::$defaultCurlOptions[CURLOPT_SSLVERSION] = 4; in 0.13 version of rest-api – Daniele Cruciani Oct 15 '14 at 09:47
  • Yeah, thanks. Whatever SSL 4 is but for the time being this solved my problem too. – spezifanta Oct 15 '14 at 10:19
  • My guess is TLSv1, but haven't looked at the source. – Arc Oct 15 '14 at 10:22
  • thank you for the suggestion; my sample application (the one that comes bundled with the php sdk was not working and was giving me an SSL connection error) ... while the live was working!! just switched to version 4 and now it works! – Scalax Oct 15 '14 at 11:03
  • What were Paypal thinking... live sites down everywhere. Worked for me - thank you. – depicus Oct 15 '14 at 12:44
  • https://github.com/paypal/rest-api-sdk-php/releases/tag/v0.13.1 fixed upstream. 1 is for TLSv1, I do not know too, I think 4 is fall on 1, thus TLSv1, not sure – Daniele Cruciani Oct 15 '14 at 17:29
  • PP ipn suddenly stopped from here too. Trying the curl 4 solution. – digiogi Oct 15 '14 at 18:18
  • By updating the SSLVERSION to 1, it points to TLSv1. If you are still facing the error, can you please try and add CURLOPT_SSL_CIPHER_LIST => 'TLSv1' Can anyone verify, it that solves the issue. The approach to use constant 4, is not compatible with older versions of curl libraries. – Jay Patel - PayPal Nov 07 '14 at 19:51
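An added example (not code from the question, the answers, or PayPal's SDK) that does what the answer above leaves open: it picks the strongest CURLOPT_SSLVERSION value the running PHP/cURL build defines by name instead of hard-coding 1 or 4, rejects the SSLv2/SSLv3 values that servers stopped accepting after POODLE, and reports the protocol a host actually negotiated. It assumes PHP >= 7.1; the function names are mine, and the host on the command line is whatever you want to check.

```php
<?php
// Added example, not from the page or the PayPal SDK. Assumes PHP >= 7.1.

/**
 * Returns [CURLOPT_SSLVERSION value, label]. Prefers CURL_SSLVERSION_TLSv1_2
 * (defined with PHP >= 5.5 and cURL >= 7.34; a minimum version with modern
 * libcurl) and falls back to CURL_SSLVERSION_TLSv1 (value 1, as in the
 * answer). SSLv2/SSLv3 are never returned.
 */
function pick_curl_ssl_version(): array
{
    if (defined('CURL_SSLVERSION_TLSv1_2')) {
        return [CURL_SSLVERSION_TLSv1_2, 'TLSv1.2'];
    }
    return [CURL_SSLVERSION_TLSv1, 'TLSv1.x'];
}

/** True for the SSLv2/SSLv3 values (2 and 3) that cause the SSL3_GET_RECORD error. */
function is_unsafe_curl_ssl_version(int $value): bool
{
    return in_array($value, [CURL_SSLVERSION_SSLv2, CURL_SSLVERSION_SSLv3], true);
}

/**
 * Opens a TLS connection with PHP's ssl:// stream wrapper and returns the
 * negotiated protocol name (e.g. "TLSv1.2") from the stream's crypto
 * metadata (populated automatically since PHP 7.0), or null on failure.
 */
function negotiated_tls_protocol(string $host, int $port = 443): ?string
{
    $ctx = stream_context_create(['ssl' => ['verify_peer' => true, 'SNI_enabled' => true]]);
    $fp = @stream_socket_client("ssl://$host:$port", $errno, $errstr, 10, STREAM_CLIENT_CONNECT, $ctx);
    if ($fp === false) {
        return null;
    }
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    return $meta['crypto']['protocol'] ?? null;
}

// Build the option the same way the SDK's default cURL options are set
// ($DEFAULT_CURL_OPTS in older versions, $defaultCurlOptions in 0.13).
[$version, $label] = pick_curl_ssl_version();
$opts = [CURLOPT_SSLVERSION => $version];
if (is_unsafe_curl_ssl_version($opts[CURLOPT_SSLVERSION])) {
    throw new RuntimeException('refusing to force SSLv2/SSLv3');
}
echo "CURLOPT_SSLVERSION={$version} ({$label})\n";
if ($argc > 1) { // optional live check: php this.php api.paypal.com
    echo 'negotiated: ', negotiated_tls_protocol($argv[1]) ?? 'connection failed', "\n";
}
```

The live check uses PHP's stream wrapper rather than cURL, so it confirms what the server will negotiate, not the exact version your cURL handle will pick; if it reports TLSv1.2 or higher, forcing TLS on the cURL side is the right fix rather than re-enabling SSLv3.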
PayPal have officially released an update to the PHP SDK to address this issue, which was posted in the GitHub PR Jaffer linked to:

https://github.com/paypal/rest-api-sdk-php/releases/tag/v0.13.1

For people who are using https://github.com/Quixotix/PHP-PayPal-IPN, just set force_ssl_v3 to false:

$listener = new IpnListener();
$listener->force_ssl_v3 = false;
datasn.io