8

Because of the recent vulnerability discovered in SSLv3, many web service providers (ie. PayPal, Facebook, Google) are disabling that and wanting us to use TLS instead. I'm having a little bit of trouble figuring out how to do this.

I'm currently using the following function to handle my cURL requests.

function CURLRequest($Request = "", $APIName = "", $APIOperation = "", $PrintHeaders = false)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_VERBOSE, 1);
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($curl, CURLOPT_TIMEOUT, 30);
    curl_setopt($curl, CURLOPT_URL, $this->EndPointURL);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $Request);

    if($this->APIMode == 'Certificate')
    {
        curl_setopt($curl, CURLOPT_SSLCERT, $this->PathToCertKeyPEM);
    }

    $Response = curl_exec($curl);

    /*
     * If a cURL error occurs, output it for review.
     */
    if($this->Sandbox)
    {
        if(curl_error($curl))
        {
            echo curl_error($curl).'<br /><br />';  
        }
    }

    curl_close($curl);
    return $Response;   
}

When I try hitting PayPal's sandbox, though, where they've already disabled this, I end up with a cURL error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The info that I've found is that I just need to change this to use TLS instead of SSL, and the other answers I've seen say to simply do that by adding a curl option to my function...

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

I've added that option, though, and I still get the exact same result. Any information on how I can get this working would be greatly appreciated. Thanks!

Drew Angell
  • Are you on an old version of Curl? Looking at [this answer](http://stackoverflow.com/questions/26452755/php-curl-is-probably-using-sslv3-insted-of-tls-when-connecting-to-https) it seems at least 7.19 has issues with TLS. – cOle2 Nov 05 '14 at 18:21
  • Yeah, I just saw that, too. Trying to figure out how to see my curl version now. I've never had to mess with any of this before. – Drew Angell Nov 05 '14 at 18:29
  • Looks like I'm on 7.36.0, so that shouldn't be my problem. – Drew Angell Nov 05 '14 at 18:31
  • might be a duplicate: http://stackoverflow.com/questions/26759383/ssl-error-can-not-change-to-tls even though this one is better formulated. – philippe lhardy Nov 05 '14 at 18:51
  • Indeed! That seems to have done the trick. – Drew Angell Nov 05 '14 at 19:01

4 Answers

5

Copied from: SSL error can not change to TLS

Try adding curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'TLSv1'); to your code.

This will work if your cURL is OpenSSL libssl based but not if it is NSS based.

philippe lhardy
4

A better solution until PayPal updates its core SDK would be to override the CURLOPT_SSL_CIPHER_LIST directly in your application. This way you don't have to interfere with the sdk-core-php package directly and you will be free to upgrade it in future.

You could add something like the following to your app's bootstrap or payment processing logic:

PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSL_CIPHER_LIST] = 'TLSv1';

Just make sure you comment it thoroughly and remember to take it out later when the issue has been patched in the core.

  • Can you please go into detail where (path/file or settings) I have to add this line. Thanks! – Raffael Nov 26 '14 at 12:35
  • Hey Raffael, you could add it anywhere you are certain will get called on every pageload. This depends on your framework but usually it will have some kind of "bootstrap"/configuration file where you can add this kind of thing. – Sebastian Sibelle Aug 19 '15 at 04:35
0

I just resolved this by updating the nss library via terminal.

Luca Murante
0

If the above does not help, check the OpenSSL version. It's likely because of OpenSSL version <= 0.9.8. Updating to PHP7 helps, which comes with a higher version of OpenSSL.

burgur
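
The answers above depend on which TLS library PHP's cURL was built against and on its version. The following is an added example, not code from any of the posts: it reads that information from curl_version() and maps it onto the fixes proposed in this thread, then builds a TLS option set that keeps certificate verification on. The function names are hypothetical, the sample version strings are constructed, and it assumes PHP 7 or later with the curl extension loaded.

```php
<?php
// Added example (not code from the thread). Function names are hypothetical.

// Split curl_version()['ssl_version'], e.g. "OpenSSL/1.0.1f", into name and version.
function tlsBackend(string $sslVersion): array
{
    if (!preg_match('~([A-Za-z]+)/(\d+(?:\.\d+)*)~', $sslVersion, $m)) {
        return ['name' => 'unknown', 'version' => ''];
    }
    return ['name' => $m[1], 'version' => $m[2]];
}

// Map the backend onto the fixes proposed in the answers.
function adviceFor(array $b): string
{
    if ($b['name'] === 'NSS') {
        return "NSS build: the 'TLSv1' cipher list does not apply; one answer fixed this by updating nss.";
    }
    if ($b['name'] !== 'OpenSSL') {
        return 'Backend not covered by the answers in this thread.';
    }
    return version_compare($b['version'], '0.9.8', '<=')
        ? 'OpenSSL <= 0.9.8: upgrade OpenSSL.'
        : "OpenSSL build: the CURLOPT_SSL_CIPHER_LIST 'TLSv1' workaround applies.";
}

// Options for a TLS request that keeps certificate checks on.
function tlsCurlOptions(array $b): array
{
    $opts = [
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1, // TLS 1.x, never SSLv3
        CURLOPT_SSL_VERIFYPEER => true,  // the question's code sets this to FALSE
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
    ];
    if ($b['name'] === 'OpenSSL') {
        $opts[CURLOPT_SSL_CIPHER_LIST] = 'TLSv1'; // workaround from the answers
    }
    return $opts;
}

// Constructed sample strings, followed by this machine's own build.
$local   = curl_version();
$samples = ['OpenSSL/0.9.8e', 'OpenSSL/1.0.1f', 'NSS/3.16.2 Basic ECC', $local['ssl_version']];
foreach ($samples as $s) {
    echo $s, ' => ', adviceFor(tlsBackend($s)), PHP_EOL;
}
echo 'libcurl ', $local['version'], PHP_EOL;
```

Apply the options with curl_setopt_array($curl, tlsCurlOptions($backend)) before curl_exec().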