问题
Since 3 days I can't connect to the paypal sandbox. I found out that they maybe dissabled the support for SSLv3. So i tried to change the SSL Version in my curl Request by setting :
curl_setopt($curl, CURLOPT_SSLVERSION,1); # 1 = TLSv1
But it still give me the same error :
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Any idea why the script is still using SSLv3 ?
I am using php 5.5 and the following curl version ( currently asking at my hoster [ managed hosting at 1&1 ] to upgrade to a newer version)
curl 7.21.0 (i486-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4 libidn/1.15 libssh2/1.2.6 Protocols: dict file ftp ftps http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp Features: GSS-Negotiate IDN IPv6 Largefile NTLM SSL libz
回答1:
The problem is that PayPal dropped support for SSLv3, TLS 1.0, and TLS 1.1 and now only support TLS 1.2 but the OpenSSL version cURL is built with (0.9.8o) does not support TLS.
At this point all you can do is hope the host can update OpenSSL, cURL, and PHP to a newer (1.0+) version of OpenSSL.
As it stands now, your cURL client doesn't speak TLS which is required by PayPal and there are no ways around it other than updating OpenSSL.
回答2:
Had same issue.
<?php
error_reporting(E_ALL);
$curl = curl_init();
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_VERBOSE, 1);
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_URL, 'https://api-3t.sandbox.paypal.com/nvp');
$response = curl_exec($curl);
var_dump($response);
exit;
response:
bool(false)
and no error logs!
So I've made small script:
<?php
error_reporting(E_ALL);
var_dump(file_get_contents('https://api-3t.sandbox.paypal.com/nvp'));
and here what I've got in logs:
[12-Feb-2016 15:56:19] PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure in /xxx/yyy.php on line 3
[12-Feb-2016 15:56:19] PHP Warning: file_get_contents(): Failed to enable crypto in /xxx/yyy.php on line 3
[12-Feb-2016 15:56:19] PHP Warning: file_get_contents(https://api-3t.sandbox.paypal.com/nvp): failed to open stream: operation failed in /xxx/yyy.php on line 3
My solution was:
- Update (1.0+) version of OpenSSL.
- Recompile Curl
- Recompile PHP with new CURL
- Make sure Curl SSL Version is OpenSSL/(1.0+)
SSL Version OpenSSL/1.0.1e – Good
SSL Version NSS/3.13.6.0 – Bad
I am running on CentOS. Here what I did to update:
Update OpenSSL:
openssl version
if below 1.0 run: yum update openssl make sure it is actually updated
- Reinstall PHP. So save php.ini file
Keep a list of all PHP modules installed via:
yum list installed | grep php
save output!
- yum erase php
- yum erase php-curl
- yum install php
yum install php-curl
restart apache or fpm and if you are lucky you'll get things working
- restore php.ini configs and PHP modules: yum install php-pgsql; yum install php-gd; etc
However if your package repositories outdated or you have curl library installed with NSS SSL bindings you can download and compile curl library manually. I've used phpize tool bundled with the php-devel package. So my problem I've had:
cURL Information 7.19.7
SSL Version NSS/3.13.6.0
and here is how I've changed it to:
cURL Information 7.22.0
SSL Version OpenSSL/1.0.1e
Update OpenSSL:
openssl version
if below 1.0 run: yum update openssl make sure it is actually updated
- Reinstall PHP. So save php.ini file
Keep a list of all PHP modules installed via:
yum list installed | grep php
save output!
- yum erase php
- yum erase php-curl
- yum install php-devel
- print PHP version with rpm -qa --queryformat '%{version}' php and find where you can download exact same PHP sources
- Following bash script will install specific curl library:
<pre>
#!/bin/bash
PHP_VERSION=$(rpm -qa --queryformat '%{version}' php)
CURL_VERSION=7.22.0
#echo $CURL_VERSION
#exit
#wget --no-check-certificate http://mirror.cogentco.com/pub/php/php-${PHP_VERSION}.tar.gz -O /tmp/php-${PHP_VERSION}.tar.gz
wget --no-check-certificate http://museum.php.net/php5/php-${PHP_VERSION}.tar.gz -O /tmp/php-${PHP_VERSION}.tar.gz
wget --no-check-certificate http://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz -O /tmp/curl-${CURL_VERSION}.tar.gz
cd /tmp; tar xzf php-${PHP_VERSION}.tar.gz
cd /tmp; tar xzf curl-${CURL_VERSION}.tar.gz
cd curl-${CURL_VERSION}
./configure
make
make install
cd /tmp; rm -rf curl-${CURL_VERSION}*
sleep 2
cd /tmp/php-${PHP_VERSION}/ext/curl/
phpize
./configure
make
make install
cd /tmp; rm -rf php-${PHP_VERSION}*
</pre>- restart apache or fpm and if you are lucky you'll get things working
- restore php.ini configs and PHP modules: yum install php-pgsql; yum install php-gd; etc
回答3:
Perfect, I wanted LibCurl to use OpenSSL instead of NSS, this has helped me fix it to tweak the php libcurl to use OpenSSL.
My Centos7 PHP 5.6 was using
php -r "print_r(curl_version());" | grep ssl_version
[ssl_version_number] => 0
[ssl_version] => NSS/3.19.1 Basic ECC
and after the above fix, it shows, this is what I wanted.
php -r "print_r(curl_version());" | grep ssl_version
[ssl_version_number] => 0
[ssl_version] => OpenSSL/1.0.1f
Here is the revised script that I have used on Centos7 with PHP 5.6.17
#!/bin/bash
PHP_VERSION=$(rpm -qa --queryformat '%{version}' php56)
CURL_VERSION=$(curl -V|head -1|awk '{print $2}')
wget --no-check-certificate http://mirror.cogentco.com/pub/php/php-5.6.17.tar.bz2 -O /tmp/php-${PHP_VERSION}.tar.bz2
wget --no-check-certificate http://curl.haxx.se/download/curl-${CURL_VERSION}.tar.gz -O /tmp/curl-${CURL_VERSION}.tar.gz
cd /tmp; tar xjf php-${PHP_VERSION}.tar.bz2
cd /tmp; tar xzf curl-${CURL_VERSION}.tar.gz
cd curl-${CURL_VERSION}
./configure
make
make install
cd /tmp; rm -rf curl-${CURL_VERSION}*
sleep 2
cd /tmp/php-${PHP_VERSION}/ext/curl/
phpize
./configure
make
make install
cd /tmp; rm -rf php-${PHP_VERSION}*
来源:https://stackoverflow.com/questions/35131590/php-curl-set-ssl-version