
In the middle of integrating OmniPay currently. Seems all good, but when I go to use the PayPalExpress gateway, it gives me the following error:

[curl] 35: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure [url] https://api-3t.sandbox.paypal.com/nvp?VERSION=119.0&USER=...

Tracking things down it seems to be an issue with PayPal's SSL updates and I need to tell it to use SSL3 and the updated cipher list:

curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'SSLv3');

However, I haven't been able to figure out a way to pass these options on to Guzzle and then on to curl. Anyone know how I can accomplish this?

Lonnie

1 Answer

  1. To pass options to curl or guzzle you need to do something like this in the sendData function: https://github.com/cherrytech/omnipay-paypal/commit/f520a015a91eb1bf2666892d3ef362607a74396f
  2. What you are suggesting, which is to set the cipher list to SSLv3 explicitly, will not work. PayPal have changed their servers to require TLS 1.2 and any SSLv3 connections will be rejected. The correct thing to do is to update the version of libcurl on your system to > 7.40 which will auto-negotiate the correct TLS 1.2 version.
delatbabel
  • #1 - if I'm reading that right I have to modify core files? So, there's no way in OmniPay to do this? #2 - The version of curl on my server is 7.43.0 so that fix doesn't sound like it will work. – Lonnie Feb 16 '16 at 00:48
  • I have tested this myself with libcurl 7.44 on CentOS 6. It works fine for me without any code changes using the PayPal_Rest gateway. – delatbabel Feb 16 '16 at 01:05
  • Okay, I might need to reinstall then on my local server to get it working right. And you've got a good point about setting cipher list to SSLv3. Looks like that should be CURL_SSLVERSION_TLSv1_2 (or 6) instead to set the minor version. – Lonnie Feb 16 '16 at 02:27
  • Yes I believe that 6 is the correct answer, however if you don't have a libcurl that supports that, you will just get an exception thrown. I have tested this on my server with the updated libcurl without setting the SSL version, and letting libcurl auto negotiate. It works fine. I haven't seen any evidence that setting the SSL version to 6 or setting the cipher list makes any difference, however if you have a test case that proves it either way then I'd like to see that. – delatbabel Feb 16 '16 at 02:38
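Putting the answer's first point into practice without editing vendor files, as an added example that is not code from the question, the answer or the omnipay-paypal project: it assumes Omnipay 2.x with its Guzzle 3 HTTP client, the `PayPal_Express` gateway name, and placeholder credentials, and it requests TLS 1.2 as a floor (rather than SSLv3) while leaving cipher negotiation to libcurl.

```php
<?php
// Added example: hand curl TLS options to Omnipay through a custom Guzzle 3
// client. Assumes Omnipay 2.x + Guzzle 3 (the combination in the question).
require 'vendor/autoload.php';

use Guzzle\Http\Client;
use Omnipay\Omnipay;

// Build the curl options once. CURL_SSLVERSION_TLSv1_2 (== 6) is a minimum
// version, so libcurl still negotiates the cipher suite with PayPal itself.
// Certificate verification stays on; do not disable it to "fix" handshakes.
function tlsCurlOptions()
{
    if (!defined('CURL_SSLVERSION_TLSv1_2')) {
        // Constant is missing on PHP builds linked against an old libcurl;
        // the real fix is a newer libcurl, as the answer says.
        throw new RuntimeException(
            'This PHP/libcurl build cannot request TLS 1.2; update libcurl.'
        );
    }
    return array(
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    );
}

// Report which libcurl PHP is actually linked against (7.43.0 in the
// question), so a deployment mismatch is visible before any live request.
function libcurlVersion()
{
    $v = curl_version();
    return $v['version'];
}

// Guzzle 3 passes everything under its 'curl.options' config key to
// curl_setopt_array() for every request the client sends.
$httpClient = new Client('', array(
    Client::CURL_OPTIONS => tlsCurlOptions(),
));

// Omnipay::create() takes the HTTP client as its second argument, so the
// gateway uses our TLS settings with no changes to Omnipay's own code.
$gateway = Omnipay::create('PayPal_Express', $httpClient);
$gateway->setUsername('API_USERNAME_PLACEHOLDER');   // placeholders, not real
$gateway->setPassword('API_PASSWORD_PLACEHOLDER');
$gateway->setSignature('API_SIGNATURE_PLACEHOLDER');
$gateway->setTestMode(true);                         // sandbox endpoint

echo 'libcurl ' . libcurlVersion() . ' configured; TLS 1.2 floor set', PHP_EOL;
// From here, $gateway->purchase([...])->send() behaves as usual.
```

If the handshake error persists with this floor in place, the libcurl behind PHP (not the command-line `curl`) is the one to check, which is what `libcurlVersion()` reports.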