Error 0x1408F10B: "SSL3_GET_RECORD:wrong version number" with PayPal SDK

Arc picture Arc · Oct 15, 2014 · Viewed 27.1k times · Source

Looks like PayPal might have updated its systems in light of the POODLE attack, causing sites using the PHP PayPal SDK to break.

I get the error:

PayPal/Exception/PPConnectionException: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPHttpConnection.php:91
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPAPIService.php:66
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPBaseService.php:82
/var/www/site/vendor/paypal/adaptivepayments-sdk-php/lib/PayPal/Service/AdaptivePaymentsService.php:97

What would you recommend to fix this, without compromising security ?

Answer

Arc picture Arc · Oct 15, 2014

UPDATE: As Jaffer noted, PayPal's GitHub repository has already merged the changes below, so you might just update your SDK.

At least this seems to work for now, though I will have to investigate what protocol it will actually use.

\PayPal\Core\PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSLVERSION] = 1;
// 0 = default protocol (likely TLSv1), 1 = TLSv1; unsafe: 2 = SSLv2, 3 = SSLv3

For other people using cURL directly, just use

curl_setopt($handle, CURLOPT_SSLVERSION, 1);

UPDATE:
Just looked up the source to cURL, these are the values (// comments mine):

enum {  
    CURL_SSLVERSION_DEFAULT, // 0
    CURL_SSLVERSION_TLSv1,   // 1
    CURL_SSLVERSION_SSLv2,   // 2
    CURL_SSLVERSION_SSLv3,   // 3

    CURL_SSLVERSION_LAST /* never use, keep last */  // 4
};

So to summarize, yes, 1 is TLSv1 and judging from the comment, is probably better than 4.
Updated code above.