Error 0x1408F10B: "SSL3_GET_RECORD:wrong version number" with PayPal SDK
Looks like PayPal might have updated its systems in light of the POODLE attack, causing sites using the PHP PayPal SDK to break.
I get the error:
PayPal/Exception/PPConnectionException: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPHttpConnection.php:91
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPAPIService.php:66
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPBaseService.php:82
/var/www/site/vendor/paypal/adaptivepayments-sdk-php/lib/PayPal/Service/AdaptivePaymentsService.php:97
What would you recommend to fix this, without compromising security ?
Answer
UPDATE: As Jaffer noted, PayPal's GitHub repository has already merged the changes below, so you might just update your SDK.
At least this seems to work for now, though I will have to investigate what protocol it will actually use.
\PayPal\Core\PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSLVERSION] = 1;
// 0 = default protocol (likely TLSv1), 1 = TLSv1; unsafe: 2 = SSLv2, 3 = SSLv3
For other people using cURL directly, just use
curl_setopt($handle, CURLOPT_SSLVERSION, 1);
UPDATE:
Just looked up the source to cURL, these are the values (// comments mine):
enum {
CURL_SSLVERSION_DEFAULT, // 0
CURL_SSLVERSION_TLSv1, // 1
CURL_SSLVERSION_SSLv2, // 2
CURL_SSLVERSION_SSLv3, // 3
CURL_SSLVERSION_LAST /* never use, keep last */ // 4
};
So to summarize, yes, 1 is TLSv1 and judging from the comment, is probably better than 4.
Updated code above.