PayPal IPN acknowledgements failing with SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

ianhk · Oct 15, 2014 · Viewed 30.6k times

With no changes on our side, and perhaps related to POODLE/SSL3, our PayPal API call to PPIPNMessage::validate is now failing with:

SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure

The checkout and receipt of the IPN is fine (and we have never supported SSL3 incoming); it's just failing when acknowledging the IPN (oddly, PayPal doesn't try again, even though we have failed).

Running curl from the same server's command line succeeds:

$ curl -iv https://ipnpb.paypal.com/cgi-bin/webscr
* About to connect() to ipnpb.paypal.com port 443 (#0)
*   Trying 173.0.88.8... connected
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES256-SHA
* Server certificate:
*    subject: 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; businessCategory=Private Organization; serialNumber=3014267; C=US; postalCode=95131-2021; ST=California; L=San Jose; street=2211 N 1st St; O=PayPal, Inc.; OU=PayPal Production; CN=ipnpb.paypa
*    start date: 2013-06-28 00:00:00 GMT
*    expire date: 2015-08-02 23:59:59 GMT
*    subjectAltName: ipnpb.paypal.com matched
*    issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)06; CN=VeriSign Class 3 Extended Validation SSL CA
*    SSL certificate verify ok.
> GET /cgi-bin/webscr HTTP/1.1
> User-Agent: curl/7.22.0 (x86_64-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
> Host: ipnpb.paypal.com
> Accept: */*

I did note that ssllabs.com shows 1 out of 4 IPs still supporting SSL3 on this endpoint.

Answer

ianhk · Oct 15, 2014

This is the same problem as Error 0x1408F10B: "SSL3_GET_RECORD:wrong version number" with PayPal SDK

The version of PayPal API we are using hard codes CURLOPT_SSLVERSION to 3.

Our fix is to insert this before any PayPal calls.

// 4 is CURL_SSLVERSION_TLSv1_0 in PHP/libcurl; the SDK's hard-coded default was 3 (CURL_SSLVERSION_SSLv3)
PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSLVERSION] = 4;
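For readers who would rather not patch the SDK's static option table, the following is an added example (not the PayPal SDK's own code and not from the answer above) of acknowledging an IPN with an explicitly pinned TLS floor, certificate verification left on, and a handshake failure reported distinctly from a PayPal "INVALID" verdict. The function names `paypal_ipn_validate` and `tls_build_info` are hypothetical; it assumes PHP 5.5 or later with libcurl 7.34 or later, which is when the `CURL_SSLVERSION_TLSv1_2` constant appeared.

```php
<?php
// Added example (not the PayPal SDK's code): acknowledge an IPN over a pinned
// modern TLS version, keep certificate verification on, and tell a TLS
// handshake failure apart from PayPal rejecting the message.
// Assumes PHP >= 5.5 and libcurl >= 7.34 (for CURL_SSLVERSION_TLSv1_2).

function paypal_ipn_validate($rawPostBody, $endpoint = 'https://ipnpb.paypal.com/cgi-bin/webscr')
{
    // PayPal expects the original POST body echoed back, prefixed with cmd=_notify-validate.
    $body = 'cmd=_notify-validate&' . $rawPostBody;

    $ch = curl_init($endpoint);
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        // Pin the protocol floor explicitly instead of inheriting a hard-coded SSLv3.
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        // Peer and hostname verification stay on; a TLS error is never fixed by turning these off.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTPHEADER     => array('User-Agent: ipn-validate-example/1.0', 'Connection: Close'),
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
    ));

    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    $error    = curl_error($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($response === false) {
        // CURLE_SSL_CONNECT_ERROR (35) is how a protocol or cipher mismatch surfaces in libcurl.
        $kind = ($errno === CURLE_SSL_CONNECT_ERROR) ? 'tls_handshake' : 'transport';
        return array('verified' => false, 'failure' => $kind, 'detail' => "curl($errno): $error");
    }
    if ($httpCode !== 200) {
        return array('verified' => false, 'failure' => 'http', 'detail' => "HTTP $httpCode");
    }

    // PayPal answers with the bare word VERIFIED or INVALID.
    $text = trim($response);
    return array(
        'verified' => ($text === 'VERIFIED'),
        'failure'  => ($text === 'VERIFIED') ? null : 'paypal_' . strtolower($text),
        'detail'   => $text,
    );
}

// Runtime check: which libcurl and SSL library this PHP build actually links against.
function tls_build_info()
{
    $v = curl_version();
    return array('libcurl' => $v['version'], 'ssl' => $v['ssl_version']);
}

// Usage from an IPN handler; the raw body is exactly what PayPal POSTed to us.
// $result = paypal_ipn_validate(file_get_contents('php://input'));
// if (!$result['verified']) {
//     error_log('IPN not verified: ' . $result['failure'] . ' - ' . $result['detail']);
// }
```

The `failure` field matters operationally: a `tls_handshake` result points at the client's protocol settings or OpenSSL build (what this thread describes), whereas `paypal_invalid` means the handshake worked and the message itself should be treated as untrusted. `tls_build_info()` is worth logging once at startup, since a PHP build linked against an old OpenSSL will fail the pinned version regardless of the curl option. The same floor can be confirmed from the shell with `curl -v --tlsv1.2 https://ipnpb.paypal.com/cgi-bin/webscr` (on the curl 7.22 in the question, `--tlsv1` is the available flag).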