SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure Paypal adaptive payment - php

Below is my cURL config in PPHttpConfig.php for the PayPal Adaptive Payments SDK:
public static $DEFAULT_CURL_OPTS = array(
CURLOPT_SSLVERSION => 4, // 4 == CURL_SSLVERSION_TLSv1_0
CURLOPT_CONNECTTIMEOUT => 10,
CURLOPT_RETURNTRANSFER => TRUE,
CURLOPT_TIMEOUT => 60, // maximum number of seconds to allow cURL functions to execute
CURLOPT_USERAGENT => 'PayPal-PHP-SDK',
CURLOPT_HTTPHEADER => array(),
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_SSL_VERIFYPEER => FALSE, // the peer certificate is not verified at all
CURLOPT_SSL_CIPHER_LIST => 'TLSv1', // OpenSSL cipher-string alias for the TLSv1 suites
);
But I'm getting this error:
Type PayPal\Exception\PPConnectionException
Message error:14077410:SSL
routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

OpenSSL error messages tend towards cryptic and generic.
The most common causes for this error are that
the server certificate has expired
the server certificate is invalid
the client and server can not negotiate a protocol level or cipher acceptable to both parties.
Your version of OpenSSL is relatively recent (but still out of date / containing serious vulnerabilities). I'd like to think that PayPal wouldn't let their certificates expire.
Less common reasons for seeing this error are
your database of CA certs is out of date
CACert database can't be found (is your PHP running in a chroot?)
you've got some silly entries in your openssl.cnf or it can't be found
you are sitting behind a MITM proxy you didn't know about
You didn't say where the PHP is running, what it's running on, nor what access you have to the machine. If it's a Linux box and you have shell access, you might want to see what happens when you probe the server from the command line.
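The probe the answer recommends, done from PHP so the result reflects the same cURL build and CA bundle the SDK uses. This is an added diagnostic, not code from the answer or from the PayPal SDK: it keeps verification ON, tries each TLS version by its named constant instead of the magic number 4, and maps cURL's own error code onto the causes listed above. The host name is an assumption for illustration; use whatever PPHttpConfig.php points at.

```php
<?php
// Added diagnostic (not from the answer above or the PayPal SDK): probe the endpoint
// with verification ON and map curl's error code onto the causes listed above.
// The host is an assumption for illustration; use the one PPHttpConfig.php points at.

function tls_probe(string $host, int $port = 443): array
{
    // Named constants instead of the magic number in the question (CURL_SSLVERSION_TLSv1_0 == 4).
    $versions = [
        'TLSv1.2' => CURL_SSLVERSION_TLSv1_2,
        'TLSv1.1' => CURL_SSLVERSION_TLSv1_1,
        'TLSv1.0' => CURL_SSLVERSION_TLSv1_0,
    ];

    // Which CA bundle curl will use: php.ini's curl.cainfo, else OpenSSL's default.
    // Heuristic: an NSS- or Schannel-built curl has its own store (needs ext/openssl).
    $bundle = ini_get('curl.cainfo') ?: openssl_get_cert_locations()['default_cert_file'];
    $report = [
        'curl_ssl_backend' => curl_version()['ssl_version'],
        'ca_bundle'        => $bundle,
        'ca_bundle_exists' => is_readable((string) $bundle),
        'attempts'         => [],
    ];

    foreach ($versions as $label => $version) {
        $ch = curl_init("https://{$host}:{$port}/");
        curl_setopt_array($ch, [
            CURLOPT_NOBODY         => true,  // HEAD: only the handshake matters here
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT        => 20,
            CURLOPT_SSLVERSION     => $version,
            CURLOPT_SSL_VERIFYPEER => true,  // FALSE in the question hides the real cause
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_CERTINFO       => true,  // expose the peer chain via CURLINFO_CERTINFO
        ]);
        curl_exec($ch);
        $attempt = [
            'errno'         => curl_errno($ch),
            'error'         => curl_error($ch),
            'verify_result' => curl_getinfo($ch, CURLINFO_SSL_VERIFYRESULT), // 0 == OK (OpenSSL)
        ];
        if ($attempt['errno'] === 0) {
            $chain = curl_getinfo($ch, CURLINFO_CERTINFO);
            $attempt['leaf_expires'] = $chain[0]['Expire Date'] ?? 'unknown';
        }
        curl_close($ch);
        $report['attempts'][$label] = $attempt;
    }
    return $report;
}

function diagnose(array $report): string
{
    if (!$report['ca_bundle_exists']) {
        return "CA bundle '{$report['ca_bundle']}' is missing or unreadable (chroot? curl.cainfo?)";
    }
    foreach ($report['attempts'] as $label => $a) {
        switch ($a['errno']) {
            case 0:
                return "{$label} handshake OK; leaf certificate expires {$a['leaf_expires']}";
            case 51:   // CURLE_PEER_FAILED_VERIFICATION (pre-7.62 numbering)
            case 60:   // CURLE_SSL_CACERT / CURLE_PEER_FAILED_VERIFICATION
                return "{$label}: peer certificate not trusted (expired, wrong name, stale CA bundle or a MITM proxy): {$a['error']}";
            case 77:   // CURLE_SSL_CACERT_BADFILE
                return "{$label}: CA bundle cannot be read: {$a['error']}";
            case 35:   // CURLE_SSL_CONNECT_ERROR: the server rejected this protocol/cipher offer
                continue 2;   // try the next, older version
            default:
                return "{$label}: curl error {$a['errno']}: {$a['error']}";
        }
    }
    return 'no protocol version accepted: client and server cannot agree on a protocol or cipher';
}

$report = tls_probe('svcs.sandbox.paypal.com');   // assumed Adaptive Payments sandbox host
echo 'curl TLS backend: ', $report['curl_ssl_backend'], PHP_EOL;
echo diagnose($report), PHP_EOL;
```

The "sslv3 alert handshake failure" in the question surfaces as cURL error 35, which is why the probe walks down the version list only on that code: a trust failure (51/60/77) is reported immediately, since offering an older protocol would never fix it. If every version ends in 35 the server simply does not accept anything this cURL build offers, which with `CURLOPT_SSLVERSION => 4` (TLS 1.0 only) is the likely outcome against any endpoint that has retired TLS 1.0.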

Related

cURL error 28: Resolving timed out after 5001 milliseconds

I use WordPress and I recently moved my site from the cpanel host to a Linux server with directadmin panel.
Right after the transfer realized that customers have the following error when downloading via EDD plugin.
cURL error 28: Resolving timed out after 5001 milliseconds
I also got this error of w3_total_cache plugin.
Server information:
Centos 6.8 (Final)
cURL 7.54.0 (Final)
directadmin
cURL error 28: Resolving timed out after 5001 milliseconds means DNS resolution failed.
So just change the DNS server list in /etc/resolv.conf.
Or maybe we can bind the hostname and IP address in /etc/hosts.
This image shows the demo.
As reported here:
https://wordpress.org/support/topic/dropbox-upload-fails-with-curl-timeout-error/
You can apply this temporary fix to extend the HTTP request timeout:
add_filter( 'http_request_timeout', function( $timeout ) { return 60; });
WordPress's default is 5 seconds.
To resolve this you have to set the cURL connection timeout and timeout values when initializing cURL.
Just change these two property values:
CURLOPT_CONNECTTIMEOUT => 30,
CURLOPT_TIMEOUT => 60,
For more details check this.
update these two lines here:
/usr/share/icingaweb2/modules/jira/library/Jira/RestApi.php
$opts = array(
CURLOPT_URL => $this->url($url),
CURLOPT_HTTPHEADER => $headers,
CURLOPT_USERPWD => $auth,
CURLOPT_CUSTOMREQUEST => \strtoupper($method),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_CONNECTTIMEOUT => 30,
CURLOPT_TIMEOUT => 30,
);
You can set
set_time_limit(120);
in the wp-config.php after the MySQL settings section.

curl error: 60 Seller Center SDK

I'm having a problem using the Seller Center SDK from this site:
https://github.com/rocket-internet-berlin/SellerCenterSDK-PHP
I did exactly what it says, and when I came to the point of testing it with
php ./genericGetter.php
I got an error saying:
curl error 60: ssl certificate problem: unable to get local issuer certificate
I tried turning off my firewall and added cacert.pem from this site https://curl.haxx.se/ca/cacert.pem to my php.ini, and still no luck. Can someone provide a solution?
You can try adding it to php.ini:
curl.cainfo=c:\path\to\cacert.pem
And try setting the option with curl_setopt if it still doesn't work.
$options = array(
CURLOPT_RETURNTRANSFER => true, // return web page
CURLOPT_HEADER => false, // don't return headers
CURLOPT_FOLLOWLOCATION => true, // follow redirects
CURLOPT_ENCODING => "", // handle all encodings
CURLOPT_USERAGENT => "spider", // who am i
CURLOPT_AUTOREFERER => true, // set referer on redirect
CURLOPT_CONNECTTIMEOUT => 120, // timeout on connect
CURLOPT_TIMEOUT => 120, // timeout on response
CURLOPT_MAXREDIRS => 10, // stop after 10 redirects
CURLOPT_SSL_VERIFYPEER => false // Disabled SSL Cert checks
);
curl_setopt_array( $ch, $options );
Just figured it out.
Inside vendor\guzzlehttp\guzzle\src\HandlerCurlFactory.php, on line 329, change
$conf[CURLOPT_SSL_VERIFYPEER] = true;
to
$conf[CURLOPT_SSL_VERIFYPEER] = false;
So far, I don't know the side effects that might happen, but it does work fine now.
Hopefully this is useful for those who want to work with the Seller Center SDK.
If you can trust the source that you are consuming the resources from, then arguably I would say that you can deactivate that option temporarily, as you already did, but I would recommend you check the root of the issue for a long-term solution.
It seems that the issue is with curl not having a valid certificate:
Check if your server has the latest cacert.pem file which you can download from https://curl.haxx.se/docs/caextract.html and add to the server certs directory.
if the server uses a certificate signed by a CA represented in cacert then it might be expired, or the name might not match the domain name your SDK is using.
If you still don't have a solution, then check the link below to see if one of the options provided works for you:
curl: (60) SSL certificate : unable to get local issuer certificate
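The long-term fix the last answer points at, as an added example that is not code from the Seller Center SDK, Guzzle or any of the answers: keep CURLOPT_SSL_VERIFYPEER on and point cURL at an explicit CA bundle instead, failing closed when that bundle is missing or looks stale. The bundle path and endpoint URL are placeholders; the "100 roots / two years" thresholds are assumptions chosen for the check.

```php
<?php
// Added example (not code from the Seller Center SDK, Guzzle or the answers above): keep
// CURLOPT_SSL_VERIFYPEER on and point cURL at an explicit CA bundle instead, failing
// closed if that bundle is missing or looks stale. Paths and URL are placeholders.

const CA_BUNDLE = 'c:\path\to\cacert.pem';   // the file fetched from https://curl.haxx.se/ca/cacert.pem

function ca_bundle_check(string $path): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("CA bundle not readable: {$path}");
    }
    $pem = file_get_contents($path);
    // The Mozilla extract carries an "as of" date in its header; count the roots too.
    $certs = preg_match_all('/-----BEGIN CERTIFICATE-----/', $pem);
    preg_match('/Certificate data from Mozilla as of: (.+)/', $pem, $m);
    $asOf  = isset($m[1]) ? strtotime(trim($m[1])) : false;
    return ['certs' => $certs, 'as_of' => $asOf];
}

function secure_curl_options(): array
{
    $info = ca_bundle_check(CA_BUNDLE);
    // Sanity thresholds (assumptions): a real bundle has well over 100 roots, and one
    // older than two years is likely missing roots the server's chain needs.
    if ($info['certs'] < 100 || ($info['as_of'] !== false && $info['as_of'] < strtotime('-2 years'))) {
        throw new RuntimeException('CA bundle looks truncated or stale; download a fresh cacert.pem');
    }
    return [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_MAXREDIRS      => 10,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => 60,
        CURLOPT_SSL_VERIFYPEER => true,       // the hardened counterpart of `false` above
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CAINFO         => CA_BUNDLE,  // same effect as curl.cainfo in php.ini, per handle
    ];
}

$ch = curl_init('https://example.com/');   // placeholder for the Seller Center endpoint
curl_setopt_array($ch, secure_curl_options());
$body = curl_exec($ch);
if ($body === false) {
    // 60 still means the peer chain does not lead to a root in CA_BUNDLE:
    // refresh the bundle or inspect the server's chain, do not switch verification off.
    fwrite(STDERR, 'curl ' . curl_errno($ch) . ': ' . curl_error($ch) . PHP_EOL);
}
curl_close($ch);
```

For the Guzzle path edited in the "just figured it out" answer, the same effect without patching vendor code is Guzzle's request option `verify`, which accepts a path to a CA bundle (`new \GuzzleHttp\Client(['verify' => CA_BUNDLE])`); setting it to `false` is exactly the line-329 change and disables verification for every request the client makes.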

CentOS PHP curl unable to negotiate an acceptable set of security parameters

On an Ubuntu 14.04.3 this code works fine:
$url_login = "https://test.example.com/login.do";
$cert_file = '/var/www/html/test/cert.pem';
$ssl_key = '/var/www/html/test/cert_private.pem';
$post_fields = 'userAction=1&cancelReason=&cancelType=&account=&memoType=&userText=&userid=99999999&password=xxxxxxxxxxxxxxxx';
$ch = curl_init();
$options = array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_HEADER => 1,
CURLOPT_FOLLOWLOCATION => 1,
CURLOPT_SSL_VERIFYHOST => 0,
CURLOPT_SSL_VERIFYPEER => 0,
CURLOPT_USERAGENT => 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)',
CURLOPT_VERBOSE => 0,
CURLOPT_URL => $url_login ,
CURLOPT_SSLCERT => $cert_file ,
CURLOPT_SSLCERTTYPE, 'PEM',
CURLOPT_SSLKEY => $ssl_key,
CURLOPT_COOKIESESSION => 1,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => $post_fields
);
curl_setopt_array($ch , $options);
$output = curl_exec($ch);
The PHP on Ubuntu is using curl built with OpenSSL.
On CentOS 7 it fails with:
Curl Error : SSL peer was unable to negotiate an acceptable set of security parameters.
curl here is built with NSS.
The "cert.pem" contains only the client certificate with the cert-chain, and the "cert_private.pem" contains the private key not password protected. (-----BEGIN RSA PRIVATE KEY-----).
How can I get the above PHP code to work with both the OpenSSL and NSS builds of curl?
How about correcting:
CURLOPT_SSLCERTTYPE, 'PEM',
to
CURLOPT_SSLCERTTYPE => 'PEM',
?
I've also come across this problem using client certificate authentication with nss, while openssl works fine.
After much testing, this is what I've established with the server we're trying to contact:
curl using TLS v1.2 (default in some cases) with client certificate fails
curl using TLS v1.2 with a client cert required by the server, but not used by the client, connects successfully. However, the client is not authenticated.
curl using TLS v1.0 with client certificate is successful
The above happens regardless of cipher suite, generally we're using rsa_aes_256_cbc_sha_256.
The quick workaround is to force TLS v1.0:
CURLOPT_SSLVERSION => 4,
Clearly this isn't ideal, and your server may not support it.
Another option is to compile curl with openssl or even GnuTLS (although I haven't tested the latter) instead of nss. Again, this may not be an option.
So far this points to a problem with NSS. I'll update this answer if further debugging generates any useful information.
Just for reference, this is the full error message using curl on the command line:
* NSS error -12227 (SSL_ERROR_HANDSHAKE_FAILURE_ALERT)
* SSL peer was unable to negotiate an acceptable set of security parameters.
* Closing connection 0
curl: (35) SSL peer was unable to negotiate an acceptable set of security parameters.
Update 2015-11-24: Further testing with Wireshark and ssltap shows the initial handshake is succeeding and the connection gets as far as the client sending ChangeCipherSpec, followed by its encrypted "Finished" message.
The server should then decrypt the client's "Finished" message, verify the hash and MAC and respond with its own encrypted "Finished" message. Instead, the server is responding with "handshake_failure" at this point.
This should provide a clue as to where NSS is failing.
Chrome, Openssl and Charles Proxy can all authenticate using the client certificate. Firefox (using NSS) and curl (with NSS) both fail at this point.
Update 2015-11-27: Additional information provided by the server's operations team suggests this may be an issue with a non-compliant server. The problem only arises when using TLS 1.2 under certain circumstances. This would explain why some SSL libraries, such as OpenSSL, are flexible enough to work around it.
NSS may be more strict in its compliance with RFCs. I'll update the answer if/when we hear more from the operations team managing the server.
Update 2017-01-25: The webserver software and load balancers are custom built for a specific bank's payment gateway. We've recently tried again with a new client and the server now appears to work with both Curl built with either NSS or OpenSSL and are no longer seeing the error. In summary: the workaround was to use a different SSL library and wait for the developers to fix the server software.
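The two answers above together amount to: fix the `=>`, name the TLS version, and know which TLS library your curl was built with. The following is an added example, not the questioner's code, that does all three: the option array is written so the same code runs on the OpenSSL and NSS builds, the TLS version is a CURL_SSLVERSION_* constant, and the fallback to TLS 1.0 happens only on a handshake failure and is logged. Paths and URL are the ones from the question; the password is the question's placeholder.

```php
<?php
// Added example (not the questioner's code): client-certificate login written so the
// same option array works on the OpenSSL and NSS builds of curl, with the TLS version
// as a named constant and a logged fallback to TLS 1.0 only on a handshake failure.
// Paths and URL are the ones from the question; the password placeholder is theirs.

function tls_backend(): string
{
    // e.g. "OpenSSL/1.0.1f" on the Ubuntu box, "NSS/3.x" on the CentOS 7 box
    return curl_version()['ssl_version'];
}

function client_cert_options(string $url, string $cert, string $key, string $post, int $ver): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_SSL_VERIFYPEER => true,      // the question sets both to 0; keep them on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLCERT        => $cert,
        CURLOPT_SSLCERTTYPE    => 'PEM',     // `=>`, not the comma the question had
        CURLOPT_SSLKEY         => $key,
        CURLOPT_SSLKEYTYPE     => 'PEM',
        CURLOPT_SSLVERSION     => $ver,      // CURL_SSLVERSION_* constant, not a magic number
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $post,
    ];
}

function post_with_client_cert(string $url, string $cert, string $key, string $post): array
{
    $attempts = [
        'TLSv1.2' => CURL_SSLVERSION_TLSv1_2,
        'TLSv1.0' => CURL_SSLVERSION_TLSv1_0,   // the workaround from the answer above
    ];
    $errno = 0;
    $error = '';
    $label = '';
    foreach ($attempts as $label => $ver) {
        $ch = curl_init();
        curl_setopt_array($ch, client_cert_options($url, $cert, $key, $post, $ver));
        $out   = curl_exec($ch);
        $errno = curl_errno($ch);
        $error = curl_error($ch);
        curl_close($ch);
        if ($errno === 0) {
            return ['ok' => true, 'tls' => $label, 'backend' => tls_backend(), 'response' => $out];
        }
        if ($errno !== 35) {   // CURLE_SSL_CONNECT_ERROR: only a handshake failure justifies retrying older
            break;
        }
        error_log("client-cert handshake with {$label} failed on " . tls_backend() . ": {$error}");
    }
    return ['ok' => false, 'tls' => $label, 'backend' => tls_backend(), 'errno' => $errno, 'error' => $error];
}

$post = http_build_query([
    'userAction' => 1, 'cancelReason' => '', 'cancelType' => '', 'account' => '',
    'memoType' => '', 'userText' => '', 'userid' => '99999999', 'password' => 'xxxxxxxxxxxxxxxx',
]);
$result = post_with_client_cert(
    'https://test.example.com/login.do',
    '/var/www/html/test/cert.pem',
    '/var/www/html/test/cert_private.pem',
    $post
);
echo $result['ok'] ? "authenticated over {$result['tls']}\n" : "failed ({$result['tls']}): {$result['error']}\n";
```

On an NSS build, CURLOPT_SSLCERT accepts a PEM file only when libnsspem is installed; otherwise it expects the nickname of a certificate in an NSS database, so a "cannot load certificate" failure on CentOS is a different problem from the handshake_failure alert traced above. The fallback is deliberately limited to error 35 and logged so that a server silently dropping to TLS 1.0 shows up in monitoring rather than becoming the permanent state.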

Mac OS X 10.9 Unknown SSL protocol error in connection to

I updated my mac OS to OS X 10.9.
OS X 10.9/Apache 2.2.24/PHP 5.4.17
Now getting the error (Unknown SSL protocol error in connection to...) when attempting to connect to our remote server via cURL.
DEFINE("SSL_CERTTYPE", "PEM");
DEFINE("SSL_KEYPASS", "xxxxxxxxx");
DEFINE("SSL_CERT", $_SERVER['DOCUMENT_ROOT']."/certs/mycert.pem");
DEFINE("SSL_KEY", $_SERVER['DOCUMENT_ROOT']."/certs/mycert.key");
$options = array
(
CURLOPT_URL => $url,
CURLOPT_RETURNTRANSFER => true,
CURLOPT_HEADER => false,
CURLOPT_FOLLOWLOCATION => false,
CURLOPT_VERBOSE => false,
CURLOPT_SSL_VERIFYHOST => false,
CURLOPT_SSL_VERIFYPEER => false,
CURLOPT_SSLCERT => SSL_CERT,
CURLOPT_SSLKEY => SSL_KEY,
CURLOPT_SSLKEYPASSWD => SSL_KEYPASS,
CURLOPT_SSLCERTTYPE => SSL_CERTTYPE,
);
I have tried setting the SSLVERSION to both 2 and 3 but I still get the error.
Not sure if this is an Apache or PHP issue. Any guidance would be greatly appreciated.
*It's also worth noting this was working on 10.8 prior to the update.
This actually has to do with curl: http://curl.haxx.se/mail/archive-2013-10/0036.html
Apparently Apple moved from OpenSSL to their own Secure Transport protocol which seems to have broken curl's handling of client-side certificates (if required for the connection). The only workaround I've found so far is to remove the client-side certificate requirement, which unfortunately isn't ideal.
-- Update --
It appears as though you should be able to use Keychain Access to get this to work, but I haven't been able to thus far.

Getting internal error with Response Status Code 0 on Amazon Marketplace API Requests

I've downloaded Amazon's Marketplace SDK and I'm trying out one of the samples in the samples dir. However, I'm getting an exception with the following details whenever I try it:
Caught Exception: Internal Error
Response Status Code: 0
Error Code:
Error Type:
Request ID:
XML: RequestId: , ResponseContext: , Timestamp:
ResponseHeaderMetadata:
I have got CURL enabled with SSL as well. What am I doing wrong?
This answer is for future reference. For in-depth troubleshooting, see comments on the question.
The empty response indicates a failed connection to the Amazon server. In this case, HTTP worked fine, but HTTPS did not. As turning off CURLOPT_SSL_VERIFYPEER in the cURL settings solved the issue, it appears that the Amazon server was not using a valid SSL certificate.
Having CURLOPT_SSL_VERIFYPEER turned on checks if the requested host has a valid certificate and lets cURL return false if it doesn't. When CURLOPT_SSL_VERIFYPEER is off, invalid certificates (e.g., self-signed) are accepted and return the regular response.
For future reference. In the new version of the SDK the options are referenced in the client.php as follows
private function getDefaultCurlOptions() {
return array (
CURLOPT_POST => true,
CURLOPT_USERAGENT => $this->config['UserAgent'],
CURLOPT_VERBOSE => true,
CURLOPT_HEADERFUNCTION => array ($this, 'headerCallback'),
CURLOPT_RETURNTRANSFER => true,
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2
);
}
setting
CURLOPT_SSL_VERIFYPEER => false,
did the trick in my case. As I am not a security expert, however, no recommendation from this point of view. At least it's working and you are probably not losing one whole day as I did.
I experienced a very similar connection issue with Amazon. It was the sample files bundled with the Amazon PHP API, which contain the following configuration array:
$config = array (
'ServiceURL' => $serviceUrl,
'ProxyHost' => null,
'ProxyPort' => -1,
'MaxErrorRetry' => 3,
);
and if this is copied over and not modified
'ProxyPort' => -1,
will result in an attempt to connect through a proxy port -1 which will of course fail (issue tracked by checking curl error). I hope this helps.
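Putting the three answers together, as an added example that is not the Amazon MWS sample or client code: build the same cURL options the SDK's getDefaultCurlOptions() shows, keep CURLOPT_SSL_VERIFYPEER on, attach a proxy only when the sample config's ProxyHost and ProxyPort are actually set (so the copied `'ProxyPort' => -1` cannot make cURL dial port -1), and when the HTTP status comes back 0 report cURL's own error instead of an empty "Internal Error". The config array is the sample's; the endpoint URL, action name and user agent are assumptions.

```php
<?php
// Added example (not the Amazon MWS sample or client code): build the cURL options the
// way the SDK's getDefaultCurlOptions() does, attach a proxy only when the sample
// config really sets one, and surface curl's error when the HTTP status is 0.
// Endpoint URL, action name and user agent below are assumptions.

function curl_options_from_config(array $config, string $userAgent): array
{
    $opts = [
        CURLOPT_POST           => true,
        CURLOPT_USERAGENT      => $userAgent,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep on; fix the CA bundle rather than disabling it
        CURLOPT_SSL_VERIFYHOST => 2,
    ];
    // 'ProxyPort' => -1 copied verbatim from the sample must not become a proxy setting.
    if (!empty($config['ProxyHost']) && (int) ($config['ProxyPort'] ?? -1) > 0) {
        $opts[CURLOPT_PROXY]     = $config['ProxyHost'];
        $opts[CURLOPT_PROXYPORT] = (int) $config['ProxyPort'];
    }
    return $opts;
}

function mws_post(array $config, array $params, string $userAgent = 'MyApp/1.0 (Language=PHP)'): array
{
    $ch = curl_init($config['ServiceURL']);
    curl_setopt_array($ch, curl_options_from_config($config, $userAgent) + [
        CURLOPT_POSTFIELDS => http_build_query($params),
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $errno  = curl_errno($ch);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $status === 0) {
        // "Response Status Code: 0" means the transport failed before any HTTP reply.
        // The real cause is curl's error: 60 (CA verification), 7 (connect/proxy), 35 (TLS), 6 (DNS).
        return ['ok' => false, 'status' => 0, 'curl_errno' => $errno, 'curl_error' => $error];
    }
    return ['ok' => true, 'status' => $status, 'body' => $body];
}

$config = [
    'ServiceURL'    => 'https://mws.amazonservices.com/',   // assumed; use the SDK's endpoint for your section
    'ProxyHost'     => null,
    'ProxyPort'     => -1,                                  // as shipped in the sample; now harmless
    'MaxErrorRetry' => 3,
];
$r = mws_post($config, ['Action' => 'GetServiceStatus']);    // action name is an assumption
if (!$r['ok']) {
    fwrite(STDERR, "no HTTP response: curl {$r['curl_errno']}: {$r['curl_error']}\n");
} else {
    echo "HTTP {$r['status']}\n";
}
```

With this shape, the answer that switched CURLOPT_SSL_VERIFYPEER off would instead have seen a curl error 60 (or 77 if the bundle file itself is unreadable) naming the certificate problem, which is what the "not a security expert" caveat was really asking for: the fix is a current CA bundle or CURLOPT_CAINFO, not accepting any certificate the network hands you.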
