I am getting this error when connecting to the PayPal (NVP) API:
CURL Request failed: SSL connect error(35)
This means that I can't connect because I am probably using SSL3. How can I fix this issue, as I can't go live without testing? Do I have to change my server or can I fix it in the CURL request?
I have a workaround for the problem you are facing now (I have been facing the same problem since last week with the sandbox environment). Try something like this in your curl call:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSLVERSION, 6); //6 is for TLSV1.2
DETAILS
CURLOPT_SSLVERSION
One of CURL_SSLVERSION_DEFAULT (0), CURL_SSLVERSION_TLSv1 (1), CURL_SSLVERSION_SSLv2 (2), CURL_SSLVERSION_SSLv3 (3), CURL_SSLVERSION_TLSv1_0 (4), CURL_SSLVERSION_TLSv1_1 (5) or CURL_SSLVERSION_TLSv1_2 (6).
Note:
Your best bet is to not set this and let it use the default. Setting it to 2 or 3 is very dangerous given the known vulnerabilities in SSLv2 and SSLv3.
CREDITS: http://php.net/manual/en/function.curl-setopt.php
Hope it helps someone.
We also faced the same issue, and we fixed it by setting up SSL on our server, creating a CA certificate, and then adding the CA certificate path in our curl call, as in the following example.
CURLOPT_SSL_VERIFYPEER => true,
CURLOPT_SSL_VERIFYHOST => 2,
CURLOPT_CAINFO =>'cert.pem',
NOTE: Please check your curl version and update it to the latest one.
Server admins may be aware of this, such as how to set up SSL as well as how to obtain the CA certificate.
ALL THE BEST,
curl_setopt($s, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
I created a php-curl file to access an API from another server:
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://192.168.4.2/sdk_service/rest/users/login/v1.1');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
// curl_setopt($ch, CURLOPT_CAINFO, "C:/xampp/htdocs/curl/cibinong/cacert.pem");
// curl_setopt($ch, CURLOPT_CAPATH, "C:/xampp/htdocs/curl/cibinong/");
$result = curl_exec($ch);
if (curl_error($ch)) {
echo curl_error($ch);
}
print_r($result);
I got error message:
SSL certificate problem: unable to get local issuer certificate
Help me, maybe I missed something?
The problem is in the fact that you get an invalid SSL certificate, you need to turn off some checks. Can you try it with the following options?
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
This will skip the verification of the SSL host and SSL peer, because that is what you need in this case.
You're accessing a HTTPS URL using an IP address, which is very rarely actually working. Most sites require a name for SNI to be used to get the correct server cert and many CAs don't even sell you certs for plain IP addresses.
Instead of disabling the cert-check you should consider accessing this server using its "proper" and official name so that the server knows which cert to offer in the TLS handshake.
If you really want to connect to this specific IP address and still use the right name in the URL, you can do so with the CURLOPT_RESOLVE option. Documented among the other CURL options.
Don't settle for disabling the cert-check. That's a poor work-around that only risks sticking around forever and makes you vulnerable.
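The CURLOPT_RESOLVE approach from the answer above, as an added example that is not part of the original thread: the request is pinned to the IP address from the question while SNI and the certificate checks still use the server's name. The hostname `sdk.example.internal` and the `cacert.pem` location are assumptions; substitute the name the server's certificate was issued for and the bundle holding its issuing CA.

```php
<?php
// Added example. API_HOST and CA_FILE are assumed values, not taken from the thread.
const API_HOST = 'sdk.example.internal';   // hypothetical name present in the server certificate
const API_IP   = '192.168.4.2';            // address used in the question
const CA_FILE  = __DIR__ . '/cacert.pem';  // hypothetical PEM bundle containing the issuing CA

function fetchPinnedToIp(string $path): string
{
    // A missing or unreadable bundle is a common cause of CA-related cURL errors.
    if (!is_readable(CA_FILE)) {
        throw new RuntimeException('CA bundle not readable: ' . CA_FILE);
    }

    $ch = curl_init('https://' . API_HOST . $path);
    curl_setopt_array($ch, [
        // "host:port:address" bypasses DNS for this handle only; the URL,
        // SNI and the certificate name check all keep using API_HOST.
        CURLOPT_RESOLVE        => [API_HOST . ':443:' . API_IP],
        CURLOPT_SSL_VERIFYPEER => true,    // chain must end at a CA in CA_FILE
        CURLOPT_SSL_VERIFYHOST => 2,       // certificate must name API_HOST
        CURLOPT_CAINFO         => CA_FILE,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // Surface the verification failure instead of disabling the check.
        $msg = sprintf('cURL error %d: %s', curl_errno($ch), curl_error($ch));
        curl_close($ch);
        throw new RuntimeException($msg);
    }
    curl_close($ch);
    return $body;
}

try {
    echo fetchPinnedToIp('/sdk_service/rest/users/login/v1.1');
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```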
For some reason I am unable to use CURL with HTTPS. Everything was working fine until I ran an upgrade of the curl libraries. Now I am experiencing this response when trying to perform CURL requests: Problem with the SSL CA cert (path? access rights?)
Following suggestions posted here on related issues I have tried to do the following:
Disable verification for host and peer
curl_setopt($cHandler, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);
Enable CURLOPT_SSL_VERIFYPEER and point to cacert.pem downloaded from http://curl.haxx.se/docs/caextract.html
curl_setopt($cHandler, CURLOPT_SSL_VERIFYPEER, true);
curl_setopt($cHandler, CURLOPT_CAINFO, getcwd() . "/positiveSSL.ca-bundle");
I also tried to do the same thing with positiveSSL.ca-bundle which was provided as bundle CA certificate for the server I am trying to connect to.
Edit php ini settings with curl.cainfo=cacert.pem (file in the same directory and accessible by apache)
Rename /etc/pki/nssdb to /etc/pki/nssdb.old
Unfortunately none of the above are able to solve my problem and I constantly get the Problem with the SSL CA cert (path? access rights?) message.
And I don't need this verification in the first place (I am aware of security issues).
Does anybody have any other suggestions?
UPDATE
After updating to the latest libraries and restarting the whole box, not just Apache as I had been doing, it all seems to be working again!!!
According to documentation: to verify host or peer certificate you need to specify alternate certificates with the CURLOPT_CAINFO option or a certificate directory can be specified with the CURLOPT_CAPATH option.
Also look at CURLOPT_SSL_VERIFYHOST:
1 to check the existence of a common name in the SSL peer certificate.
2 to check the existence of a common name and also verify that it matches the hostname provided.
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); // Return data instead of echoing it on screen
curl_setopt($ch, CURLOPT_URL, $strURL);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); // Skip SSL Verification
$rsData = curl_exec($ch);
curl_close($ch);
return $rsData;
We had the same problem on a CentOS7 machine. Disabling the VERIFYHOST VERIFYPEER did not solve the problem, we did not have the cURL error anymore but the response still was invalid. Doing a wget to the same link as the cURL was doing also resulted in a certificate error.
-> Our solution also was to reboot the VPS, this solved it and we were able to complete the request again.
For us this seemed to be a memory corruption problem. Rebooting the VPS reloaded the library into memory again and now it works. So if the above solution from #clover does not work, try to reboot your machine.
In the middle of integrating OmniPay currently. Seems all good, but when I go to use the PayPalExpress gateway, it gives me the following error:
[curl] 35: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure [url] https://api-3t.sandbox.paypal.com/nvp?VERSION=119.0&USER=...
Tracking things down it seems to be an issue with PayPal's SSL updates and I need to tell it to use SSL3 and the updated cipher list:
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl_setopt($ch, CURLOPT_SSL_CIPHER_LIST, 'SSLv3');
However, I haven't been able to figure out a way to pass these options on to Guzzle and then on to curl. Anyone know how I can accomplish this?
To pass options to curl or guzzle you need to do something like this in the sendData function: https://github.com/cherrytech/omnipay-paypal/commit/f520a015a91eb1bf2666892d3ef362607a74396f
What you are suggesting, which is to set the cipher list to SSLv3 explicitly, will not work. PayPal have changed their servers to require TLS 1.2 and any SSLv3 connections will be rejected. The correct thing to do is to update the version of libcurl on your system to > 7.40 which will auto-negotiate the correct TLS 1.2 version.
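An added example (not from the thread and not OmniPay code) that checks whether the local PHP, libcurl and OpenSSL stack can negotiate TLS 1.2 before the endpoint is called. The helper names `tls12Preflight()` and `tls12Options()` are hypothetical, and the thresholds used are the releases in which libcurl (7.34.0) and OpenSSL (1.0.1) gained TLS 1.2 support.

```php
<?php
// Added example; helper names are this example's own.

function tls12Preflight(): array
{
    $v = curl_version();
    $problems = [];

    // The TLS 1.2 selector was added to libcurl in 7.34.0.
    if (version_compare($v['version'], '7.34.0', '<')) {
        $problems[] = "libcurl {$v['version']} has no TLS 1.2 selector";
    }
    // ssl_version looks like "OpenSSL/1.0.1e" or "NSS/3.36"; only OpenSSL is
    // version-checked here. OpenSSL 0.9.8 and 1.0.0 stop at TLS 1.0.
    if (preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $v['ssl_version'], $m)
        && version_compare($m[1], '1.0.1', '<')) {
        $problems[] = "OpenSSL {$m[1]} cannot negotiate TLS 1.2";
    }
    if (!defined('CURL_SSLVERSION_TLSv1_2')) {
        $problems[] = 'this PHP build does not define CURL_SSLVERSION_TLSv1_2';
    }
    return $problems;
}

function tls12Options(string $url): array
{
    return [
        CURLOPT_URL            => $url,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_RETURNTRANSFER => true,
    ];
}

$problems = tls12Preflight();
if ($problems) {
    // Report what has to be upgraded instead of falling back to SSLv3.
    foreach ($problems as $p) {
        echo "TLS 1.2 unavailable: {$p}", PHP_EOL;
    }
    exit(1);
}

$ch = curl_init();
curl_setopt_array($ch, tls12Options('https://api-3t.sandbox.paypal.com/nvp'));
echo 'TLS 1.2 capable stack: ', curl_version()['ssl_version'], PHP_EOL;
```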
I have this error when using CURLOPT_SSL_VERIFYHOST:
Curl error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
What I tried:
1 - turning off VERIFYHOST is not an option, I need this to login to https page
2 - downloaded certificate and I use it like this:
curl_setopt($c, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($c, CURLOPT_CAINFO, getcwd() . '/certificate.pl.crt');
And I still get the same error.
3 - I turned on ssl_module in Apache extensions (I use WAMP)
4 - I turned on php_openssl in PHP extensions
What else should I do? From phpinfo(); I know that I have:
mod_ssl/2.2.22
OpenSSL/0.9.8u
And it still doesn't work. What else should I do :( ?
Had to edit this as I missed some comments before.
If you don't try to import your certificate and switch peer validation off, your transport should still be SSL secured if I'm not mistaken, so if the goal is to get it over SSL, then I wouldn't bother messing with the import of certificates. Of course if you do want some more peace of mind it's a different thing.