Just installed DreamFactory on a server and have it connecting correctly to the database. When trying to send a cURL request, I'm receiving this error:
curl: (35) Unknown SSL protocol error in connection to [api.domain.net].
I'm not exactly sure where to start to get this to work with an SSL connection to the database. Any help would be incredible at this point because searching this issue isn't helping much.
Are you forcing SSL3? Since DreamFactory docs say "Using SSL with our API requires SSL3" you may need to use the -3 or --sslv3 cURL options, as indicated on the cURL man page. The DreamFactory docs page of cURL examples uses the -3 option repeatedly. You will need to ensure that SSLv3 support is enabled in your web server of choice, as well.
This SO answer indicates the cURL error message "Unknown SSL protocol error" can be caused by using the wrong SSL/TLS protocol version, so the above is the most likely resolution given the details provided.
You will also need to ensure you've properly installed and enabled your SSL cert. If you deployed DreamFactory using Bitnami, you may want to review their documentation on enabling SSL. If you installed DreamFactory manually, you will need to consult documentation for your particular environment. Just visiting https://[api.domain.net] in a modern browser should give you a good indication of whether or not your cert is properly installed and enabled. Your browser will also report which version of SSL is being used.
Since your question is not specific and does not provide details on your setup, I cannot provide a more concrete answer. If you can edit to provide basic information, the community may provide a better response.
Related
I've put together a site utilising the Stripe payment system.
Upon making a test payment over HTTPS, I get the error:
Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later.
I've made sure all my versions of software are up to date:
PHP Version: 7.0.7
cUrl Version: 7.47.1
SSL Version: OpenSSL/1.0.2h
I've also tested my site itself on https://www.ssllabs.com/ssltest/analyze.html to make sure TLS 1.2 is enabled and functional on the server.
The only thing I can think is if there is possibly an issue with the certificate bundle I have registered in php.ini (CURL curl.cainfo setting), but since Stripe source has a "ca-certificates.crt" already included I wasn't sure if I even needed to set an entry for curl.cainfo in my php.ini file.
Any advice would be massively appreciated. If there is any additional information I can provide that might help, just let me know.
EDIT: Currently using Stripe's PHP Framework v4.1.1 (Latest)
The SSL cert you mentioned is used by your server to respond to incoming requests. What this means is that if I visit your website, as a customer, my browser (Chrome) will try to talk to your server over TLS 1.2 by default as it uses the most secure protocol first. Your server is apparently able to answer requests over TLS 1.2.
The issue we have right now is that when your server contacts Stripe's servers it negotiates TLS 1.0 by default instead of TLS 1.2. Since Stripe is going to deprecate requests made with TLS < 1.2 this means your requests will start failing next year if you don't upgrade.
What I'd recommend here is to talk with your webhost about this so that they can help you look into your setup and ensure that you do support TLS 1.2 requests from your server to Stripe's. Additionally, you can follow the steps outlined at https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integration-from-tls-1-0-to-tls-1-2 to ensure that your code libraries also support TLS 1.2.
This could also be caused by an outdated version of Stripe's PHP library. They released version 3.19.0 on Friday July 29th which corrected a bug that affected some setups which might explain why you're getting this error even if your host supports TLS 1.2. You may also try updating the Stripe PHP library that you are using to the current version to see if that solves your issue.
Problem was with my local issuer certificate, turns out I was on the right track.
Had to set a default value in my php.ini file for curl_cainfo and that fixed it.
I'm using the PHP userland library, found here: https://github.com/mongodb/mongo-php-library
, with documentation at: http://mongodb.github.io/mongo-php-library/classes/client/
How do I supply SSL options and which constructor to use? I'm assuming MongoDB/Client but documentation is sparse.
I have the usual on the server; CA file, server certificate and private key file with net.ssl being set to requireSSL.
So if anyone has tried anything, it'd be great if you can list what worked.
Update
A lot of googling took me to this page. and I could only get the mongo shell connected successfully, but definitely not through the php library. I am using MongoDB 3.2.1 on Centos7.
Additionally I see that client certificates need two additional fields in the x509 certificates[keyUsage = digitalSignature, extendedKeyUsage = clientAuth], as narrated here. Now although that isn't impossible, but isn't a very manageable or scalable way for my implementation in my opinion.
Also a strange thing I discovered is that the CN in the final client certificate needs to be "localhost.". You cannot omit the last period. And the --host argument accordingly has to be "localhost." (not just localhost) or else the validation fails. But if you try to create a certificate with the CN as just localhost, you will never be able to connect to the server and the validation would fail everytime.
The site that connect sandbox paypal works , until recently
it can connect will curl
but when it send the request at the second time
it show the error of
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I have tried some reference online and set the SSL SHA-256 cert of it but it return same error. Other suggest switch to TLS at the curl connection but it may not perfered as there are many project I have handled.
Are there any suggestion to connect sandbox paypal with SSLv3? Thanks for helping.
You'll have to switch the cURL request to use TLS 1.2 in order to use the PayPal sandbox. I'm in the same boat, and there's no way around it, unfortunately. They just activated the change on the sandbox environment a few days ago.
https://devblog.paypal.com/upcoming-security-changes-notice/
I'll add some extra info on this since the first answer doesn't really cover all of the important points.
Paypal has started rolling out some upgrades, the sandbox now requires TLS 1.2 for all requests, and production systems will also require this from June 2016 onwards.
To support this you will need to:
Ensure your server has OpenSSL 1.0.1 or above (which is when TLS 1.2 support was added).
openssl version will show you your version number.
Once you meet that criteria, in your PHP code you can force the SSLVERSION to TLS 1.2 with the following command:
curl_setopt($curl, CURLOPT_SSLVERSION, 6);
Or if you want a less hacky solution, it is possible to have the correct SSL version kick in automatically during the handshake, where the client and server compare available ciphers to find a common protocol. You appear to be using PHP + curl, so you'll need PHP 5.5.19+ and curl 7.29+ for this to take place.
I have similar problem with error 14077410 and SSL3. I upgrade my PHP server from 5.4 to 7.0 and error disappear.
My college downloaded cert-name.crt file from external host. Now we need to connect to web service platform, obviously using their SSL certificate. We are a bit confused by OpenSSL documentation. Research didn't help either. All we get is 'Could not connect to host' PHP exception. Just to clear things, interface worked perfectly fine over unsecured HTTP. We use pure Soap library. As an act of desperation we also tried to connect with host without verification by disabling verify_peer variable in SoapClient stream context. Please help, we are under pressure.
To get your started:
By default, PHP looks for the CA file on UNIX systems in, make sure it is readable by the PHP invoker (user via cli, Apache user, etc..), and place the .crt file here:
/etc/pki/CA
Currently setting up a backup solution that sends a database dump and some other files from a Wordpress network to a NAS on my LAN, via WebDAV. I have installed PHP WebDAV on my web server and the basic code to get that that to work is:
webdav_connect('http://webdav.example.com/dav', 'davuser', 'davpassword');
webdav_put('/your/nice/thing.txt', $data);
webdav_close();
The issue is, my NAS requires this connection to be done via HTTPS, so in a web browser you'd see a warning which you can ignore, but PHP gives the following warning and the code fails:
Warning: webdav_put() [function.webdav-put]: Server certificate verification failed: certificate issued for a different hostname, issuer is not trusted in /var/www/vhosts/blah/blah/blah.php on line 5
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate? The domain name used for accessing the WebDAV service on my NAS is one provided by Dynamic DNS if that makes a difference.
Is there a way in which I can ask PHP to ignore this, or will I need to obtain an SSL certificate?
I don't know which HTTP Layer PHP WebDAV uses (which extension are you using?), but often it's possible to configure the underlying layer to ignore certificate errors.
If you need certificate verification for security reasons, you should obtain a valid certificate.
Just for completeness as I don't like leaving things un-answered. I've decided to access my WebDAV service via SMEStorage. They provide an API which developers can use for this sort of thing:
http://smestorage.com/?p=static&page=for_developers