Looks like PayPal might have updated its systems in light of the POODLE attack, causing sites using the PHP PayPal SDK to break.
I get the error:
PayPal/Exception/PPConnectionException: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPHttpConnection.php:91
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPAPIService.php:66
/var/www/site/vendor/paypal/sdk-core-php/lib/PayPal/Core/PPBaseService.php:82
/var/www/site/vendor/paypal/adaptivepayments-sdk-php/lib/PayPal/Service/AdaptivePaymentsService.php:97
What would you recommend to fix this, without compromising security?
UPDATE: As Jaffer noted, PayPal's GitHub repository has already merged the changes below, so you might just update your SDK.
At least this seems to work for now, though I will have to investigate what protocol it will actually use.
\PayPal\Core\PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSLVERSION] = 1;
// 0 = default protocol (likely TLSv1), 1 = TLSv1; unsafe: 2 = SSLv2, 3 = SSLv3
For other people using cURL directly, just use
curl_setopt($handle, CURLOPT_SSLVERSION, 1);
UPDATE:
Just looked up the source to cURL, these are the values (// comments mine):
enum {
  CURL_SSLVERSION_DEFAULT, // 0
  CURL_SSLVERSION_TLSv1,   // 1
  CURL_SSLVERSION_SSLv2,   // 2
  CURL_SSLVERSION_SSLv3,   // 3
  CURL_SSLVERSION_LAST     /* never use, keep last */ // 4
};
So to summarize, yes, 1 is TLSv1 and judging from the comment, is probably better than 4.
Updated code above.
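As an added example (not code from the question, the answer or PayPal's SDK), here is how the fix above can be applied while keeping certificate verification on, with a helper that records which protocol the handshake actually negotiated, which the answer leaves open. The function names `secureCurlOptions` and `negotiatedProtocolLog` and the `https://example.com/` URL are this example's own; the only SDK symbol used is the `$DEFAULT_CURL_OPTS` property named above. The `CURL_SSLVERSION_TLSv1_2` constant is only present on PHP builds linked against cURL 7.34.0 or later (PHP 5.5.19 / 5.6.3), so the code falls back to `CURL_SSLVERSION_TLSv1` (value 1) where it is missing.

```php
<?php
// Added example: force TLS for cURL and keep peer verification enabled, then apply the
// options to the PayPal SDK's static default option array. Not part of the SDK.

/**
 * cURL options that exclude SSLv2/SSLv3 and keep certificate checks on.
 *
 * Where the build knows CURL_SSLVERSION_TLSv1_2 (cURL >= 7.34.0) TLS 1.2 is selected
 * (newer cURL treats this as a minimum); otherwise CURL_SSLVERSION_TLSv1 (== 1), the
 * value the fix above sets, which still refuses SSLv3.
 */
function secureCurlOptions()
{
    $version = defined('CURL_SSLVERSION_TLSv1_2')
        ? CURL_SSLVERSION_TLSv1_2
        : CURL_SSLVERSION_TLSv1; // 1, see the enum quoted above

    return array(
        CURLOPT_SSLVERSION     => $version,
        CURLOPT_SSL_VERIFYPEER => true, // do not switch this off to "fix" a handshake error
        CURLOPT_SSL_VERIFYHOST => 2,    // 2 = certificate name must match the host
    );
}

// Apply to the SDK (same static property the fix above modifies).
foreach (secureCurlOptions() as $opt => $value) {
    \PayPal\Core\PPHttpConfig::$DEFAULT_CURL_OPTS[$opt] = $value;
}

/**
 * For code that calls cURL directly: perform only the handshake against $url and return
 * the TLS-related lines of cURL's verbose log, e.g. "SSL connection using TLSv1.2 / ...",
 * so the negotiated protocol can be confirmed rather than assumed.
 */
function negotiatedProtocolLog($url)
{
    $log = fopen('php://temp', 'w+');
    $ch  = curl_init($url);
    curl_setopt_array($ch, secureCurlOptions() + array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_NOBODY         => true, // HEAD request: handshake is all we need
        CURLOPT_VERBOSE        => true,
        CURLOPT_STDERR         => $log, // verbose output goes to our temp stream
    ));
    curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);

    rewind($log);
    $out = stream_get_contents($log);
    fclose($log);

    // Keep only the lines that describe the TLS negotiation.
    $lines = array_filter(explode("\n", $out), function ($line) {
        return stripos($line, 'SSL connection') !== false || stripos($line, 'TLS') !== false;
    });
    return trim(implode("\n", $lines) . ($err !== '' ? "\nerror: $err" : ''));
}

// Usage (needs network access; the URL is a placeholder, substitute your endpoint):
// echo negotiatedProtocolLog('https://example.com/'), PHP_EOL;
```

If the log shows a cURL error rather than a TLS 1.x line, the remote side and the local cURL/OpenSSL build have no protocol in common, and the fix is to update the client libraries, not to lower `CURLOPT_SSLVERSION` back to an SSLv3 value.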
PayPal have officially released an update to the PHP SDK to address this issue, which was posted in the GitHub PR Jaffer linked to:
https://github.com/paypal/rest-api-sdk-php/releases/tag/v0.13.1
For people who are using https://github.com/Quixotix/PHP-PayPal-IPN, just set force_ssl_v3 to false:
$listener = new IpnListener();
$listener->force_ssl_v3 = false;