
PayPal TLS Test URL - PHP curl SSL protocol error

Tags: php, curl, ssl, paypal

I'm trying to test against a new PayPal test endpoint: https://tlstest.paypal.com.

See the very bottom of this page: TLS 1.2 and HTTP/1.1 Upgrade Microsite (Verify your...).

I'm using PHP (5.3.28) and curl (7.30.0 - OpenSSL/0.9.8y - libssh2/1.4.2) on Windows Server 2008 R2 and IIS 7.5:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://tlstest.paypal.com');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FAILONERROR, true);
curl_setopt($ch, CURLOPT_SSLVERSION, 6); // CURL_SSLVERSION_TLSv1_2
$result = curl_exec($ch);
echo 'result = '.$result.'<br>';
echo 'errno = '.curl_errno($ch).'<br>';
echo 'error = '.curl_error($ch).'<br>';
curl_close($ch);

I'm getting this error:

35 Unknown SSL protocol error in connection to tlstest.paypal.com:443

I found this: GitHub - Unknown SSL protocol error, in which someone says:

Openssl must be at 1.0.1 or higher for TLS 1.2.

Is this correct..?

My PHP OpenSSL is on version: OpenSSL/0.9.8y (from phpinfo()).

If you do need OpenSSL 1.0.1 or higher to use TLS 1.2 then presumably every server running PHP with a lesser OpenSSL version (I'm guessing that's a lot!) will be unable to use any PayPal APIs or the PayPal IPN soon.

How do I update my PHP OpenSSL version on Windows..?

asked Jan 27 '16 16:01

Stephen Last


1 Answer

I have this working now. It seems as though at least OpenSSL/1.0.1i is required for TLS 1.2.

I upgraded my PHP version to 5.6.0, which upgraded OpenSSL to version 1.0.1.

I also needed these:

  1. Use curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); to verify the certificate. The default is true as of cURL 7.10.
  2. Save cacert.pem from http://curl.haxx.se/docs/caextract.html locally (in my case to c:\cert), then update the PHP ini that you're using to reference cacert.pem as shown here. Using the ini file saves you having to use curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '\cacert.pem'); in every call.

answered Nov 04 '22 04:11

Stephen Last
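
A preflight for the setup this answer describes, as an added example that is not part of the original post: it compares the ssl_version string from curl_version() with the 1.0.1 threshold quoted in the question, checks that the curl.cainfo ini directive points at a readable CA bundle, and only then makes the request with verification on. The function names and the two sample version strings are constructed for illustration, and the script assumes a PHP build with no default CA bundle, as on the Windows setup above.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.
// Returns true/false for an OpenSSL-backed libcurl, null for any other TLS backend.
function openssl_supports_tls12($sslVersion)
{
    if (!preg_match('~OpenSSL/(\d+\.\d+\.\d+)~i', $sslVersion, $m)) {
        return null; // e.g. Schannel or NSS: this version check does not apply
    }
    return version_compare($m[1], '1.0.1', '>=');
}

// Collects reasons a verified TLS 1.2 request is likely to fail.
// Assumption: no default CA bundle (Windows build), so curl.cainfo must be set.
function tls12_preflight($sslVersion, $caFile)
{
    $problems = array();
    $ok = openssl_supports_tls12($sslVersion);
    if ($ok === false) {
        $problems[] = "$sslVersion predates OpenSSL 1.0.1: no TLS 1.2";
    } elseif ($ok === null) {
        $problems[] = "TLS backend '$sslVersion' is not OpenSSL: check it separately";
    }
    if ($caFile === '' || $caFile === false) {
        $problems[] = 'curl.cainfo is not set in php.ini';
    } elseif (!is_readable($caFile)) {
        $problems[] = "CA bundle $caFile is not readable";
    }
    return $problems;
}

// Constructed sample values: the question's build, then the answer's.
foreach (array('OpenSSL/0.9.8y', 'OpenSSL/1.0.1i') as $s) {
    echo $s, ' => ', var_export(openssl_supports_tls12($s), true), "\n";
}

// The build this script is running on.
$v = curl_version();
$problems = tls12_preflight($v['ssl_version'], ini_get('curl.cainfo'));
echo $problems ? implode("\n", $problems) . "\n" : "preflight ok\n";
// Request as in the question, with certificate and host name checks on (needs network).
if (!$problems) {
    $ch = curl_init('https://tlstest.paypal.com');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSLVERSION, defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $body = curl_exec($ch);
    echo $body === false ? curl_errno($ch) . ' ' . curl_error($ch) : $body, "\n";
    curl_close($ch);
}
```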