Update PHP cURL request from SSLv3 to TLS..?

Tags: php, curl, ssl, paypal

Because of the recent vulnerability discovered in SSLv3, many web service providers (i.e. PayPal, Facebook, Google) are disabling that and wanting us to use TLS instead. I'm having a little bit of trouble figuring out how to do this.

I'm currently using the following function to handle my cURL requests.

function CURLRequest($Request = "", $APIName = "", $APIOperation = "", $PrintHeaders = false)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_VERBOSE, 1);
    // Peer certificate verification is turned off for this request.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($curl, CURLOPT_TIMEOUT, 30);
    curl_setopt($curl, CURLOPT_URL, $this->EndPointURL);
    // Return the response body from curl_exec() instead of printing it.
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $Request);

    // Certificate API mode: present the client certificate (PEM) to the server.
    if($this->APIMode == 'Certificate')
    {
        curl_setopt($curl, CURLOPT_SSLCERT, $this->PathToCertKeyPEM);
    }

    $Response = curl_exec($curl);

    /*
     * If a cURL error occurs, output it for review.
     */
    if($this->Sandbox)
    {
        if(curl_error($curl))
        {
            echo curl_error($curl).'<br /><br />';
        }
    }

    curl_close($curl);
    return $Response;
}

When I try hitting PayPal's sandbox, though, where they've already disabled this, I end up with a cURL error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The info that I've found is that I just need to change this to use TLS instead of SSL, and the other answers I've seen say to simply do that by adding a curl option to my function...

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

I've added that option, though, and I still get the exact same result. Any information on how I can get this working would be greatly appreciated. Thanks!

asked Nov 05 '14 17:11 by Drew Angell


2 Answers

Copied from: SSL error can not change to TLS

Try adding curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'TLSv1'); to your code.

This will work if your cURL is OpenSSL libssl based but not if NSS based.

answered Oct 25 '22 02:10 by philippe lhardy
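
The backend caveat in the answer above can be checked at runtime before choosing options. The following is an added example, not code from the question or the answers: `backend_family()` and `tls_curl_options()` are hypothetical helpers, the backend strings in the loop are constructed samples, and enabling certificate verification is an assumption of this example rather than something the posts set.

```php
<?php
// Added example: pick TLS-related cURL options from the SSL backend name.
// backend_family() and tls_curl_options() are hypothetical helper names.

function backend_family(string $sslVersion): string
{
    // curl_version()['ssl_version'] looks like "OpenSSL/1.0.1e" or "NSS/3.15.4".
    $name = strtolower(explode('/', trim($sslVersion))[0]);
    if ($name === 'openssl') {
        return 'openssl';
    }
    return $name === 'nss' ? 'nss' : 'other';
}

function tls_curl_options(string $sslVersion): array
{
    $opts = [
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1, // option from the question
        CURLOPT_SSL_VERIFYPEER => true, // assumption: keep certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,    // assumption: also check the host name
    ];
    // 'TLSv1' is an OpenSSL cipher string, so it is only added for that backend.
    if (backend_family($sslVersion) === 'openssl') {
        $opts[CURLOPT_SSL_CIPHER_LIST] = 'TLSv1';
    }
    return $opts;
}

if (!extension_loaded('curl')) {
    exit("The curl extension is required for this example.\n");
}

// Constructed sample backend strings, not captured from a real host.
foreach (['OpenSSL/1.0.1e', 'NSS/3.15.4', 'GnuTLS/2.12.23'] as $sample) {
    $opts = tls_curl_options($sample);
    printf("%-16s family=%-8s cipher list set: %s\n", $sample,
        backend_family($sample),
        isset($opts[CURLOPT_SSL_CIPHER_LIST]) ? 'yes' : 'no');
}

// Apply the options for the backend this PHP build is actually linked against.
$backend = curl_version()['ssl_version'] ?? '';
$curl = curl_init();
$applied = curl_setopt_array($curl, tls_curl_options($backend));
printf("local backend: %s, options accepted: %s\n",
    $backend === '' ? '(none)' : $backend, $applied ? 'yes' : 'no');
```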


A better solution until PayPal updates its core SDK would be to override the CURLOPT_SSL_CIPHER_LIST directly in your application. This way you don't have to interfere with the sdk-core-php package directly and you will be free to upgrade it in future.

You could add something like the following to your app's bootstrap or payment processing logic:

PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSL_CIPHER_LIST] = 'TLSv1';

Just make sure you comment it thoroughly and remember to take it out later when the issue has been patched in the core.

answered Oct 25 '22 04:10 by Sebastian Sibelle