Fixed 1.5.6 "Unsupported SSL protocol" server errors

Myke623

Since recently upgrading to 1.5.6 I noticed today a heap of server errors related to Unsupported SSL protocol:

Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol

Error Info
Zend_Http_Client_Exception: Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol version - library/Zend/Http/Client/Adapter/Curl.php:423
Generated By: Unknown Account, Today at 3:14 PM
Stack Trace
#0 /home/myhost/public_html/library/Zend/Http/Client.php(987): Zend_Http_Client_Adapter_Curl->write('POST', Object(Zend_Uri_Http), '1.1', Array, 'cmd=_notify-val...')
#1 /home/myhost/public_html/library/XenForo/UserUpgradeProcessor/PayPal.php(161): Zend_Http_Client->request('POST')
#2 /home/myhost/public_html/payment_callback.php(24): XenForo_UserUpgradeProcessor_PayPal->validateRequest('Connection to P...')
#3 {main}

I'm aware that PayPal will require TLS 1.2 come June 2016, and that my server does not (yet) meet this requirement, but I was surprised to see these messages being generated so soon. FWIW, it seems as though the payment was still successful on the PayPal end.
 
I mentioned some similar errors to Mike last week (Connection to PayPal failed: Error in cURL request: error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available).

The payments will still go through (as noted) but you will need to manually promote if it is related to a user upgrade.
 
This appears to be a situation where PHP supports what is required but cURL doesn't. I suspect it's down to an old version of cURL (or perhaps an old version of OpenSSL bound to it, but PHP is likely using the same version). Can you provide your cURL version details from PHP info output (admin.php?tools/phpinfo)?
 
So in this case, I think the issue comes from you having a version of cURL that knows about TLS 1.2 (>= 7.34.0) but SSL bindings that don't support it (OpenSSL < 1.0.0). In Brogan's case, the server cURL doesn't know about TLS 1.2, so my understanding of the documentation is that it should behave as in the default case then, but it appears it doesn't. We shouldn't have to force an SSL method manually as it should be negotiated, but we have seen a case where it didn't do this.

As a workaround, in library/XenForo/UserUpgradeProcessor/PayPal.php, you should be able to replace:
Code:
if (in_array('tlsv1.2', $transports))
with:
Code:
if (true)
And I believe that will function correctly (provided PHP at least has some SSL support in it).
 
I think I have a proper fix for this now and I have sent you a message with that for testing. There are a lot of permutations here, so I'm not 100% sure it's a solution for everyone but I hope it is.

If anyone runs into any errors relating to connecting to PayPal for user upgrades, please send me a message and I can send you the fixed file so we can confirm it works in your situation.
 
I ran into this problem. What do I do? My cURL is the same version as that guy above ^
Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol version

I changed the code to if(true).
It works now, but yeah, what is the ultimate fix? Can someone help?
 
From my own experience, and from the 1.5.7 release notes:
  • Improved usage of cURL in the PayPal upgrade processor to ensure that requests are still successful before the TLS 1.2 transition is required.

I was pretty sure this was fixed in the current release.
 
There have been a couple further tweaks (post 1.5.7), though we haven't had many reports of issues. One was seemingly down to cURL incorrectly reporting the OpenSSL version (or an OpenSSL with some elements backported) and another appears to be related to a specific version of NSS being used with cURL on PHP < 5.5.

I've attached a tweaked version of library/XenForo/UserUpgradeProcessor/PayPal.php which you can try if you want to give it a shot.
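
The mismatch discussed in this thread (a cURL new enough to know TLS 1.2 bound to an SSL library that is not, or a non-OpenSSL backend such as NSS) can be spotted from PHP's `curl_version()` output. The PHP sketch below is an added example, not XenForo's code and not the attached fix; the function name `tls12Readiness`, the sample arrays and the OpenSSL 1.0.1 threshold (the first OpenSSL release with TLS 1.2) are assumptions of the example. Because cURL can report a misleading or backported OpenSSL version, as noted above, treat the result as a hint and confirm with a real request.

```php
<?php
// Added example (not XenForo code): classify curl_version() for TLS 1.2 readiness.
function tls12Readiness(array $cv)
{
    $curl = isset($cv['version']) ? $cv['version'] : '0';
    $ssl  = isset($cv['ssl_version']) ? $cv['ssl_version'] : '';

    if ($ssl === '') {
        return 'no-ssl: cURL was built without an SSL library';
    }
    // libcurl only accepts CURL_SSLVERSION_TLSv1_2 from 7.34.0 onward.
    if (version_compare($curl, '7.34.0', '<')) {
        return "negotiate: cURL $curl is too old to force TLS 1.2 and relies on negotiation";
    }
    if (!preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $ssl, $m)) {
        // NSS, GnuTLS, etc.: the version string alone is not conclusive.
        return "unknown: backend $ssl, confirm with a real TLS 1.2 request";
    }
    // Assumption: OpenSSL 1.0.1 is the first release implementing TLS 1.2.
    if (version_compare($m[1], '1.0.1', '<')) {
        return "mismatch: cURL $curl knows TLS 1.2 but OpenSSL {$m[1]} does not";
    }
    return "ok: cURL $curl with OpenSSL {$m[1]} can use TLS 1.2";
}

// Constructed sample inputs shaped like curl_version() output.
$samples = array(
    array('version' => '7.38.0', 'ssl_version' => 'OpenSSL/0.9.8e'),
    array('version' => '7.19.7', 'ssl_version' => 'NSS/3.19.1'),
    array('version' => '7.47.0', 'ssl_version' => 'OpenSSL/1.0.2g'),
    array('version' => '7.40.0', 'ssl_version' => 'NSS/3.16.2'),
);
foreach ($samples as $cv) {
    echo $cv['version'], ' + ', $cv['ssl_version'], ' => ', tls12Readiness($cv), "\n";
}

// Report on the PHP build this script runs under, if the cURL extension is loaded.
if (function_exists('curl_version')) {
    echo 'this server => ', tls12Readiness(curl_version()), "\n";
}
```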
 
