1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Fixed 1.5.6 "Unsupported SSL protocol" server errors

Discussion in 'Resolved Bug Reports' started by Myke623, Mar 7, 2016.

  1. Myke623

    Myke623 Active Member

    Since recently upgrading to 1.5.6 I noticed today a heap of server errors related to Unsupported SSL protocol:

    Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol

    Error Info
    Zend_Http_Client_Exception: Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol version - library/Zend/Http/Client/Adapter/Curl.php:423
    Generated By: Unknown Account, Today at 3:14 PM
    Stack Trace
    #0 /home/myhost/public_html/library/Zend/Http/Client.php(987): Zend_Http_Client_Adapter_Curl->write('POST', Object(Zend_Uri_Http), '1.1', Array, 'cmd=_notify-val...')
    #1 /home/myhost/public_html/library/XenForo/UserUpgradeProcessor/PayPal.php(161): Zend_Http_Client->request('POST')
    #2 /home/myhost/public_html/payment_callback.php(24): XenForo_UserUpgradeProcessor_PayPal->validateRequest('Connection to P...')
    #3 {main}​

    I'm aware that PayPal will require TLS 1.2 come June 2016, and that my server does not (yet) meet this requirement, but I was surprised to see these messages being generated so soon. FWIW, it seems as though the payment was still successful on the PayPal end.
     
  2. Brogan

    Brogan XenForo Moderator Staff Member

    I mentioned some similar errors to Mike last week (Connection to PayPal failed: Error in cURL request: error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available).

    The payments will still go through (as noted) but you will need to manually promote if it is related to a user upgrade.
     
  3. Mike

    Mike XenForo Developer Staff Member

    This appears to be a situation where PHP supports what is required but cURL doesn't. I suspect it's down to an old version of cURL (or perhaps an old version of OpenSSL bound to it, but PHP is likely using the same version). Can you provide your cURL version details from PHP info output (admin.php?tools/phpinfo).
     
  4. Myke623

    Myke623 Active Member

    The cURL Information reports as 7.38.0.
     

    Attached Files:

  5. Mike

    Mike XenForo Developer Staff Member

    So in this case, I think the issue comes from you having a version of cURL that knows about TLS 1.2 (>= 7.34.0) but SSL bindings that don't support it (OpenSSL < 1.0.0). In Brogan's case, the server cURL doesn't know about TLS 1.2, so my understanding of the documentation is that it should behave as in the default case then, but it appears it doesn't. We shouldn't have to force an SSL method manually as it should be negotiated, but we have seen a case where it didn't do this.

    As a workaround, in library/XenForo/UserUpgradeProcessor/PayPal.php, you should be able to replace:
    Code:
    if (in_array('tlsv1.2', $transports))
    with:
    Code:
    if (true)
    And I believe that will function correctly (provided PHP at least has some SSL support in it).
     
  6. Myke623

    Myke623 Active Member

    I've made the change and will report back in a couple of days, or when another payment has occurred.
     
  7. Mike

    Mike XenForo Developer Staff Member

    I think I have a proper fix for this now and I have sent you a message with that for testing. There are a lot of permutations here, so I'm not 100% sure it's a solution for everyone but I hope it is.

    If anyone runs into any errors relating to connecting to PayPal for user upgrades, please send me a message and I can send you the fixed file so we can confirm it works in your situation.
     
  8. cra0

    cra0 New Member

    I ran into this problem what do I do my curl is the same version as that guy above ^
    Connection to PayPal failed: Error in cURL request: Unsupported SSL protocol version

    I changed the code to if(true)
    it works now but yeah what is the ultimate fix can someone help?
     
    Last edited: Apr 25, 2016
  9. Myke623

    Myke623 Active Member

    From my own experience, and from the 1.5.7 release notes:
    I was pretty sure this was fixed in the current release.
     
  10. Mike

    Mike XenForo Developer Staff Member

    There have been a couple further tweaks (post 1.5.7), though we haven't had many reports of issues. One was seemingly down to cURL incorrectly reporting the OpenSSL version (or an OpenSSL with some elements backported) and another appears to be related to a specific version of NSS being used with cURL on PHP < 5.5.

    I've attached a tweaked version of library/XenForo/UserUpgradeProcessor/PayPal.php which you can try if you want to give it a shot.
     

    Attached Files:

    Myke623 and eva2000 like this.

Share This Page