贝宝IPN侦听器-SSL证书握手失败
[英]PayPal IPN Listener - SSL Certificate Handshake Failure
问题描述
Running PHP 5.3.28 and curl 7.30.0 (OpenSSL/0.9.8y & libssh2/1.4.2) on Windows Server 2008 R2 using IIS. 
使用IIS在Windows Server 2008 R2上运行PHP 5.3.28和curl 7.30.0(OpenSSL / 0.9.8y&libssh2 / 1.4.2)。
I'm creating a IPN listener for PayPal Instant Payment Notifications using their sandbox environment, but no matter what I do I get SSL certificate errors like: 我正在使用他们的沙盒环境为PayPal即时付款通知创建IPN侦听器,但是无论如何我都会收到SSL证书错误,例如:
error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Here is my code (where $fields are the correct fields to POST back): 这里是我的代码(其中$fields是正确的领域POST回):
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://www.sandbox.paypal.com/cgi-bin/webscr';
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $fields);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FAILONERROR, true);
if ($result = curl_exec($ch)) {
echo 'result = '.$result.'<br>';
} else {
echo 'result = '.$result.'<br>';
echo 'errno = '.curl_errno($ch).'<br>';
echo 'error = '.curl_error($ch).'<br>';
}
curl_close($ch);
So, I understand that the PayPal server requires TLS 1.2 and does not support SSL 2/3 , but I can't seem to get my POST request to work. 因此,我知道PayPal服务器需要TLS 1.2,并且不支持SSL 2/3 ,但是我似乎无法使POST请求生效。 I've tried: 我试过了:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
...and I get the same error. ...我得到同样的错误。 I've also tried: 我也尝试过:
curl_setopt($ch, CURLOPT_SSLVERSION, n);
...which gets these results: ...得到以下结果:
- [default] =
35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure[默认值] = 35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - 0 CURL_SSLVERSION_DEFAULT =
35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure0 CURL_SSLVERSION_DEFAULT = 35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - 1 CURL_SSLVERSION_TLSv1 =
35 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure1 CURL_SSLVERSION_TLSv1 = 35 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure - 2 CURL_SSLVERSION_SSLv2 =
4 OpenSSL was built without SSLv2 support2 CURL_SSLVERSION_SSLv2 = 4 OpenSSL was built without SSLv2 support - 3 CURL_SSLVERSION_SSLv3 =
35 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure3 CURL_SSLVERSION_SSLv3 = 35 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure - 4 CURL_SSLVERSION_TLSv1_0 =
35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure4 CURL_SSLVERSION_TLSv1_0 = 35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - 5 CURL_SSLVERSION_TLSv1_1 =
35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure5 CURL_SSLVERSION_TLSv1_1 = 35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure - 6 CURL_SSLVERSION_TLSv1_2 =
35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure6 CURL_SSLVERSION_TLSv1_2 = 35 error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
I also read somewhere to try this: 我也在某处阅读以尝试此操作:
curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '\\cacert.pem');
Where cacert.pem is downloaded from http://curl.haxx.se/docs/caextract.html and placed in the same directory as my script. 从http://curl.haxx.se/docs/caextract.html下载cacert.pem并将其放置在与我的脚本相同的目录中。 This doesn't make any difference. 这没有任何区别。
Is my code correct..? 我的代码正确吗?
How do I make this work..? 我如何做这项工作..?
1 个解决方案
解决方案1
1 已采纳 2016-01-28 13:51:49
I have this working now, here's how: 我现在正在工作,方法如下:
- Verify the certificate 验证证书
- Upgrade to at least PHP 5.6.0 / OpenSSL 1.0.1 至少升级到PHP 5.6.0 / OpenSSL 1.0.1
- Save and reference
cacert.pem保存并引用cacert.pem
1. Verify the certificate 1.验证证书
Use curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); 使用curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); to verify the certificate. 验证证书。
2. Upgrade to at least PHP 5.6.0 / OpenSSL 1.0.1 2.至少升级到PHP 5.6.0 / OpenSSL 1.0.1
Upgrade to at least PHP 5.6.0 , which seems to bring along with it OpenSSL/1.0.1i . 至少升级到PHP 5.6.0 ,它似乎与OpenSSL / 1.0.1i一起提供。 I think at least OpenSSL version 1.0.1 is required to support TLS 1.2, which PayPal requires. 我认为至少要支持PayPal要求的TLS 1.2,才需要OpenSSL版本1.0.1。
3. Save and reference cacert.pem 3.保存并引用cacert.pem
Save cacert.pem from http://curl.haxx.se/docs/caextract.html locally (in my case to c:\\cert ), then update the PHP ini that you're using to reference cacert.pem as shown here . 从http://curl.haxx.se/docs/caextract.html本地保存cacert.pem (在我的情况下为c:\\cert ),然后更新用于引用cacert.pem的PHP ini, 如下所示 。 Using the ini file saves you having to use curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '\\cacert.pem'); 使用ini文件省去了curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '\\cacert.pem'); in every call. 在每个通话中。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.