
'PPConnectionException' exception is thrown in PayPal adaptive Payment 'Pay' request

I have integrated PayPal adaptive payments in one of my WordPress plugins. My functionality is fully ready and was working well till yesterday. However, when I started final testing, I got stuck with this exception -

PPConnectionException Object ( [url:PPConnectionException:private] => https://svcs.sandbox.paypal.com/AdaptivePayments/Pay [data:PPConnectionException:private] => [message:protected] => error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number 
........) //I am just pasting necessary piece of error to understand the problem

I have used this library - https://github.com/paypal/adaptivepayments-sdk-php

I am testing it under sandbox environment.

The problem seems to be with OpenSSL or cURL.

I searched for the solution a lot but did not find any helpful answer.

I am also pasting a sample code below (this is for 'parallel' payment method, but neither this nor other methods work) -

require_once('../PPBootStrap.php');
require_once('../Common/Constants.php');
define("DEFAULT_SELECT", "- Select -");

if(isset($_POST['receiverEmail'])) {
    $receiver = array();
    /*
     * A receiver's email address 
     */
    for($i=0; $i<count($_POST['receiverEmail']); $i++) {
        $receiver[$i] = new Receiver();
        $receiver[$i]->email = $_POST['receiverEmail'][$i];
        /*
         *      Amount to be credited to the receiver's account 
         */
        $receiver[$i]->amount = $_POST['receiverAmount'][$i];
        /*
         * Set to true to indicate a chained payment; only one receiver can be a primary receiver. Omit this field, or set it to false for simple and parallel payments. 
         */
        $receiver[$i]->primary = $_POST['primaryReceiver'][$i];

    }
    $receiverList = new ReceiverList($receiver);
}

$payRequest = new PayRequest(new RequestEnvelope("en_US"), $_POST['actionType'], $_POST['cancelUrl'], $_POST['currencyCode'], $receiverList, $_POST['returnUrl']);
// Add optional params

if($_POST["memo"] != "") {
    $payRequest->memo = $_POST["memo"];
}

$service = new AdaptivePaymentsService(Configuration::getAcctAndConfig());
try {
    /* wrap API method calls on the service object with a try catch */
    $response = $service->Pay($payRequest);
} catch(Exception $ex) {
    require_once '../Common/Error.php';
     /*******
    ***************************************************
    PLEASE NOTE: the code is breaking here, an exception is thrown
    ***************************************************
    *******/ 
    exit;
}

$_POST data are passed from another file.

I have integrated the above code in my plugin (in the WordPress way). In fact, if I run the above functionality directly in a separate PHP file, even that does not work. So, it's clear that the problem is something else. The problem seems to be with the connection between PayPal and my server. I don't understand it: everything was working till yesterday, but it has suddenly stopped working. Also, nothing related to OpenSSL, cURL or PHP has been updated on my server.

Any help would be greatly appreciated. Thanks !!!

EDIT:

Changing the OpenSSL version number solves the issue. However, I am still concerned about which of version numbers 1 and 4 is proper and will work in future. Also, is there any security concern when changing the value from 3 to something else? If anyone could clarify this, it would be great. Thanks again.

I had the same problem. Seems as though PayPal made some changes yesterday in response to a security issue. Downloading the new version of the PayPal PHP SDK that was just released should fix it.

https://github.com/paypal/rest-api-sdk-php/releases/tag/v0.13.1

When I make any of the following change in the PPHttpConfig.php file, it works -

CURLOPT_SSLVERSION => 4

OR

CURLOPT_SSLVERSION => 1

2 doesn't work and 3 throws exception.

I am keeping version number 1 for now, as I can see that version number 3 is replaced by 1 in the link shared by @Phil.

I have also edited my answer for one more small query. If anyone could answer that, it would be great.

The security issue is the now infamous POODLE attack which makes SSLv3 totally insecure.

From the cURL source, you can see what the values mean (// comments mine):

enum {  
    CURL_SSLVERSION_DEFAULT, // 0, probably good
    CURL_SSLVERSION_TLSv1,   // 1, works
    CURL_SSLVERSION_SSLv2,   // 2, insecure
    CURL_SSLVERSION_SSLv3,   // 3, insecure

    CURL_SSLVERSION_LAST /* never use, keep last */  // 4
};

Thus 1 means TLSv1 and as the comment says "never use", 1 is probably better than 4, and maybe 0 is better than 1 because it may try to use TLSv1 (or TLSv1.x or whatever comes default in future cURL versions).

However, I haven't tested 0 on multiple systems, and using the "default" SSL / TLS protocol version might mean SSLv3 instead of the latest and greatest and thus could not work, so YMMV.
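An added example, not part of the original answers or the PayPal SDK: a small PHP audit that names the raw `CURLOPT_SSLVERSION` values tried in this thread and replaces SSLv2/SSLv3 or invalid pins with the named constant `CURL_SSLVERSION_TLSv1`. The function names and the sample option array are hypothetical; the exact-version selectors (4 to 7) and the libcurl releases that introduced them are taken from libcurl itself, which is why a raw integer such as 4 can mean different things on different builds.

```php
<?php
// Added example (not from the SDK or the answers). Requires ext-curl.

/** Classify a raw CURLOPT_SSLVERSION value for a given libcurl version number. */
function classifySslVersion(int $value, int $libcurl): array
{
    switch ($value) {
        case CURL_SSLVERSION_DEFAULT: return ['DEFAULT', 'ok', 'libcurl picks the protocol'];
        case CURL_SSLVERSION_TLSv1:   return ['TLSv1', 'ok', 'TLS 1.0 or later'];
        case CURL_SSLVERSION_SSLv2:   return ['SSLv2', 'insecure', 'obsolete protocol'];
        case CURL_SSLVERSION_SSLv3:   return ['SSLv3', 'insecure', 'broken by POODLE'];
    }
    // Exact-version selectors and the libcurl release that introduced each one.
    // On older builds, 4 is CURL_SSLVERSION_LAST, the enum terminator quoted above.
    $exact = [
        4 => ['TLSv1_0', 0x072200], // 7.34.0
        5 => ['TLSv1_1', 0x072200],
        6 => ['TLSv1_2', 0x072200],
        7 => ['TLSv1_3', 0x073400], // 7.52.0
    ];
    if (isset($exact[$value]) && $libcurl >= $exact[$value][1]) {
        return [$exact[$value][0], 'pinned', 'exact version; meaning depends on the libcurl build'];
    }
    return ['UNKNOWN', 'invalid', 'not a protocol selector in this libcurl'];
}

/** Return [findings, options]; insecure or invalid pins are replaced by TLSv1. */
function auditCurlOpts(array $opts, int $libcurl): array
{
    $findings = [];
    if (array_key_exists(CURLOPT_SSLVERSION, $opts)) {
        $raw = (int) $opts[CURLOPT_SSLVERSION];
        [$name, $status, $why] = classifySslVersion($raw, $libcurl);
        $findings[] = "CURLOPT_SSLVERSION=$raw ($name): $status, $why";
        if ($status === 'insecure' || $status === 'invalid') {
            $opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1; // named constant, not a magic number
        }
    }
    return [$findings, $opts];
}

// Constructed sample shaped like an SDK default-options array (not the SDK's actual file).
$sample  = [CURLOPT_SSLVERSION => 3, CURLOPT_RETURNTRANSFER => true, CURLOPT_TIMEOUT => 60];
$libcurl = curl_version()['version_number'];
foreach ([3, 2, 4, 1] as $v) {           // the four values tried in the thread
    $sample[CURLOPT_SSLVERSION] = $v;
    [$findings, $fixed] = auditCurlOpts($sample, $libcurl);
    echo $findings[0], ' -> ', $fixed[CURLOPT_SSLVERSION], PHP_EOL;
}
```

Run it with the PHP CLI on the server in question; the line printed for value 4 depends on the installed libcurl version reported by `curl_version()`.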
