Centos 5.11 OpenSSL TLS 1.2 for Paypal
Solution 1
Doh, thank you Hakan, so simple.
ldd /usr/local/bin/curl showed the new curl not to be linked to the new OpenSSL (ran out of scroll buffer to copy here).
I re-ran the configure, make and make install of curl:
ldd /usr/local/bin/curl
linux-gate.so.1 => (0xb77be000)
libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xb7764000)
libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb76fe000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb7560000)
libz.so.1 => /lib/libz.so.1 (0xb754d000)
librt.so.1 => /lib/librt.so.1 (0xb7543000)
libc.so.6 => /lib/libc.so.6 (0xb73e7000)
libidn.so.11 => /usr/lib/libidn.so.11 (0xb73b6000)
libdl.so.2 => /lib/libdl.so.2 (0xb73b1000)
libpthread.so.0 => /lib/libpthread.so.0 (0xb7397000)
/lib/ld-linux.so.2 (0xb77bf000)
and it now works:
/usr/local/bin/curl https://tlstest.paypal.com
PayPal_Connection_OK
Thank you!
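The diagnosis in Solution 1 was that the rebuilt curl was still resolving libssl from the system copy. The script below, an added example and not part of the original answer, automates that check in two steps: which libssl a binary actually links to (from ldd), and whether the TLS backend reported by curl --version is new enough for TLS 1.2. The install prefix /usr/local/ssl and the sample ldd and --version lines are constructed from the layout in the answer; the rebuilt curl's version string is an assumption.

```sh
#!/bin/sh
# Added example (not from the original answer): does this curl binary link to the
# rebuilt OpenSSL, and can that backend speak TLS 1.2?
# Assumptions: the rebuilt OpenSSL lives under /usr/local/ssl (as in the answer);
# the sample ldd and --version lines below are constructed, not captured output.

# Given ldd output on stdin, print the path libssl resolves to (empty if none).
libssl_path() {
    awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# Where does that libssl come from? $2 is the rebuilt OpenSSL's prefix
# (assumed /usr/local/ssl, matching the answer).
libssl_origin() {
    path=$1; prefix=${2:-/usr/local/ssl}
    case "$path" in
        "")          echo none ;;      # not linked to libssl at all (e.g. an NSS build)
        "$prefix"/*) echo rebuilt ;;   # the library the answer installed
        *)           echo system ;;    # CentOS 5 ships OpenSSL 0.9.8 as /lib/libssl.so.6
    esac
}

# From the first line of `curl --version` on stdin, print the TLS backend token,
# e.g. OpenSSL/1.0.2k or NSS/3.27.1 (empty if none found).
tls_backend() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++)
                     if ($i ~ /^(OpenSSL|LibreSSL|NSS|GnuTLS)\//) { print $i; exit } }'
}

# Can this backend negotiate TLS 1.2? TLS 1.2 arrived in OpenSSL 1.0.1 and
# NSS 3.15.1. Versions the patterns cannot place are reported as "unknown".
backend_tls12() {
    case "$1" in
        "")                                                     echo none ;;
        OpenSSL/0.*|OpenSSL/1.0.0*)                             echo legacy ;;
        OpenSSL/1.0.[1-9]*|OpenSSL/1.1*|OpenSSL/3*|LibreSSL/*)  echo tls12 ;;
        NSS/3.[2-9][0-9]*)                                      echo tls12 ;;   # NSS 3.20 and later
        *)                                                      echo unknown ;;
    esac
}

# Run both checks against a real binary, e.g. check_curl /usr/local/bin/curl
check_curl() {
    bin=$1
    path=$(ldd "$bin" 2>/dev/null | libssl_path)
    backend=$("$bin" --version 2>/dev/null | tls_backend)
    printf '%s: libssl=%s (%s) backend=%s (%s)\n' "$bin" \
        "${path:-none}" "$(libssl_origin "$path")" \
        "${backend:-none}" "$(backend_tls12 "$backend")"
}

# Constructed samples reproducing the two states described in the answer.
LDD_FIXED='linux-gate.so.1 =>  (0xb77be000)
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xb7764000)
        libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0xb76fe000)
        libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0xb7560000)'
LDD_BROKEN='linux-gate.so.1 =>  (0xb77be000)
        libcurl.so.4 => /usr/local/lib/libcurl.so.4 (0xb7764000)
        libssl.so.6 => /lib/libssl.so.6 (0x00c3f000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00a8a000)'
VERSION_FIXED='curl 7.54.0 (i686-pc-linux-gnu) libcurl/7.54.0 OpenSSL/1.0.2k zlib/1.2.3'
VERSION_CENTOS6='curl 7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2'

if [ $# -gt 0 ]; then
    for bin; do check_curl "$bin"; done
fi
```

Both checks are needed because the soname is not enough on its own: OpenSSL 1.0.0, 1.0.1 and 1.0.2 all install libssl.so.1.0.0, and only 1.0.1 and later offer TLS 1.2, so a library path under /usr/local/ssl proves the link is right while the --version token proves the library is new enough.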
Solution 2
For anyone that has CentOS 5 EOL issues connecting to APIs with newer SSL like TLS 1.2:
I was able to get nginx running as a tunnel proxy in a matter of 30 minutes using this method. It doesn't matter how you connect to your VPS (I do over HTTP) and it supports all SSL cipher suites on the API end.
Here's my nginx default server:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    access_log off;
    # proxy_pass is only valid inside a location block, not directly under server.
    # The hop from the CentOS host to this port is plain HTTP: keep it on a private
    # network and restrict the client IP (allow/deny) so this is not an open relay.
    location / {
        proxy_pass https://someAPIdomain.com;
        proxy_ssl_server_name on;   # send SNI; needed for CDN-fronted upstreams
    }
}
That's it! Remember to restart the nginx service after changing the config. You can, of course, add additional parameters to only allow your CentOS server's IP, change the listening port, and other security/obfuscation measures if you want to.
Kevin W
Updated on September 18, 2022

Comments

Kevin W, almost 2 years ago:
I run a website on a server running Centos 5.11 - EOL now I know but an upgrade is not possible for a while. The website runs the Sellerdeck software which integrates with Paypal for payments.
In the next month or so Paypal will require me to be using TLS 1.2 [1] for connections to them, which is not supported by the default OpenSSL version installed in 5.11 (0.9.8b).
I have followed instructions [2] to install a second version of OpenSSL, and a second version of Curl linked to that new version of OpenSSL, which will support TLS 1.2, but it still doesn't pass the Paypal Test.
Centos 5.11 with OpenSSL 1.0.2k in /usr/local/:
/usr/local/bin/curl https://tlstest.paypal.com
curl: (35) Unknown SSL protocol error in connection to tlstest.paypal.com:443
Centos 6.9 with OpenSSL 1.0.1e-fips:
curl https://tlstest.paypal.com
PayPal_Connection_OK
Can anyone help point me in the right direction as to why the connection is not working with the updated OpenSSL?
Thanks very much
Kevin
Verbose non-working output:
/usr/local/bin/curl -Ivvv https://tlstest.paypal.com
* Rebuilt URL to: https://tlstest.paypal.com/
*   Trying 23.67.159.210...
* Connected to tlstest.paypal.com (23.67.159.210) port 443 (#0)
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.0, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to tlstest.paypal.com:443
* Closing connection 0
curl: (35) Unknown SSL protocol error in connection to tlstest.paypal.com:443
Verbose working output:
curl -Ivvv https://tlstest.paypal.com
* About to connect() to tlstest.paypal.com port 443 (#0)
*   Trying 23.214.50.150... connected
* Connected to tlstest.paypal.com (23.214.50.150) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
*   subject: CN=tlstest.paypal.com,OU=CDN Support,O="PayPal, Inc.",STREET=2211 N 1st St,L=San Jose,ST=California,postalCode=95131-2021,C=US,serialNumber=3014267,businessCategory=Private Organization,incorporationState=Delaware,incorporationCountry=US
*   start date: Nov 06 00:00:00 2015 GMT
*   expire date: Oct 26 23:59:59 2017 GMT
*   common name: tlstest.paypal.com
*   issuer: CN=Symantec Class 3 EV SSL CA - G3,OU=Symantec Trust Network,O=Symantec Corporation,C=US
> HEAD / HTTP/1.1
> User-Agent: curl/7.19.7 (i386-redhat-linux-gnu) libcurl/7.19.7 NSS/3.27.1 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: tlstest.paypal.com
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 20
Content-Length: 20
< Date: Sat, 06 May 2017 12:58:47 GMT
Date: Sat, 06 May 2017 12:58:47 GMT
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host tlstest.paypal.com left intact
* Closing connection #0