Error:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Solution 1
TL;TR: your software is too old to support these servers.
Both servers support TLS 1.2 only as can be seen when checking with SSLLabs. Your OpenSSL version is 1.0.0s which does not support TLS 1.2 yet. Support is only available since 1.0.1.
my server have these certificates ...
The setup of your web server (i.e. certificates, TLS versions...) are not relevant because in this case you are the client connecting to some other server.
Solution 2
Your server may support TLS 1.2, but you need to make sure the HTTP requests are actually using it. Based on your result you're getting, you apparently are not using TLS 1.2 with the requests.
Try adding this to your cURL options:
curl_setopt($ch, CURLOPT_SSLVERSION, 6);
That will force TLS 1.2.
Alternatively, get your server software stack updated and this will happen automatically. See this post for more details, most importantly this part:
If you want to use TLS 1.2 you’ll need to upgrade to OpenSSL 1.0.1 as a minimum, and then you’ll be able to set CURLOPT_SSLVERSION to 6 (TLS 1.2).
If you want TLS 1.2 to be used automatically during SSL requests, you’ll also need to upgrade to PHP 5.5.19+ (this is the ideal solution but many projects are still on older PHP versions).
Raza Saleem
Updated on November 29, 2020Comments
-
Raza Saleem over 3 years
$ch = curl_init(); $clientId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; $secret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; curl_setopt($ch, CURLOPT_URL, "https://api.sandbox.paypal.com/v1/oauth2/token"); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,false); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_USERPWD, $clientId.":".$secret); curl_setopt($ch, CURLOPT_POSTFIELDS, "grant_type=client_credentials"); $result = curl_exec($ch); if (curl_errno($ch)) { echo 'Error:' . curl_error($ch); } curl_close ($ch);
this code working on localhost but when i am testing on my live server it will give me this error Error:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure then i tried this
<?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "https://tlstest.paypal.com/"); curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem'); var_dump(curl_exec($ch)); if ($err = curl_error($ch)) { var_dump($err); echo "DEBUG INFORMATION:\n###########"; echo "CURL VERSION"; echo json_encode(curl_version(), JSON_PRETTY_PRINT); }?>
github.com/paypal/TLS-update/tree/master/php this will again work on localhost and on live it gives me this
error bool(false) string(67) "Unknown SSL protocol error in connection to tlstest.paypal.com:443 " DEBUG INFORMATION: ###########CURL VERSION
my server have these certificates
Server Key and Certificate #1
Subject *.secure.xxxxxxxx.com Fingerprint SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx Pin SHA256: S4/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Common names *.secure.xxxxxxxx.com MISMATCH Alternative names *.secure.xxxxxxx.com Key RSA 2048 bits (e 65537) Weak key (Debian) No Issuer Symantec Class 3 Secure Server CA - G4 AIA: xxxxxxx/ss.crt Signature algorithm SHA256withRSA Extended Validation No Certificate Transparency Yes (certificate) OCSP Must Staple No Revocation information CRL, OCSP CRL: xxxxxx/ss.crl OCSP: xxxxxxxxx Revocation status Good (not revoked) Trusted No NOT TRUSTED (Why?)
#2
Subject Symantec Class 3 Secure Server CA - G4 Fingerprint SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Pin SHA256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Key RSA 2048 bits (e 65537) Issuer VeriSign Class 3 Public Primary Certification Authority - G5 Signature algorithm SHA256withRSA
#3
Subject VeriSign Class 3 Public Primary Certification Authority - G5 Fingerprint SHA1: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Pin SHA256: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Key RSA 2048 bits (e 65537) Issuer VeriSign, Inc. / Class 3 Public Primary Certification Authority Signature algorithm SHA1withRSA WEAK **Protocols** TLS 1.2 Yes TLS 1.1 Yes TLS 1.0 Yes SSL 3 No SSL 2 No
checked requirements at