My PayPal script suddenly stopped verifying the SSL certificate


Problem description

So my script (IPN listeners, API calls, etc) was working fine but suddenly started throwing an error about being unable to verify the SSL certificate. This is my error (PHP CURL shown)


SSL connect error

Why did it stop working?

Recommended answer

Last year, PCI-DSS 3.1 came out and there was a major change for all people processing credit cards. Specifically, there was a mandate that all processing had to be done on TLS 1.1 or later only. The original sunset date was June 30, 2016, but that was postponed to June 30, 2018


The Payment Card Industry Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

Now, while this reprieve gives you, the programmer, some room to breathe in regards to your front end, it still means that moving to TLS 1.1+ is not optional (in fact I would move sooner if I were you) and that some intermediate card processing will start moving sooner than that. PayPal, as it turns out, is one of those moving in regards to its websites


TLS 1.2 Upgrade

The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal is enabling support for TLS 1.2 for all secure connections and in 2016 will start requiring its use. You will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections on June 17, 2016. After that date, all TLS v1.0 and TLS v1.1 API connections will be refused.

Now, in theory, your old script (provided you're not storing PayPal's public key) should operate just fine but Sandbox (which has already moved to this) communications are already starting to fail. What I've found is that, for a variety of reasons, some communication layers (notably CURL in PHP, a very common way to talk to PayPal) cannot negotiate properly with PayPal anymore. Thus, you get the cryptic error


SSL connect error

Thanks CURL. That was helpful... (not)

So how do we work around this? Well, if we tell CURL to only use TLS 1.2 your calls to PayPal should start working again without issues. If you're using PHP and CURL you can do it by adding this line (where $ch is your CURL handler)

curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Force TLS 1.2

This change is perfectly safe to use with both Sandbox and Live calls to PayPal.
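
The setting from the answer in context, as an added example that is not part of the original answer: it forces TLS 1.2 on a cURL handle while leaving certificate and hostname verification on, and checks curl_version() output for builds too old to negotiate TLS 1.2. The function names and the two sample version arrays are constructed for illustration; the thresholds used (libcurl 7.34.0, OpenSSL 1.0.1) are the releases that introduced TLS 1.2 support.

```php
<?php
// Added example, not from the original answer. Decide from curl_version()
// output whether this PHP/cURL build can negotiate TLS 1.2 at all.
function tls12_problems(array $cv)
{
    $problems = [];
    // libcurl gained the CURL_SSLVERSION_TLSv1_2 option value in 7.34.0.
    if (version_compare($cv['version'], '7.34.0', '<')) {
        $problems[] = "libcurl {$cv['version']} is older than 7.34.0";
    }
    // OpenSSL gained TLS 1.1/1.2 in 1.0.1; other backends are not judged here.
    if (preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $cv['ssl_version'], $m)) {
        if (version_compare($m[1], '1.0.1', '<')) {
            $problems[] = "OpenSSL {$m[1]} has no TLS 1.2 support";
        }
    } else {
        $problems[] = "backend '{$cv['ssl_version']}' not checked, verify it by hand";
    }
    return $problems;
}

// Build a handle that requires TLS 1.2 and still verifies the certificate.
function tls12_handle($url)
{
    $ch = curl_init($url);
    // Same value as the literal 6 in the answer, when the constant exists.
    $tls12 = defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6;
    curl_setopt($ch, CURLOPT_SSLVERSION, $tls12);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true); // keep chain validation on
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);    // keep hostname check on
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed sample inputs shaped like curl_version() results.
$samples = [
    'old host'     => ['version' => '7.19.7', 'ssl_version' => 'OpenSSL/0.9.8e'],
    'current host' => ['version' => '7.47.0', 'ssl_version' => 'OpenSSL/1.0.2g'],
    'this host'    => curl_version(),
];
foreach ($samples as $name => $cv) {
    $p = tls12_problems($cv);
    echo $name, ': ', $p ? implode('; ', $p) : 'TLS 1.2 capable', PHP_EOL;
}
```

If the check reports a problem for "this host", setting CURLOPT_SSLVERSION alone will not help; the cURL or TLS library has to be upgraded first.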
