My PayPal script suddenly stopped verifying SSL certificates

2021-12-29 00:00:00 ssl curl php paypal paypal-ipn

So my script (IPN listeners, API calls, etc) was working fine but suddenly started throwing an error about being unable to verify the SSL certificate. This is my error (PHP CURL shown)

SSL connect error

Why did it stop working?

Recommended answer

Last year, PCI-DSS 3.1 came out and there was a major change for all people processing credit cards. Specifically, there was a mandate that all processing had to be done on TLS 1.1 or later only. The original sunset date was June 30, 2016, but that was postponed to June 30, 2018.

The Payment Card Industry Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

Now, while this reprieve gives you, the programmer, some room to breathe in regards to your front end, it still means that moving to TLS 1.1+ is not optional (in fact I would move sooner if I were you) and that some intermediate card processing will start moving sooner than that. PayPal, as it turns out, is one of those moving in regards to its websites:

TLS 1.2 Upgrade

The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal is enabling support for TLS 1.2 for all secure connections and in 2016 will start requiring its use. You will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections on June 17, 2016. After that date, all TLS v1.0 and TLS v1.1 API connections will be refused.

Now, in theory, your old script (provided you're not storing PayPal's public key) should operate just fine, but Sandbox (which has already moved to this) communications are already starting to fail. What I've found is that, for a variety of reasons, some communication layers (notably CURL in PHP, a very common way to talk to PayPal) cannot negotiate properly with PayPal anymore. Thus, you get the cryptic error:

SSL connect error

Thanks CURL. That was helpful... (not)

So how do we work around this? Well, if we tell CURL to only use TLS 1.2, your calls to PayPal should start working again without issues. If you're using PHP and CURL, you can do it by adding this line (where $ch is your CURL handler):

curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Force TLS 1.2

This change is perfectly safe to use with both Sandbox and Live calls to PayPal.
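
Added example (not part of the original answer): a PHP script that reports whether the local libcurl/OpenSSL build can negotiate TLS 1.2 at all, then makes a request with TLS 1.2 required and certificate verification left on. The function names and the command-line URL argument are assumptions made for illustration.

```php
<?php
// Added example, not from the original answer; function names are hypothetical.

/** Describe the local libcurl build and whether it can negotiate TLS 1.2 at all. */
function tls12_capability(): array
{
    $v = curl_version();
    $backend = $v['ssl_version'] ?? '';   // e.g. "OpenSSL/1.0.1e"
    // libcurl accepts CURL_SSLVERSION_TLSv1_2 from 7.34.0 onwards.
    $curlOk = version_compare($v['version'], '7.34.0', '>=');
    // OpenSSL gained TLS 1.2 in 1.0.1; other backends are not judged here.
    $sslOk = true;
    if (preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $backend, $m)) {
        $sslOk = version_compare($m[1], '1.0.1', '>=');
    }
    return ['curl' => $v['version'], 'backend' => $backend,
            'tls12_possible' => $curlOk && $sslOk];
}

/** Build a handle that requires TLS 1.2 and keeps certificate checks enabled. */
function tls12_handle(string $url)
{
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    // 6 is the value of CURL_SSLVERSION_TLSv1_2, for PHP builds without the constant.
    $tls12 = defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6;
    curl_setopt_array($ch, [
        CURLOPT_SSLVERSION     => $tls12,
        CURLOPT_SSL_VERIFYPEER => true,   // never disable this to silence the error
        CURLOPT_SSL_VERIFYHOST => 2,      // certificate must match the host name
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => 10,
    ]);
    return $ch;
}

// Usage: php tls12_check.php <https-url-of-the-endpoint-you-call>
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    print_r(tls12_capability());
    $ch = tls12_handle($argv[1]);
    if (curl_exec($ch) === false) {
        // errno 35 (CURLE_SSL_CONNECT_ERROR) is the "SSL connect error" above
        fprintf(STDERR, "cURL error %d: %s\n", curl_errno($ch), curl_error($ch));
        exit(1);
    }
    echo 'TLS handshake OK, HTTP ', curl_getinfo($ch, CURLINFO_HTTP_CODE), "\n";
}
```

If `tls12_possible` is false, setting `CURLOPT_SSLVERSION` cannot help; the server's libcurl or OpenSSL package has to be upgraded first.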