  1. #41
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    Quote, originally posted by mprough:
        PP tech support told me it's only a 24 hr reprieve

    That wouldn't surprise me.

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

  2. #42
    Join Date
    Feb 2007
    Location
    Pennsylvania
    Posts
    806
    Plugin Contributions
    0

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    thank you

  3. #43
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    I've done some quick and dirty testing using Wireshark to analyze the SSL handshake.

    The results seem to suggest that these 3 scenarios are all similar, e.g. using
    curl_setopt($ch, CURLOPT_SSLVERSION, 1);
    curl_setopt($ch, CURLOPT_SSLVERSION, 4);
    or in fact removing the curl_setopt($ch, CURLOPT_SSLVERSION, n); line completely
    will force version negotiation and curl will then use TLS.

    It should be noted that the PHP documentation is pretty poor on this, suggesting that only 2 and 3 are valid options for CURLOPT_SSLVERSION but that given no version PHP will negotiate for the most recent version, e.g. TLS v1.2.

    As has been noted, PayPal seems to have re-added SSL v3 to their main live endpoint, while their sandbox is blocking SSL v3.
    This may be because they gave no notice, and have had mega complaints. It's still likely they will turn off SSL v3 on the live endpoints soon.

    At this point, the advice DrByte posted in the release announcements should still be followed:
    http://www.zen-cart.com/showthread.p...yment-security

    We will of course update that based on any further information.

  4. #44
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    To add a point of clarity, for those technically-minded, here are currently-valid SSL/TLS versions, listed from most-secure to least-secure:

    Best to worst:
    TLS 1.2 (best choice today)
    TLS 1.1
    TLS 1.0
    SSL 3.0 (has the POODLE vulnerability)
    SSL 2.0 (generally not recommended, and typically not even available in modern webservers)
    SSL 1 (obsolete, no longer offered)

    So, what wilt and I have been investigating is the net impact against performance based on the code changes I've been posting about.

    And, so reading between the lines from wilt's post above, what we're seeing is that if one sets CURLOPT_SSLVERSION to 2 or 3, it will try SSL 2.0 or SSL 3.0, respectively, but if one comments-out the CURLOPT_SSLVERSION then the best TLS (or SSL if no TLS versions can be negotiated) will be selected.

    (Admittedly we've also confirmed that setting CURLOPT_SSLVERSION to 1 does cause it to jump to autonegotiating a TLS version, but we'd like to do more research before recommending a specific value, since specifying a value like 5 or higher actually causes errors.)

    Hope that helps answer questions for those who are curious.
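The behaviour reported in posts #43 and #44 above (2 or 3 pins SSL 2.0 or SSL 3.0, 1 or 4 negotiated TLS in the posters' tests, a commented-out line leaves negotiation to cURL) can be checked against a module's source. This is an added example, not part of the thread and not Zen Cart code; the function names and the sample source are constructed for illustration, and it also covers the `curl_setopt_array()` form, which the thread does not mention.

```php
<?php
// Added example (not Zen Cart code); verdicts restate this thread's findings only.
function classify_sslversion(array $tok): string
{
    if ($tok[0] !== T_LNUMBER) {
        return 'review: value is not an integer literal';
    }
    switch ((int) $tok[1]) {
        case 2:  return 'FAIL: pins SSL 2.0';
        case 3:  return 'FAIL: pins SSL 3.0 (POODLE)';
        case 1:
        case 4:  return "ok: negotiated TLS in the thread's tests";
        default: return 'review: not a value the thread found to work';
    }
}

function audit_sslversion(string $source): array
{
    // token_get_all() tells comments from code, so a commented-out setting is not reported.
    $skip = [T_COMMENT, T_DOC_COMMENT, T_WHITESPACE];
    $code = array_values(array_filter(token_get_all($source), function ($t) use ($skip) {
        return !is_array($t) || !in_array($t[0], $skip, true);
    }));
    $findings = [];
    foreach ($code as $i => $t) {
        if (!is_array($t) || $t[1] !== 'CURLOPT_SSLVERSION') {
            continue;
        }
        $sep = $code[$i + 1] ?? null; // "," in curl_setopt(), "=>" in an options array
        $val = $code[$i + 2] ?? null;
        $isSep = $sep === ',' || (is_array($sep) && $sep[0] === T_DOUBLE_ARROW);
        if ($isSep && is_array($val)) {
            $findings[] = [$t[2], $val[1], classify_sslversion($val)];
        }
    }
    return $findings;
}

// Constructed sample input, not taken from any real module.
$sample = <<<'PHP'
<?php
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
// curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl_setopt($ch, CURLOPT_SSLVERSION, 1);
curl_setopt_array($ch, [CURLOPT_SSLVERSION => 2]);
PHP;
foreach (audit_sslversion($sample) as [$line, $value, $verdict]) {
    printf("line %d: value %s -> %s\n", $line, $value, $verdict);
}
```

To audit a real file, pass `file_get_contents()` of that file to `audit_sslversion()` in place of the sample string.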

  5. #45
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    Further, PayPal has posted today that they will (shortly) fully remove SSLv3 support from their servers ... so commenting-out the CURLOPT_SSLVERSION will be necessary ASAP.

    Ref: https://www.paypal-community.com/t5/...LE/ba-p/891829

  6. #46
    Join Date
    Jun 2003
    Location
    Newcastle UK
    Posts
    2,896
    Blog Entries
    2
    Plugin Contributions
    2

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    We have also turned off SSL v3 support to the forum. This really shouldn't affect your experience in the forum, as content is negotiated via your browser.
    Last edited by wilt; 15 Oct 2014 at 11:47 PM.

  7. #47
    Join Date
    Nov 2008
    Posts
    196
    Plugin Contributions
    0

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    I also use paypal payments standard. I just tested my site, and made a purchase with paypal and made a purchase with authorize.net credit card, and everything is working fine. Do you know why I would not be affected? Is it because I am using website payments standard?

    What fix should people with paypal payments standard do? And we should do it even though there is no error??

  8. #48
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    Quote, originally posted by WiccanWitch420:
        I also use paypal payments standard. I just tested my site, and made a purchase with paypal and made a purchase with authorize.net credit card, and everything is working fine. Do you know why I would not be affected? Is it because I am using website payments standard?

        What fix should people with paypal payments standard do? And we should do it even though there is no error??

    Yes, make the change anyway. PayPal will be re-imposing the change they backed-out earlier today.

  9. #49
    Join Date
    Nov 2008
    Posts
    196
    Plugin Contributions
    0

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    Quote, originally posted by DrByte:
        Yes, make the change anyway. PayPal will be re-imposing the change they backed-out earlier today.

    But earlier today when everyone's site was not working with it, mine was. So I just want to clarify that since I only use website payments standard, that I need to do it, because I don't think it affects me. And if I need to do something, what do I need to do for the web standard?

  10. #50
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: PayPal Error (35) error:1408F10B SSL3_GET_RECORD:wrong version number

    While Zen Cart's implementation of PayPal Standard is not directly affected by this, I strongly believe you SHOULD STILL APPLY THE CHANGE, as it helps keep your site future-proofed and therefore more secure.

Zen-Cart, Internet Selling Services, Klamath Falls, OR