
PayPal sandbox API SSL error after TLS 1.2 upgrade errno 54


Not sure if this is the best place to ask, but after the TLS 1.2 upgrade PayPal made on June 30, 2017, I'm unable to use their sandbox NVP endpoint: https://api-3t.sandbox.paypal.com/nvp

The live API https://api-3t.paypal.com/nvp works as expected:

~ % curl "https://api-3t.paypal.com/nvp?user=whatever"
ACK=Failure&L_ERRORCODE0=81002&L_SHORTMESSAGE0=Unspecified%20Method&L_LONGMESSAGE0=Method%20Specified%20is%20not%20Supported&L_SEVERITYCODE0=Error

I get a response body from the server.

But if I try the same request with the sandbox I get:

~ % curl "https://api-3t.sandbox.paypal.com/nvp?user=whatever"
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54

I've tried several combinations of forcing TLS 1.2 and insecure connections but they don't make a difference. Here's a verbose output:

~ % curl --insecure --tlsv1.2 -v "https://api-3t.sandbox.paypal.com/nvp?user=whatever"
*   Trying 173.0.82.83...
* TCP_NODELAY set
* Connected to api-3t.sandbox.paypal.com (173.0.82.83) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/local/share/curl/curl-ca-bundle.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production; CN=api-3t.sandbox.paypal.com
*  start date: Jan 14 00:00:00 2016 GMT
*  expire date: Jan 14 23:59:59 2018 GMT
*  issuer: C=US; O=Symantec Corporation; OU=Symantec Trust Network; CN=Symantec Class 3 Secure Server CA - G4
*  SSL certificate verify ok.
> GET /nvp?user=whatever HTTP/1.1
> Host: api-3t.sandbox.paypal.com
> User-Agent: curl/7.54.1
> Accept: */*
>
* OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54
* Closing connection 0
curl: (56) OpenSSL SSL_read: SSL_ERROR_SYSCALL, errno 54

I'm on macOS and have tried upgrading OpenSSL and cURL with MacPorts; I get the same behaviour in php70-curl, which is also up to date with OpenSSL 1.0.2l. Also the same behaviour after quickly checking on a FreeBSD machine with OpenSSL 1.0.2k:

* SSL read: error:00000000:lib(0):func(0):reason(0), errno 54
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (56) SSL read: error:00000000:lib(0):func(0):reason(0), errno 54

Any help is really appreciated.


Solution

  • Fixed by using POST instead of GET as noted in https://www.paypal.com/au/webapps/mpp/merchant-security-roadmap and https://www.paypal.com/au/webapps/mpp/discontinuation-get-method

    Also had to pass my POST data as application/x-www-form-urlencoded
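
The fix described in the answer, sketched in Python as an added example (not code from the original post or from PayPal): the NVP fields move from the query string into an application/x-www-form-urlencoded POST body, TLS 1.2 is the minimum version, and certificate verification stays on. The function names are hypothetical, and `user=whatever` is the placeholder field from the question; a real call needs whatever fields the NVP API requires.

```python
import ssl
import urllib.parse
import urllib.request

# Sandbox endpoint quoted in the question.
SANDBOX_NVP = "https://api-3t.sandbox.paypal.com/nvp"

# Response body shown in the question for the live endpoint.
SAMPLE_RESPONSE = (
    "ACK=Failure&L_ERRORCODE0=81002&L_SHORTMESSAGE0=Unspecified%20Method"
    "&L_LONGMESSAGE0=Method%20Specified%20is%20not%20Supported"
    "&L_SEVERITYCODE0=Error"
)

def build_nvp_post(url, fields):
    """Build a POST request with the fields form-encoded in the body, not the URL."""
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )

def tls12_context():
    """Default verification (CA chain + hostname), refusing anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def parse_nvp(text):
    """Decode an NVP response body (URL-encoded name=value pairs) into a dict."""
    return dict(urllib.parse.parse_qsl(text, keep_blank_values=True))

def call_nvp(url, fields, timeout=15):
    """Send the POST over the TLS 1.2+ context and return the parsed response."""
    req = build_nvp_post(url, fields)
    with urllib.request.urlopen(req, timeout=timeout, context=tls12_context()) as resp:
        return parse_nvp(resp.read().decode("utf-8"))

if __name__ == "__main__":
    # Offline demonstration: inspect the request and decode the sample response.
    req = build_nvp_post(SANDBOX_NVP, {"user": "whatever"})
    print(req.get_method(), req.full_url, req.data)
    for name, value in parse_nvp(SAMPLE_RESPONSE).items():
        print(f"{name} = {value}")
```

Unlike the `--insecure` run in the question, `tls12_context()` leaves certificate and hostname checks enabled, so a handshake failure surfaces as an error instead of being bypassed.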