I've been dealing with web service APIs for years now using PHP and cURL for HTTP requests. I've never had to think about too much when it comes to that until now with this POODLE vulnerability that has come to light recently, and now everybody (i.e. web service providers) is officially disabling SSLv3 on their servers, which wound up causing some of my PHP products that are communicating with these services to fail.
I first noticed the problem when PayPal disabled SSLv3 on their sandbox servers, so all of my API calls were resulting in a curl_error() getting returned:
3 alert handshake failure"
All of the research I found says to use TLS instead of SSL, and I was instructed by many different guides (including PayPal's) to set my cURL options to use TLSv1. As such, I updated my PHP solutions so that cURL is set up with these options:
curl_setopt($curl, CURLOPT_VERBOSE, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
curl_setopt($curl, CURLOPT_URL, $this->EndPointURL);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $Request);
This worked for me on my server, so I pushed an update to my tools, and lots of clients began updating their websites. Unfortunately, the fix doesn't seem to be working for everybody, and I can't get a handle on it.
I came across this thread which explains that TLS didn't work in cURL until version 7.36.0. I am indeed running 7.36.0 on my server, and I did have some people on previous versions get in touch with me about the fact that the update was not working for them.
I've been telling people that they need to have at least 7.36.0 of cURL, but now that's not always working. I just now had somebody on 7.38.0 that was getting this error with the TLS options included in the cURL setup: "Unknown cipher in list: TLSv1"
I simply removed the new TLS options I had added in cURL, and now it's working fine from his server.
So at this point I'm extremely confused and I have no idea what I'm supposed to do to get this working for everybody regardless of what version of cURL they're running. I've seen a wide range of cURL versions in the short period of time I've been trying to deal with this.
Any information on this would be greatly appreciated. Thanks!
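An added example, not part of the original post: CURLOPT_SSL_CIPHER_LIST takes cipher names in the syntax of whichever TLS library libcurl was built against, so a string such as 'TLSv1' that one build accepts can be rejected by another, while CURLOPT_SSLVERSION is the option that selects the protocol. The sketch below pins the protocol only, keeps certificate verification on, and reports the local TLS backend; the function names, the sample version arrays and the endpoint are assumptions made for illustration.

```php
<?php
// Added illustration; helper names and sample data are hypothetical.

/** TLS options that do not depend on which TLS library libcurl uses. */
function buildTlsOptions()
{
    // libcurl's numeric value for CURL_SSLVERSION_TLSv1 is 1; fall back to
    // it when the PHP build does not define the named constant.
    $tls1 = defined('CURL_SSLVERSION_TLSv1') ? CURL_SSLVERSION_TLSv1 : 1;

    return array(
        CURLOPT_SSLVERSION     => $tls1, // TLS 1.x only, SSLv3 is never offered
        CURLOPT_SSL_VERIFYPEER => true,  // validate the server certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,     // and that it matches the host name
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        // CURLOPT_SSL_CIPHER_LIST is intentionally not set: it is a list of
        // cipher names, not a protocol selector.
    );
}

/** Summarise a curl_version() array for a support ticket or log line. */
function describeBuild(array $info)
{
    $backend = empty($info['ssl_version']) ? 'none' : $info['ssl_version'];
    // These libraries parse OpenSSL-style cipher strings; others use their own names.
    $opensslSyntax = (bool) preg_match('/^(openssl|libressl|boringssl)/i', $backend);

    return sprintf(
        'libcurl %s, TLS backend %s: cipher list uses %s',
        isset($info['version']) ? $info['version'] : 'unknown',
        $backend,
        $opensslSyntax ? 'OpenSSL cipher-string syntax' : 'backend-specific cipher names'
    );
}

// Constructed sample data in the shape curl_version() returns.
$samples = array(
    array('version' => '7.36.0', 'ssl_version' => 'OpenSSL/1.0.1e'),
    array('version' => '7.38.0', 'ssl_version' => 'NSS/3.16.2'),
);
foreach ($samples as $sample) {
    echo describeBuild($sample), PHP_EOL;
}

// Applying the options on the machine this runs on (placeholder endpoint).
echo describeBuild(curl_version()), PHP_EOL;
$curl = curl_init('https://api.example.invalid/');
curl_setopt_array($curl, buildTlsOptions());
```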