PayPal SSL Error – POODLE Vulnerability

by | Last Updated Nov 22, 2018 | Published on Nov 5, 2014 | Blog, WooCommerce | 2 comments

What is POODLE?

POODLE is an internet security vulnerability that impacts the Secure Sockets Layer (SSL) 3.0 protocol, which was designed to ensure secure connections when browsing the Internet.  When exploited, this vulnerability enables a cyber criminal to gain access to connections considered secure via this widespread (but 15-year-old) security protocol.

How are Service Providers Responding?

PayPal, Facebook, Twitter, Google, Amazon, and pretty much all the service providers out there will be completely disabling SSL 3.0 support with their web service API’s.  Many of these companies have already done so, while others are providing a little bit more time for software developers and solution providers to make the necessary changes. PayPal has already disabled SSLv3 on their sandbox (testing) servers, and as of 1/19/2016 they are now requiring TLS 1.2, which is causing lots of people to run into this problem if they weren’t aware and are not prepared.

Quickest Solution to the PayPal SSL Error Problem?

Contact your web hosting provider and let them know you are getting SSL errors when making HTTP requests because the services you are using require TLS 1.2 due to the POODLE vulnerability.  That should be enough for them to know what’s going on and they can get it fixed for you.

Web Server Software Stack Details

Here’s What You Need!

  • cURL 7.29 or higher
  • OpenSSL 1.0.1 or higher
  • PHP 5.5.19 or higher

As of 01.19.2016 PayPal now supports only TLS 1.2 on the sandbox.

If you want to use TLS 1.2 you’ll need to upgrade to OpenSSL 1.0.1 as a minimum, and then you’ll be able to set CURLOPT_SSLVERSION to 6 (TLS 1.2).  You will also need cURL 7.29+.

If you want TLS 1.2 to be used automatically during SSL requests, you’ll also need to upgrade to PHP 5.5.19+ (this is the ideal solution but many projects are still on older PHP versions).

If you are on a shared hosting environment and the host will not update your server you are going to need to move to a new server with that host (or switch hosts altogether).

PayPal POODLE Reference

Take a look at more details about the changes PayPal is making because of the POODLE vulnerability.

View Details from PayPal

Looking for Live Help?

Schedule a live meeting with Drew Angell, PayPal Certified Developer, and get all of your questions or concerns answered.

Get Premium Support

Featured PayPal Products and Services

2 Comments

  1. Jim
    Jim on July 16, 2016 at 9:49 am

    Please add this to your documentation.

    After spending several hours of investigation I also found that you need the following for this to work.

    You’ll need PHP 5.5.19+ and curl 7.29+

    I found that I had an older version of curl installed (7.22) and needed to be updated before PayPal sandbox worked.

    Before I updated I received the following error in my log file:

    Error response: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

    Reply
    • Andrew Angell
      Andrew Angell on July 16, 2016 at 12:13 pm

      Thanks for the feedback! I have added this information to the doc.

      Reply

Submit a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.