Error 0x1408F10B: “SSL3_GET_RECORD:wrong version number” with PayPal SDK

Question

Looks like PayPal might have updated its systems in light of the POODLE attack, causing sites using the PHP PayPal SDK to break.

I get the error:

Answer 1

PayPal have officially released an update to the PHP SDK to address this issue, which was posted in the Github PR Jaffer linked to

https://github.com/paypal/rest-api-sdk-php/releases/tag/v0.13.1

Answer 2

UPDATE: As Jaffer noted, PayPal's GitHub repository has already merged the changes below, so you might just update your SDK.

At least this seems to work for now, though I will have to investigate what protocol it will actually use.

\PayPal\Core\PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSLVERSION] = 1;
// 0 = default protocol (likely TLSv1), 1 = TLSv1; unsafe: 2 = SSLv2, 3 = SSLv3

For other people using cURL directly, just use

curl_setopt($handle, CURLOPT_SSLVERSION, 1);

UPDATE:
Just looked up the source to cURL, these are the values (// comments mine):

enum {  
    CURL_SSLVERSION_DEFAULT, // 0
    CURL_SSLVERSION_TLSv1,   // 1
    CURL_SSLVERSION_SSLv2,   // 2
    CURL_SSLVERSION_SSLv3,   // 3

    CURL_SSLVERSION_LAST /* never use, keep last */  // 4
};

So to summarize, yes, 1 is TLSv1 and judging from the comment, is probably better than 4.
Updated code above.

Answer 3

For people who are using https://github.com/Quixotix/PHP-PayPal-IPN, just set false to force_ssl_v3:

$listener = new IpnListener();
$listener->force_ssl_v3 = false;