stripe-php: Setting CURLOPT_SSLVERSION explicitly causes it to fail (curl error 35).

Working on a client’s server today (I develop a self-hosted app that uses the Stripe SDK for payments), Stripe’s SDK failed with the error: Unexpected error communicating with Stripe. If this problem persists, let us know at support@stripe.com. (Network error [errno 35]: Unsupported SSL protocol version)

They contacted Stripe and they were told to run this code, which outputted “TLS 1.2” correctly. So TLS 1.2 is supported properly.

The client was running Stripe 3.20.0 (3.21 only adds the Source stuff so it wouldn’t have changed anything), so this is an issue with the latest code. After digging into it a bit, I figured out that the problem lay with these lines. This server has CURL_SSLVERSION_TLSv1_2 defined (PHP 5.6), and OpenSSL is current enough to pass that if, so the code was running $opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1_2;, which for some reason causes the problem, because changing it to CURL_SSLVERSION_TLSv1 makes the problem go away. Somehow, explicitly requiring 1.2 is a problem while just asking for any TLS is fine. Removing all the lines linked to above (i.e. not setting CURLOPT_SSLVERSION at all) also resolves the problem. It’s also worth noting that PHP’s docs themselves recommend not setting CURLOPT_SSLVERSION at all (http://php.net/manual/en/function.curl-setopt.php “Note: Your best bet is to not set this and let it use the default.”). So it could be that the best thing to do is to just remove it.

This is not a Stripe-specific issue because in the TLS-checking gist linked above, if I add the line curl_setopt($c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);, it makes it fail. So it’s just something with curl itself on this particular server configuration. But since Stripe does depend on it working correctly, I thought it might be useful to report this, just in case you want to debug and find a workaround for it to make sure others don’t have this problem.

I have FTP access to the server and the client’s permission to work on debugging this issue so I’m happy to look at whatever is needed and provide whatever information is required.

If this issue doesn’t seem worthwhile to you, that’s fine, since it’s not something affecting a lot of people. I just wanted to make sure someone was aware of it, just in case.

About this issue

  • Original URL
  • State: closed
  • Created 8 years ago
  • Comments: 27 (15 by maintainers)

Most upvoted comments

Awesome, thank you so much for everything! It really is great seeing a project so well taken care of, and with such a responsive team, that even a small issue like this gets this much attention. I’ll update our app to use this, run our tests, and let you know there are any issues or if any clients report anything.

+1
pocketarc on Oct 4, 2016
Read more comments on GitHub
← stripe-node: Webhook validate signing error: No signature found matching the expected signature for payload. | express
stripe-php: TLS 1.2 not working with v3 but works with v2 →