http://bugzilla.opensuse.org/show_bug.cgi?id=977223
http://bugzilla.opensuse.org/show_bug.cgi?id=977223#c3

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |---

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---
Hmm, I'm afraid my test code doesn't match exactly what magento does - and you
are right that using CURLOPT_SSLVERSION => 6 fixes it. So at least my test code
is invalid ;-) - thanks for pointing this out!
From what I found, the "unable to get local issuer certificate" error means the root certificate can't be found/validated. That shouldn't be related to the SSL version IMHO.
After digging deeper in the magento code, it seems the connection goes to
https://api.paypal.com, and this gives me an interesting result even with the
curl commandline client:

on Leap (with all updates installed):

# curl -v https://api.paypal.com
* Rebuilt URL to: https://api.paypal.com/
* Hostname was NOT found in DNS cache
* Trying 173.0.84.66...
* Connected to api.paypal.com (173.0.84.66) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle" of
Certificate Authority (CA) public keys (CA certs). If the default bundle file
isn't adequate, you can specify an alternate file using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in the
bundle, the certificate verification probably failed due to a problem with
the certificate (it might be expired, or the name might not match the domain
name in the URL). If you'd like to turn off curl's verification of the
certificate, use the -k (or --insecure) option.

(Bingo! Now I have the "correct" error message ;-)

OTOH, on Tumbleweed I get:

# curl -v https://api.paypal.com
* Rebuilt URL to: https://api.paypal.com/
* Trying 173.0.84.98...
* Connected to api.paypal.com (173.0.84.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production 12312016; CN=api.paypal.com
* start date: Oct 22 00:00:00 2015 GMT
* expire date: Dec 13 23:59:59 2016 GMT
* subjectAltName: host "api.paypal.com" matched cert's "api.paypal.com"
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
* SSL certificate verify ok.
GET / HTTP/1.1
Host: api.paypal.com
User-Agent: curl/7.48.0
Accept: */*
To add some more fun: (on Leap again)

# zypper in --oldpackage ca-certificates-mozilla-2.2-5.2
# curl -v https://api.paypal.com
* Rebuilt URL to: https://api.paypal.com/
* Hostname was NOT found in DNS cache
* Trying 173.0.88.98...
* Connected to api.paypal.com (173.0.88.98) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* Server certificate:
* subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal Production 12312016; CN=api.paypal.com
* start date: 2015-10-22 00:00:00 GMT
* expire date: 2016-12-13 23:59:59 GMT
* subjectAltName: api.paypal.com matched
* issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA - G3
* SSL certificate verify ok.
GET / HTTP/1.1
User-Agent: curl/7.37.0
Host: api.paypal.com
Accept: */*
So this is clearly caused by the updated ca-certificates-mozilla package.
Any ideas why it breaks?

(BTW: for even more fun - api.sandbox.paypal.com uses a different certificate
issuer and doesn't break with the new ca-certificate-mozilla package.)

-- 
You are receiving this mail because:
You are on the CC list for the bug.
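An added example, not from the bug report and not openSUSE's or curl's own code: it reproduces the "unable to get local issuer certificate" failure offline with a throwaway CA, and shows that what decides the outcome is whether the leaf's issuer is present under its subject hash in the CApath directory (the layout of /etc/ssl/certs that the ca-certificates-mozilla package fills). It assumes the openssl CLI is installed; all names and certificates are constructed test data.

```shell
#!/bin/sh
# Added example (not from the bug report): reproduce the "unable to get local
# issuer certificate" error offline, then verify the same leaf again once its
# issuer is present in the trust directory. Assumes the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway root CA plus a leaf certificate it signs (constructed, short-lived).
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Build a CApath-style trust directory the way /etc/ssl/certs is laid out:
# OpenSSL locates an issuer by opening <subject_hash>.0 in the directory, so a
# CA that is missing (or lacks its hash link) is invisible to the lookup.
add_to_capath() {   # $1 = CA certificate, $2 = trust directory
    mkdir -p "$2"
    ln -sf "$1" "$2/$(openssl x509 -noout -hash -in "$1").0"
}

# Verify a certificate against a trust directory. Prints "ok" on success,
# otherwise the verify error text (the same string curl reports in the bug).
verify_against_capath() {   # $1 = certificate, $2 = trust directory
    out=$(openssl verify -CApath "$2" "$1" 2>&1 || true)
    case "$out" in
        *": OK"*) echo ok ;;
        *) echo "$out" | sed -n 's/.*depth lookup: *//p' | head -n 1 ;;
    esac
}

# Which trust anchor does the leaf need? Compare this hash against the files
# the CA bundle package ships before suspecting the TLS version.
needed_issuer_hash() {   # $1 = leaf certificate
    openssl x509 -noout -issuer_hash -in "$1"
}

make_test_pki
mkdir -p "$WORK/trust-missing"                      # store without the issuer
add_to_capath "$WORK/ca.pem" "$WORK/trust-full"     # store with the issuer

echo "issuer hash needed: $(needed_issuer_hash "$WORK/leaf.pem")"
echo "without issuer: $(verify_against_capath "$WORK/leaf.pem" "$WORK/trust-missing")"
echo "with issuer:    $(verify_against_capath "$WORK/leaf.pem" "$WORK/trust-full")"
```

On a real host, run needed_issuer_hash against the server certificate saved from the failing connection and check whether /etc/ssl/certs/<hash>.0 exists with the old and the new ca-certificates-mozilla package.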