Christian Boltz changed bug 977223
What        Removed    Added
Status      RESOLVED   REOPENED
Resolution  INVALID    ---

Comment # 3 on bug 977223 from
Hmm, I'm afraid my test code doesn't match exactly what magento does - and you
are right that using CURLOPT_SSLVERSION => 6 fixes it. So at least my test code
is invalid ;-)  - thanks for pointing this out!


From what I found, the "unable to get local issuer certificate" error means the
root certificate can't be found/validated. That shouldn't be related to the SSL
version IMHO.

After digging deeper in the magento code, it seems the connection goes to
https://api.paypal.com, and this gives me an interesting result even with the
curl commandline client:


on Leap (with all updates installed):

# curl -v https://api.paypal.com
* Rebuilt URL to: https://api.paypal.com/
* Hostname was NOT found in DNS cache
*   Trying 173.0.84.66...
* Connected to api.paypal.com (173.0.84.66) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.


(Bingo! Now I have the "correct" error message ;-)


OTOH, on Tumbleweed I get:

# curl -v https://api.paypal.com
* Rebuilt URL to: https://api.paypal.com/
*   Trying 173.0.84.98...
* Connected to api.paypal.com (173.0.84.98) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal
Production 12312016; CN=api.paypal.com
*  start date: Oct 22 00:00:00 2015 GMT
*  expire date: Dec 13 23:59:59 2016 GMT
*  subjectAltName: host "api.paypal.com" matched cert's "api.paypal.com"
*  issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of use
at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA -
G3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: api.paypal.com
> User-Agent: curl/7.48.0
> Accept: */*
> 


To add some more fun:

(on Leap again)
# zypper in --oldpackage ca-certificates-mozilla-2.2-5.2

# curl -v https://api.paypal.com
* Rebuilt URL to: https://api.paypal.com/
* Hostname was NOT found in DNS cache
*   Trying 173.0.88.98...
* Connected to api.paypal.com (173.0.88.98) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs/
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES256-SHA256
* Server certificate:
*        subject: C=US; ST=California; L=San Jose; O=PayPal, Inc.; OU=PayPal
Production 12312016; CN=api.paypal.com
*        start date: 2015-10-22 00:00:00 GMT
*        expire date: 2016-12-13 23:59:59 GMT
*        subjectAltName: api.paypal.com matched
*        issuer: C=US; O=VeriSign, Inc.; OU=VeriSign Trust Network; OU=Terms of
use at https://www.verisign.com/rpa (c)10; CN=VeriSign Class 3 Secure Server CA
- G3
*        SSL certificate verify ok.
> GET / HTTP/1.1
> User-Agent: curl/7.37.0
> Host: api.paypal.com
> Accept: */*
> 


So this is clearly caused by the updated ca-certificates-mozilla package.

Any ideas why it breaks?


(BTW: for even more fun - api.sandbox.paypal.com uses a different certificate
issuer and doesn't break with the new ca-certificates-mozilla package.)
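As an added illustration (not from the bug report or the openSUSE packages), the script below reproduces the exact "unable to get local issuer certificate" verify error with a constructed CA and leaf certificate and a CApath-style directory like the /etc/ssl/certs/ curl showed. It shows that the error depends only on whether OpenSSL can find the issuer in the trust store (present and hashed, present but not rehashed, or absent), not on the TLS version; all names, paths and subjects are made up, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the bug report: reproduce the verify error with a
# constructed issuer CA and leaf certificate. Needs the openssl CLI.
set -eu
WORK=$(mktemp -d)

# Minimal config so the constructed CA gets CA:TRUE regardless of the system openssl.cnf
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$WORK/ca.cnf"

# Constructed issuer CA (stand-in for the VeriSign intermediate in the report)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Issuer CA" \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
# Constructed leaf certificate (stand-in for api.paypal.com) signed by that CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=api.example.test" \
    -config "$WORK/ca.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1

# Three CApath-style directories (the layout curl reported as CApath: /etc/ssl/certs/)
mkdir "$WORK/hashed" "$WORK/unhashed" "$WORK/empty"
cp "$WORK/ca.pem" "$WORK/unhashed/"   # issuer copied in, but no hash link
cp "$WORK/ca.pem" "$WORK/hashed/"
# OpenSSL only finds issuers in a CApath through <subject-hash>.N links (what c_rehash builds)
ln -s "$WORK/hashed/ca.pem" "$WORK/hashed/$(openssl x509 -noout -hash -in "$WORK/ca.pem").0"

# verify_leaf DIR: verify the leaf against a CApath directory. Prints "ok" on
# success, otherwise the verify error text from the "depth lookup" line.
verify_leaf() {
    if out=$(openssl verify -CApath "$1" "$WORK/leaf.pem" 2>&1); then
        echo ok
    else
        printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

echo "hashed:   $(verify_leaf "$WORK/hashed")"     # ok
echo "unhashed: $(verify_leaf "$WORK/unhashed")"   # unable to get local issuer certificate
echo "empty:    $(verify_leaf "$WORK/empty")"      # unable to get local issuer certificate
```

The "unhashed" case is the one to check after a ca-certificates update: a CA that is present as a file but missing its hash symlink produces the same error as a CA that was dropped from the bundle.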

