Update: This is no longer an issue in CentOS 6.8. According to the CentOS 6.8 changelog, “various applications now support TLS 1.2, i.e. OpenLDAP, yum, stunnel, vsftpd, git, postfix and others. Also TLS 1.2 has been enabled by default in various packages”
At the moment there is a common problem that keeps cropping up both at work and on sites like Stack Overflow and Stack Exchange: an SSL connect error, even though all the URLs and credentials appear correct and your connection to the live PayPal API works without issue. The issue currently only exists for the PayPal sandbox and is due to an SSL update by PayPal; they have rolled the change out to sandbox and are due to roll it out to production in June 2017 (this has recently been changed from October 2016).
The message everyone is getting for the PayPal sandbox in Magento is as follows.
On the front end/checkout you would see “Unable to communicate with the PayPal gateway”
Within the exception logs it would be a little more specific:
PayPal NVP CURL connection error #35: SSL connect error
The root cause of the issue is the Transport Layer Security (TLS) version. Originally PayPal supported TLS 1.0; however, due to security vulnerabilities like Heartbleed, they have decided to move away from TLS 1.0 and are making TLS 1.2 mandatory.
Libcurl versions prior to 7.34.0 do not support TLS 1.2 and versions of 7.34.0. Now comes the tricky part: there is no supported version of libcurl 7.34.0 for CentOS, one of the most popular hosting operating systems; the current supported version is 7.29.0.
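There is something you can do in the meantime for local development environments (e.g. in a local Vagrant box). The steps are below.
I must stress: do not do this on a live/production server. If you do, there is a chance your hosting provider will no longer provide support to you and your server. The repo definition below also turns off package signature checking (gpgcheck=0) and uses a plain-HTTP baseurl, so yum does not authenticate the packages it installs from it.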
- Create a new repo file in the yum repos directory
sudo touch /etc/yum.repos.d/city-fan.repo
- Paste the following into it by using nano or vim.
[CityFan]
name=City Fan Repo
baseurl=http://www.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basearch/
enabled=1
gpgcheck=0
- Save the file
- After that you need to run a yum clean and an install (don’t forget to restart Apache, or php-fpm if you have it, when you’re done)
yum clean all
yum install curl
After that you can test your libcurl version with the following
curl -V
You should see something like this
You can then also test your curl connection to PayPal
curl -v -s https://api-3t.sandbox.paypal.com/nvp
curl -v -s https://api.paypal.com/nvp
You should receive a message saying HTTP/1.1 200 OK for both sandbox and production.
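The `curl -V` check above can be scripted. The following is an added example, not part of the original post: it parses the banner, compares the libcurl version against the 7.34.0 threshold given earlier, and with `--live` forces a TLS 1.2 handshake against the sandbox endpoint. The function names and the two sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check `curl -V` output against
# the libcurl 7.34.0 threshold the article gives for TLS 1.2 support.
MIN_LIBCURL="7.34.0"   # threshold taken from the article

# Constructed sample banners (first line of `curl -V`), not captured output.
SAMPLE_OLD='curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.15.4 zlib/1.2.7'
SAMPLE_NEW='curl 7.51.0 (x86_64-redhat-linux-gnu) libcurl/7.51.0 NSS/3.21 zlib/1.2.7'

# Print the libcurl version found on the first line of a banner, or nothing.
libcurl_version() {
    printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# Return 0 if dotted version $1 >= $2. Fields are compared as integers, so
# 7.100.0 correctly ranks above 7.34.0 (a string comparison would not).
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Classify a banner: prints "ok <ver>", "too-old <ver>" or "unknown".
check_curl_banner() {
    ver=$(libcurl_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown"
    elif version_ge "$ver" "$MIN_LIBCURL"; then
        echo "ok $ver"
    else
        echo "too-old $ver"
    fi
}

# Live check (needs network): classify the installed curl, then force a
# TLS 1.2 handshake with the sandbox endpoint and print the HTTP status.
if [ "${1:-}" = "--live" ]; then
    check_curl_banner "$(curl -V)"
    curl --tlsv1.2 -s -o /dev/null -w '%{http_code}\n' \
        https://api-3t.sandbox.paypal.com/nvp
fi
```

The version comparison is only a heuristic, since a distribution can enable TLS 1.2 in its own packages (as the CentOS 6.8 update at the top notes); the `--live` handshake is the check that settles it.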