Change the SSL Version of curl in PHP to NSS/3.21 Basic ECC

[WebHostPro]

I have a customer that needs to update their Curl protocol for their merchant account.

They have to change the SSL Version of the curl in PHP to NSS/3.21 Basic ECC.

This doesn't happen to have a /scripts updater or can be done in Easyapache does it?

 

[twhiting9275]

Hello,
If you're using cPanel, you're using Redhat/CentOS . This software is maintained by the package distribution system, so you should be able to just run the following

yum -y update

to update curl itself

Once you do that, re-run easyapache and the rest should be good.

If it doesn't show that specific version, the vendor may be after a bit more than can be done. In most cases like this, you can simply tell them that you're using redhat and the version is up to date. Just make sure that it actually is first

 

[WebHostPro]

Thanks, I really hoping someone might have some insight. I tired and am waiting for the customer to see if it worked.

 

[WebHostPro]

Oh darn, they said it didn't work. The error goes like this from Paypal:

Making new connection to 'api-3t.sandbox.paypal.com/nvp'
Connect with CURL method successful
<b>Sending this params:</b>
METHOD=SetExpressCheckout&VERSION=124&PWD=HYAS7FB9Q6BB6JEF&USER=someusername_api1.gmail.com&SIGNATURE=An5ns1Kso7MWUdW4ErQKJJJ4qi4-AchMnpzWLS7qKAj70oo.XFuJ2XIR&CANCELURL=https%3A%2F%2Fwww.example.com%2Fen%2Fquick-order%3Fpaypal_ec_canceled%3D1%26&RETURNURL=https%3A%2F%2Fwww.example.com%2Fmodules%2Fpaypal%2Fexpress_checkout%2Fpayment.php&NOSHIPPING=0&BUTTONSOURCE=PSAPAC_PRESTASHOP_EC&L_PAYMENTREQUEST_0_NUMBER0=28&L_PAYMENTREQUEST_0_NAME0=Chu%21+1&L_PAYMENTREQUEST_0_DESC0=keywordds...&L_PAYMENTREQUEST_0_AMT0=2.02&L_PAYMENTREQUEST_0_QTY0=1&L_PAYMENTREQUEST_0_NUMBER1=361&L_PAYMENTREQUEST_0_NAME1=keywords+&L_PAYMENTREQUEST_0_DESC1=keywords...&L_PAYMENTREQUEST_0_AMT1=32.37&L_PAYMENTREQUEST_0_QTY1=1&PAYMENTREQUEST_0_PAYMENTACTION=Sale&PAYMENTREQUEST_0_CURRENCYCODE=EUR&PAYMENTREQUEST_0_SHIPPINGAMT=13.59&PAYMENTREQUEST_0_ITEMAMT=34.39&PAYMENTREQUEST_0_AMT=47.98&ADDROVERRIDE=0&EMAIL=example&PAYMENTREQUEST_0_SHIPTONAME=example&PAYMENTREQUEST_0_SHIPTOPHONENUM=065208618&PAYMENTREQUEST_0_SHIPTOSTREET=19+rue+du+gout&PAYMENTREQUEST_0_SHIPTOSTREET2=&PAYMENTREQUEST_0_SHIPTOCITY=Angers&PAYMENTREQUEST_0_SHIPTOSTATE=AK&PAYMENTREQUEST_0_SHIPTOCOUNTRYCODE=US&PAYMENTREQUEST_0_SHIPTOZIP=49100&SOLUTIONTYPE=Sole&LANDINGPAGE=Login&USER=example.gmail.com&PWD=xxxx&SIGNATURE=xxxx-xxxx
Send with CURL method failed ! Error: Unsupported SSL protocol version
Connect failed with fsockopen method

 

[twhiting9275]

Howdy,
It looks like it's not the curl version, but the protocol that needs to be updated

WHMCS posted a blog about this happening a few months back.
WHMCS Public Service Annoucement PCI v3.1 | WHMCS

See this doc on changing protocol and ciphers
Confluence Mobile - cPanel Documentation

All SSL options should be disabled. You want at mInimum tls v1.1

 

[WebHostPro]

That would be great, I changed everything to the recommended PCI protocol CPanel gives but we still have the issue. I read both pages but neither say the correct cipher.

Does anyone happen to know what the exact SSL Cipher is? We use this one now.

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

 

[twhiting9275]

The defaults should work:

ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

 

[WebHostPro]

Nope, still at square one. None of this helped but thanks for trying! You would think, something that is mandatory now would have an easy way to do it. I guess it's just too hard for the coders.

Just wish CPanel would somehow be able to update itself when important new things come about.

 

[twhiting9275]

What OS / Version are you using? I have yet to have any problems with those settings

 

[WebHostPro]

Centos6, Latest Cpanel, easy Apache, All standard stuff.

 

[twhiting9275]

There should be no reason you're failing that test then, unless the script itself is out of date.

 

[cPanelMichael]

Hello,

cURL is provided by your operating system (e.g. CentOS/RHEL), however there is a feature request for what you are seeking at:

Update to latest curl

The following thread offers instructions on how to manually compile your own version of cURL when using EasyApache 3:

cURL with AsynchDNS

Thank you.