We have an online shopping site. When I go to the checkout page I get an error like this: "error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure(35)"
From the Apache error log I can see some attempts to connect to api.paypal.com. Here is the relevant part of my Apache error log:
* About to connect() to api.paypal.com port 443 (#0)
* Trying 66.211.168.123... * connected
* Connected to api.paypal.com (66.211.168.123) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
When I tried to connect to api.paypal.com using curl I got an error like this:
curl -iv https://api.paypal.com/
* About to connect() to api.paypal.com port 443 (#0)
* Trying 66.211.168.91... connected
* Connected to api.paypal.com (66.211.168.91) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
* Closing connection #0
curl: (35) error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
Best Answer

openssl s_client does a better job of explaining what's going on here, since it shows whether it's receiving or sending these messages. api.paypal.com is requesting a specific client certificate (this is the

* SSLv3, TLS handshake, Request CERT (13):

line curl is printing) and you're sending the wrong (or no) certificate, so your connection fails.

Googling for PayPal API info, it appears that you'll need to request a client certificate for the API. They also have a username/password "signature" option, but this option uses a completely different server. If you have these, then configuring your cart software to use them is an issue to take up with the cart developer. If you are the developer and you have a certificate, see the --cert, --cert-type, --key, and --key-type flags to curl to configure the cert and private key curl uses.
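The client-certificate requirement the answer describes, shown end to end as an added example that is not part of the original answer and not PayPal's or curl's code: a throwaway TLS 1.2 server in Go is configured to require a client certificate (the same Request CERT (13) step in the curl trace), and a client connects once without a certificate and once with one. The CA, the server and client certificates, the hostname api.example.test and the function names are all constructed for this example. TLS 1.2 is used instead of the SSLv3/TLS 1.0 handshake in the trace because current libraries no longer negotiate those versions, but the failure mode is the same: when the client presents no acceptable certificate, the server aborts the handshake with an alert and the client reports a handshake error.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue creates a throwaway ECDSA P-256 certificate for cn (constructed test
// material, not a real PKI). With parent == nil it is a self-signed CA;
// otherwise it is an end-entity certificate signed by parent/parentKey.
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf: name it so the client can verify the server by hostname
		tmpl.DNSNames = []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// TryHandshake runs one TLS 1.2 handshake against an in-process server that
// requires a client certificate. It returns the client-side handshake error:
// nil when the client presented a certificate the server trusts, otherwise
// the error caused by the alert the server sent back, which is the situation
// behind "sslv3 alert handshake failure" in the question.
func TryHandshake(withClientCert bool) error {
	_, caCert, caKey := issue("Example Test CA", 1, nil, nil)
	serverTLS, _, _ := issue("api.example.test", 2, caCert, caKey)
	clientTLS, _, _ := issue("merchant-client", 3, caCert, caKey)

	pool := x509.NewCertPool()
	pool.AddCert(caCert)

	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverTLS},
		ClientAuth:   tls.RequireAndVerifyClientCert, // sends CertificateRequest, like api.paypal.com
		ClientCAs:    pool,                            // only certificates from this CA are accepted
		MinVersion:   tls.VersionTLS12,
		MaxVersion:   tls.VersionTLS12, // in TLS 1.2 the rejection surfaces during the handshake, as in the trace
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return fmt.Errorf("listen: %w", err)
	}
	defer ln.Close()

	// Server side: complete (or abort, sending an alert) exactly one handshake.
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		conn.(*tls.Conn).Handshake()
	}()

	clientCfg := &tls.Config{
		RootCAs:    pool,
		ServerName: "api.example.test",
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
	if withClientCert {
		// The equivalent of curl's --cert/--key: what the client presents when asked.
		clientCfg.Certificates = []tls.Certificate{clientTLS}
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err // handshake aborted: no (or an untrusted) client certificate
	}
	conn.Close()
	return nil
}

func main() {
	fmt.Println("without client certificate:", TryHandshake(false))
	fmt.Println("with client certificate:   ", TryHandshake(true))
}
```

Run it with go run: the first line prints a non-nil handshake error produced by the server's alert, the second prints <nil>. The Certificates field on the client side is exactly what curl's --cert and --key flags fill in; leaving it empty reproduces the failing connection from the question, and the server's ClientCAs setting is why a certificate from the wrong issuer fails just like no certificate at all.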