2
votes

I know there are lots of discussions regarding this error, but sorry to say I'm unable to find any working solution in them.

I'm developing an ecommerce site using ShareTribe. I'm trying to implement PayPal as the payment gateway, so I'm using ActiveMerchant.

Everything works fine on the development machine, but when I deploy my Rails app to production it throws

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

I'm initializing ActiveMerchant as

  config.after_initialize do
    # :test makes ActiveMerchant gateways use their sandbox endpoints
    ActiveMerchant::Billing::Base.mode = :test
    paypal_options = {
      login:     "bla bla",
      password:  "bla bla",
      signature: "bla bla",
      appid:     "APP-80W284485P519543T"
    }
    # Global constant so controllers can reach the configured gateway
    ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
  end

Added HTTPS and Disabled SSLV3

After lots of googling I found that:

SSLv3 was proven to be insecure with the POODLE vulnerability. You should make sure that your system has the latest version of OpenSSL so that you can use TLSv1.2.

So I disabled SSLv3, as shown below:

 openssl s_client -connect kickmarket.eu:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...........................................
-----END CERTIFICATE-----
subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---
No client certificate CA names sent
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 2038 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
    Session-ID-ctx: 
    Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
   ..................................

    Start Time: 1446132175
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

But after restarting nginx I got the same problem. Is there any way to fix this issue? Any suggestion will be appreciated.

2
'Connection refused' has nothing to do with SSL or OpenSSL. It means nothing was listening at the IP:port you tried to connect to, or a firewall (improperly configured to reset instead of ignore unwanted connections) is in the way. In this case all it means is that you haven't configured your server correctly for HTTPS via port 443. Off topic. - user207421
@EJP Do I need to buy SSL certificates in order to use TLS? - Bibek Sharma
@EJP Please have a look, I updated my post. - Bibek Sharma
Use SNI and TLS 1.0 and above. Also see "How to set SSLContext options in Ruby" and "How to set TLS context options in Ruby (like OpenSSL::SSL::SSL_OP_NO_SSLv2)". I've become so frustrated doing simple Security 101 things in Ruby that I no longer use it. - jww

2 Answers

2
votes

This is most likely due to the upgrade to SHA256 certificates. Please review the following documentation:

https://devblog.paypal.com/paypal-ssl-certificate-changes/

2
votes

The primary cause for this is that the rvm-installed ruby looks in the wrong directory for certificates, whereas the OS X ruby looks in the correct one.

What you want to do is NOT TO USE any of the precompiled rubies, but rather have ruby compiled on your local machine, like so:

rvm install 2.2.0 --disable-binary

You can read a detailed explanation at https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
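Added example (not code from the question or from either answer): a self-contained Ruby script that reproduces the two ways `certificate verify failed` comes about in this thread. It builds a throwaway root CA, intermediate CA and server leaf in memory (all names, keys and lifetimes are constructed here and are not PayPal's or kickmarket.eu's), then verifies the leaf with `OpenSSL::X509::Store` the way `Net::HTTP` does under the hood. Case 1 is a server that sends only its own certificate, which is what the s_client output in the question shows (a chain with depth 0 only and "unable to verify the first certificate"). Case 3 is a ruby whose trust store holds nothing, which is the rvm situation this answer describes. The last function prints where this particular ruby binary's OpenSSL looks for its CA bundle; comparing that path between the development machine and the production box, and whether the file actually exists there, is the check to make before recompiling anything. `SSL_CERT_FILE` / `SSL_CERT_DIR` are the environment overrides OpenSSL itself honours.

```ruby
require "openssl"

# --- Constructed three-level PKI: root CA -> intermediate CA -> server leaf ---
# Subject names, keys and validity windows are made up for this example only.
def make_cert(subject:, key:, serial:, ca:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject # self-signed when no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage",
                                         ca ? "keyCertSign,cRLSign" : "digitalSignature,keyEncipherment", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))

  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

def build_demo_pki
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)

  root = make_cert(subject: "/O=Example Demo CA/CN=Example Demo Root CA",
                   key: root_key, serial: 1, ca: true)
  intermediate = make_cert(subject: "/O=Example Demo CA/CN=Example Demo DV Secure Server CA",
                           key: int_key, serial: 2, ca: true, issuer_cert: root, issuer_key: root_key)
  leaf = make_cert(subject: "/CN=www.example.test", key: leaf_key, serial: 3, ca: false,
                   issuer_cert: intermediate, issuer_key: int_key)
  { root: root, intermediate: intermediate, leaf: leaf }
end

# Verify a leaf the way OpenSSL::SSL::SSLSocket (and therefore Net::HTTP) does:
# `presented_chain` is whatever the server sent besides its own certificate,
# `trusted_roots` stands in for the CA bundle. Returns OpenSSL's numeric verify
# code and message alongside the boolean (0 / "ok" on success).
def verify_chain(leaf, presented_chain:, trusted_roots:)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, presented_chain)
  { ok: ok, error: store.error, message: store.error_string }
end

# Where this ruby's OpenSSL looks for the system CA bundle by default. A ruby
# whose DEFAULT_CERT_FILE / DEFAULT_CERT_DIR do not exist on the host trusts
# nothing, so every HTTPS connection fails exactly like case 3 below.
def default_cert_locations
  {
    cert_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir:  OpenSSL::X509::DEFAULT_CERT_DIR,
    file_env:  OpenSSL::X509::DEFAULT_CERT_FILE_ENV, # normally SSL_CERT_FILE
    dir_env:   OpenSSL::X509::DEFAULT_CERT_DIR_ENV   # normally SSL_CERT_DIR
  }
end

if __FILE__ == $PROGRAM_NAME
  pki = build_demo_pki
  cases = {
    "1: server sends only its leaf (depth 0 only), root trusted" =>
      verify_chain(pki[:leaf], presented_chain: [], trusted_roots: [pki[:root]]),
    "2: server sends leaf + intermediate, root trusted" =>
      verify_chain(pki[:leaf], presented_chain: [pki[:intermediate]], trusted_roots: [pki[:root]]),
    "3: full chain sent, but trust store is empty" =>
      verify_chain(pki[:leaf], presented_chain: [pki[:intermediate]], trusted_roots: [])
  }
  cases.each do |name, r|
    puts format("%-60s ok=%-5s code=%d %s", name, r[:ok], r[:error], r[:message])
  end

  loc = default_cert_locations
  puts "CA file: #{loc[:cert_file]} (exists: #{File.exist?(loc[:cert_file])})"
  puts "CA dir:  #{loc[:cert_dir]} (exists: #{File.directory?(loc[:cert_dir])})"
  puts "Override with #{loc[:file_env]} / #{loc[:dir_env]} if those paths are wrong for this host"
end
```

Run it with the production ruby (`bundle exec ruby check_tls.rb` or whatever name you save it under) rather than the system one: the whole point of the second answer is that the two binaries can report different `DEFAULT_CERT_FILE` values. If case 2 passes but real connections still fail, the bundle path is the suspect; if you see depth 0 only in s_client output for the host you are calling, the server side is missing its intermediate and no client-side fix will help.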