Paypal REST API Sandbox - SSL Connect Error

1
votes

When trying to use my sandbox credentials, the API fails. However, if I use live, it works fine. Not able to run test transactions due to this issue.

[root@host]# curl -v https://api.sandbox.paypal.com/v1/oauth2/token -H "Accept: application/json" -H "Accept-Language: en_US" -u "[removed]:[removed]" -d "grant_type=client_credentials" * About to connect() to api.sandbox.paypal.com port 443 (#0) * Trying 173.0.82.78... connected * Connected to api.sandbox.paypal.com (173.0.82.78) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * NSS error -12286 * Closing connection #0 * SSL connect error curl: (35) SSL connect error

1
curlpaypalpaypal-sandbox
Sorry I bad, did you install a CAfill from paypal? looks like the CAfile is not legal.John Zeng

1 Answers

1
votes

Curl error 35 means that the SSL initial handshake did not even go through because the response returned by Paypal did not appear as valid SSL. This would occur, for example, if you try to connect to port 80, which is not your case. However, you do reach Paypal server. The issue is not the CAfile because you have not reached the state where you verify the signature. The certificate itself is not recognized as valid, if it is received at all. The error NSS 12286 is:

"Cannot communicate securely with peer: no common encryption algorithm(s)."

The local and remote systems share no cipher suites in common. This can be due to a misconfiguration at either end. It can be due to a server being misconfigured to use a non-RSA certificate with the RSA key exchange algorithm.

It says "no common encryption algorithms", but Paypal did not even sent back a selection of cyphers. I just tried your code and it works perfectly fine for me. If the error would have been a missing CA certificate, you would have seen an handshake, saying hello, and then "SSL certificate problem: unable to get local issuer certificate".

If I had more reputation, I would have written a comment only. This question should really be addressed by Paypal's people.