Resolved Error! errno = 35, msg = SSL version range is not valid.

[Staniel]

Hello,

I am having some issues trying to connect to the Stripe Payments API using WHMCS I am getting the following error message in the logs "(Network error [errno 35]: SSL version range is not valid.)" I have ran a script to get the TLS version and the following is coming back:

OS: Linux
uname: Linux ocelot.xxxxxxxxxxx.co.uk 3.10.0-862.14.4.el7.x86_64 #1 SMP Wed Sep 26 15:12:11 UTC 2018 x86_64
PHP version: 7.2.11
curl version: 7.62.0
SSL version: NSS/3.36
SSL version number: 0
OPENSSL_VERSION_NUMBER: 1000105f
TLS test (default): TLS 1.2
TLS test (TLS_v1): TLS 1.0
TLS test (TLS_v1_2): Error! errno = 35, msg = SSL version range is not valid.

I have tried to force a TLS v1.2 connection from a SSH session and I have got the following returned:

[root@ocelot ~]# curl --tlsv1.2 -v https://api.stripe.com
* Trying 54.149.153.72...
* TCP_NODELAY set
* Connected to api.stripe.com (54.149.153.72) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12168 (SSL_ERROR_INVALID_VERSION_RANGE)
* SSL version range is not valid.
* Closing connection 0
curl: (35) SSL version range is not valid.

I am struggling to work out what is causing this issue, does anyone have some pointers that I can go look at? I have attached aPDF of the phpinfo for the server as well.

Many thanks

Stan

 

[Loshmi]

I have the same problem, PayPal not working on WooCommerce with the same error curl(35): Sll version range not valid. Help?

[root@www ~]# openssl version
OpenSSL 1.0.2p 14 Aug 2018
[root@www ~]# curl --tlsv1.2 -v https://api.stripe.com
* Trying 54.187.208.163...
* TCP_NODELAY set
* Connected to api.stripe.com (54.187.208.163) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -12168 (SSL_ERROR_INVALID_VERSION_RANGE)
* SSL version range is not valid.
* Closing connection 0
curl: (35) SSL version range is not valid.

 

[hsojhsoj]

I am trying to resolve a similar issue. Could you please tell me the results of running a report here SSL Server Test (Powered by Qualys SSL Labs)
?

I am particularly interested in the tls versions your certificate is compatible with.

 

[trialotto]

@Staniel, @Loshmi, @hsojhsoj

A solution from Stripe:

The recommended course of action is to upgrade your cURL and OpenSSL packages so that TLS 1.2 is used by default, but if that is not possible, you might be able to solve the issue by setting the CURLOPT_SSLVERSION option to either CURL_SSLVERSION_TLSv1 or CURL_SSLVERSION_TLSv1_2:


$curl = new \Stripe\HttpClient\CurlClient([CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1]);
\Stripe\ApiRequestor::setHttpClient($curl);

Additional links:

- Github
- Stripe blog
- Stripe upgrade integration

As you can see by now, this topic thread is NOT Plesk related and/or some easy fixes and instructions are available elsewhere.

Hope the above helps a bit.

Regards!

 

[Loshmi]

@Staniel, @Loshmi, @hsojhsoj

A solution from Stripe:

The recommended course of action is to upgrade your cURL and OpenSSL packages so that TLS 1.2 is used by default, but if that is not possible, you might be able to solve the issue by setting the CURLOPT_SSLVERSION option to either CURL_SSLVERSION_TLSv1 or CURL_SSLVERSION_TLSv1_2:


$curl = new \Stripe\HttpClient\CurlClient([CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1]);
\Stripe\ApiRequestor::setHttpClient($curl);

Additional links:

- Github
- Stripe blog
- Stripe upgrade integration

As you can see by now, this topic thread is NOT Plesk related and/or some easy fixes and instructions are available elsewhere.

Hope the above helps a bit.

Regards!

Thank you for the reply, i reinstalled all the Curl* LibCurl packages and it started working, but still got the Curl 35 error on PayPal.

 

[trialotto]

Thank you for the reply, i reinstalled all the Curl* LibCurl packages and it started working, but still got the Curl 35 error on PayPal.

@Loshmi

From the back of my head, PayPal requires communication over the TLS1.2 protocol, so you could re-arrange and test code with the following settings:

curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);

or something similar.

Regards.........

 

[Loshmi]

@trialotto thank you for the info. When I use curl from the shell with tls v1.2 option, it works just find but with php it gives me the same error :/

I run this tls test script (tls_test.php) and got the results:

OS: Linux
uname: Linux domainname.ltd 4.9.33-mod-std-ipv6-64 #1 SMP Tue Jun 20 11:36:21 CEST 2017 x86_64
PHP version: 7.2.10
curl version: 7.62.0
SSL version: NSS/3.36
SSL version number: 0
OPENSSL_VERSION_NUMBER: 1000105f
TLS test (default): TLS 1.2
TLS test (TLS_v1): TLS 1.0
TLS test (TLS_v1_2): Error! errno = 35, msg = SSL version range is not valid.

 

[trialotto]

@Loshmi,

To be honest, it still is not a topic related to Plesk and, therefore, it should also not be a topic for this forum.

Nevertheless, I can tell you that a error code 35 often is associated with the destination not liking the protocol or cipher: this happened when connecting to Stripe/PayPal and it can be safely assumed that your tls_test.php script is using a destination URL that triggers the error.

In short, do not worry, as long as curl from shell works fine, then your PHP scripts for Stripe and/or PayPal should work fine if they are adjusted to use the proper TLS version.

Regards..........

 

[itmnetcom]

If you fixed the issue, this should not show:

TLS test (TLS_v1_2): Error! errno = 35, msg = SSL version range is not valid.

Remember to restart, httpd, nginx and the php-fpm version you are running. If this still happens, try downgrading curl and libcurl - these are ther culprits that started this mess in the latter part of 2018.

Good luck!