FS#38429 - [curl] SSL error with paypal.com since 7.34.0
Attached to Project:
Arch Linux
Opened by Dark (Dark) - Thursday, 09 January 2014, 06:30 GMT
Last edited by Dave Reisner (falconindy) - Wednesday, 29 January 2014, 14:17 GMT
Opened by Dark (Dark) - Thursday, 09 January 2014, 06:30 GMT
Last edited by Dave Reisner (falconindy) - Wednesday, 29 January 2014, 14:17 GMT
|
Details
There appears to be a regression in curl 7.34.x compared to
the previous 7.33.x packages.
Reproduce as follows: # curl -3 'https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate' curl: (35) Unsupported SSL protocol version A large number of PHP scripts using the Paypal API and IPN system use the '-3' flag via 'CURLOPT_SSLVERSION=>3', including the official Paypal PHP SDK. |
This task depends upon
Closed by Dave Reisner (falconindy)
Wednesday, 29 January 2014, 14:17 GMT
Reason for closing: Won't fix
Additional comments about closing: curl 7.35.0 released today, package to appear soon in [testing].
Wednesday, 29 January 2014, 14:17 GMT
Reason for closing: Won't fix
Additional comments about closing: curl 7.35.0 released today, package to appear soon in [testing].
# curl -3 'https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate'
INVALID
http://curl.haxx.se/mail/tracker-2014-01/0008.html
That patch won't apply on 7.34.0 due to some restructing of the SSL functionality. It's also a followup to the original "fix" which was committed in db11750cfa5b17a7e6ae7f64df5807e436d1a130.
Due to this bug, and some others, the release schedule for 7.35.0 (or 7.34.1) is being moved forward to the end of this month (rather than the middle of February). I'm inclined to wait it out.
> i am looking if there is a CVE attributed to this issue.
There isn't. There will be a CVE issued for a different bug (one which doesn't affect Linux).
Or even git over HTTPS?