OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed) when connecting to PayPal

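I know there is a lot of discussion about this error, but I'm sorry to say I couldn't find any workable solution there.

I am developing an e-commerce website using ShareTribe. I am trying to implement PayPal as the payment gateway, so I am using Activemerchant.

Everything works fine on the development machine, but when I deploy the Rails application to production it throws

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed)

I am initializing Activemerchant as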

    config.after_initialize do
      ActiveMerchant::Billing::Base.mode = :test
      paypal_options = {
        login: "bla bla",
        password: "bla bla",
        signature: "bla bla",
        appid: "APP-80W284485P519543T"
      }
      ::EXPRESS_GATEWAY = ActiveMerchant::Billing::PaypalExpressGateway.new(paypal_options)
    end

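Added HTTPS and disabled SSLv3

After a lot of googling, I found

SSLv3 has been shown to be insecure because of the POODLE vulnerability. You should make sure your system has the latest version of OpenSSL so that you can use TLSv1.2.

So I disabled SSLv3, as shown below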

    openssl s_client -connect kickmarket.eu:443
    CONNECTED(00000003)
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
    verify error:num=27:certificate not trusted
    verify return:1
    depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = www.kickmarket.eu
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
       i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    ...........................................
    -----END CERTIFICATE-----
    subject=/OU=Domain Control Validated/OU=PositiveSSL/CN=www.kickmarket.eu
    issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, prime256v1, 256 bits
    ---
    SSL handshake has read 2038 bytes and written 375 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 4D23F4A942AAD4264BE96EB5F1E62204269D882A64ACFBD2D139CD2F10A449A0
        Session-ID-ctx:
        Master-Key: 1E381DAA3BA90FE3609606716E7E9A2EB2E2F671E9F3C4005D8EBAE009103A7AB771FB2AC8B45F169F43CBD0AD352E06
        Key-Arg : None
        Krb5 Principal: None
        PSK identity: None
        PSK identity hint: None
        TLS session ticket lifetime hint: 300 (seconds)
        TLS session ticket: ..................................
        Start Time: 1446132175
        Timeout : 300 (sec)
        Verify return code: 21 (unable to verify the first certificate)
    ---

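But after restarting nginx, I still have the same problem. Is there any way to solve this? Any suggestions would be appreciated.

This is most likely due to the upgrade to SHA256 certificates. Please see the following document: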

https://devblog.paypal.com/paypal-ssl-certificate-changes/

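The main reason is that the Ruby installed by rvm looks in the wrong directory for certificates, whereas the OS X Ruby looks in the right one.

What you want to do is not use any precompiled Ruby, but compile Ruby on your local machine, like this: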

 rvm install 2.2.0 --disable-binary 

You can read the detailed explanation at https://toadle.me/2015/04/16/fixing-failing-ssl-verification-with-rvm.html
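
Added example (not from the original question or answers): a Ruby check of where the running interpreter's OpenSSL looks for CA certificates, which is the cause the last answer names, plus a constructed CA and leaf showing that a trust path with no bundle produces verify error 20, the first error in the s_client output above. The function names, certificate subjects and temporary file names are hypothetical.

```ruby
require "openssl"
require "tmpdir"

# Number of PEM certificate blocks in a bundle; 0 if the file is missing.
def pem_cert_count(path)
  File.file?(path.to_s) ? File.read(path).scan(/^-----BEGIN CERTIFICATE-----/).size : 0
end

# Where this Ruby looks for CAs; SSL_CERT_FILE / SSL_CERT_DIR override the built-in paths.
def trust_store_report(env = ENV)
  file = env["SSL_CERT_FILE"] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env["SSL_CERT_DIR"]  || OpenSSL::X509::DEFAULT_CERT_DIR # single directory assumed
  hashed = Dir.exist?(dir) ? Dir.entries(dir).grep(/\A\h{8}\.\d+\z/).size : 0
  certs = pem_cert_count(file)
  { cert_file: file, file_certs: certs, cert_dir: dir,
    dir_hashed_entries: hashed, usable: certs > 0 || hashed > 0 }
end

# Verify cert against one CA bundle only; returns [ok, error_code, error_string].
def verify_with_bundle(cert, ca_file)
  store = OpenSSL::X509::Store.new # empty: system defaults are not loaded
  store.add_file(ca_file) if pem_cert_count(ca_file) > 0
  [store.verify(cert), store.error, store.error_string]
end

# Constructed sample data: issue a throwaway certificate (self-signed CA if no issuer).
def issue(subject, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true)) unless issuer
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# The same leaf checked against a path with no bundle, then against the right bundle.
def demo
  ca = issue("/CN=Constructed Root CA", ca_key = OpenSSL::PKey::RSA.new(2048))
  leaf = issue("/CN=leaf.example.test", OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  Dir.mktmpdir do |d|
    File.write(bundle = File.join(d, "ca.pem"), ca.to_pem)
    { wrong_path: verify_with_bundle(leaf, File.join(d, "missing.pem")),
      right_path: verify_with_bundle(leaf, bundle) }
  end
end

p trust_store_report, demo if __FILE__ == $PROGRAM_NAME
```

Run it under each Ruby in question (the rvm-installed one and the system one) and compare cert_file, cert_dir and usable between them.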