My PayPal script suddenly stopped verifying the SS

Posted 2019-01-29 10:02

Question:

So my script (IPN listeners, API calls, etc.) was working fine but suddenly started throwing an error about being unable to verify the SSL certificate. This is my error (PHP CURL shown):

SSL connect error

Why did it stop working?

Answer 1:

Last year, PCI-DSS 3.1 came out and there was a major change for all people processing credit cards. Specifically, there was a mandate that all processing had to be done on TLS 1.1 or later only. The original sunset date was June 30, 2016, but that was postponed to June 30, 2018:

The Payment Card Industry Security Standards Council (PCI SSC) is extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

Now, while this reprieve gives you, the programmer, some room to breathe in regards to your front end, it still means that moving to TLS 1.1+ is not optional (in fact I would move sooner if I were you) and that some intermediate card processing will start moving sooner than that. PayPal, as it turns out, is one of those moving in regards to its websites:

TLS 1.2 Upgrade

The most secure protocol for sharing information on the web today is Transport Layer Security (TLS) version 1.2. PayPal is enabling support for TLS 1.2 for all secure connections and in 2016 will start requiring its use. You will need to verify that your environment supports TLS 1.2 and if necessary make appropriate updates. PayPal is updating its services to require TLS v1.2 for all HTTPS connections on June 17, 2016. After that date, all TLS v1.0 and TLS v1.1 API connections will be refused.

Now, in theory, your old script (provided you're not storing PayPal's public key) should operate just fine but Sandbox (which has already moved to this) communications are already starting to fail. What I've found is that, for a variety of reasons, some communication layers (notably CURL in PHP, a very common way to talk to PayPal) cannot negotiate properly with PayPal anymore. Thus, you get the cryptic error:

SSL connect error

Thanks CURL. That was helpful... (not)

So how do we work around this? Well, if we tell CURL to only use TLS 1.2 your calls to PayPal should start working again without issues. If you're using PHP and CURL you can do it by adding this line (where $ch is your CURL handler):

curl_setopt($ch, CURLOPT_SSLVERSION, 6); // Force TLS 1.2

This change is perfectly safe to use with both Sandbox and Live calls to PayPal.
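
Added example (not part of the original answer): a preflight check that tells you whether the PHP cURL build on a host can honour the TLS 1.2 pin at all, plus a handle builder that applies the pin with certificate verification left on. The function names `tls12_problems` and `tls12_handle`, the sample version strings and the URL are constructed for illustration; the thresholds assumed are libcurl 7.34.0 (first release with the TLS 1.2 option) and OpenSSL 1.0.1 (first release with TLS 1.2).

```php
<?php
// Added example: function names, sample version strings and the URL are constructed.

// Returns a list of reasons this libcurl build cannot be pinned to TLS 1.2
// (an empty list means the pin should work). $cv is curl_version()-shaped.
function tls12_problems(array $cv)
{
    $problems = array();
    // libcurl gained the CURL_SSLVERSION_TLSv1_2 option in 7.34.0.
    if (version_compare($cv['version'], '7.34.0', '<')) {
        $problems[] = "libcurl {$cv['version']} is older than 7.34.0";
    }
    if (empty($cv['ssl_version'])) {
        $problems[] = 'libcurl was built without a TLS backend';
    } elseif (preg_match('~^OpenSSL/(\d+\.\d+\.\d+)~', $cv['ssl_version'], $m)
        && version_compare($m[1], '1.0.1', '<')) {
        // OpenSSL added TLS 1.1 and 1.2 in 1.0.1; other backends are not judged.
        $problems[] = "OpenSSL {$m[1]} is older than 1.0.1";
    }
    return $problems;
}

// Builds a handle pinned to TLS 1.2 with certificate checks left on.
function tls12_handle($url)
{
    $ch = curl_init($url);
    // Use the named constant where this PHP defines it; 6 is its value.
    $tls12 = defined('CURL_SSLVERSION_TLSv1_2') ? CURL_SSLVERSION_TLSv1_2 : 6;
    curl_setopt($ch, CURLOPT_SSLVERSION, $tls12);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    return $ch;
}

// Constructed samples, then the build PHP is actually running on.
$builds = array(
    'old sample' => array('version' => '7.19.7', 'ssl_version' => 'OpenSSL/0.9.8e'),
    'new sample' => array('version' => '7.47.0', 'ssl_version' => 'OpenSSL/1.0.2g'),
    'this host'  => curl_version(),
);
foreach ($builds as $name => $cv) {
    $p = tls12_problems($cv);
    echo $name, ': ', $p ? implode('; ', $p) : 'TLS 1.2 pin should work', "\n";
}

// Placeholder URL; nothing is sent until curl_exec($ch) is called.
$ch = tls12_handle('https://api.example.invalid/');
```

If the "this host" line lists a problem, setting CURLOPT_SSLVERSION alone will not help; the cURL or TLS library on the server has to be upgraded first.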