Update PHP cURL request from SSLv3 to TLS..?

Posted 2019-02-05 04:37

Question:

Because of the recent vulnerability discovered in SSLv3, many web service providers (ie. PayPal, Facebook, Google) are disabling that and wanting us to use TLS instead. I'm having a little bit of trouble figuring out how to do this.

I'm currently using the following function to handle my cURL requests.

function CURLRequest($Request = "", $APIName = "", $APIOperation = "", $PrintHeaders = false)
{
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_VERBOSE, 1);
    // Peer certificate verification is switched off by this option.
    curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
    curl_setopt($curl, CURLOPT_TIMEOUT, 30);
    curl_setopt($curl, CURLOPT_URL, $this->EndPointURL);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $Request);

    if($this->APIMode == 'Certificate')
    {
        curl_setopt($curl, CURLOPT_SSLCERT, $this->PathToCertKeyPEM);
    }

    $Response = curl_exec($curl);

    /*
     * If a cURL error occurs, output it for review.
     */
    if($this->Sandbox)
    {
        if(curl_error($curl))
        {
            echo curl_error($curl).'<br /><br />';  
        }
    }

    curl_close($curl);
    return $Response;   
}

When I try hitting PayPal's sandbox, though, where they've already disabled this, I end up with a cURL error: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The info that I've found is that I just need to change this to use TLS instead of SSL, and the other answers I've seen say to simply do that by adding a curl option to my function...

curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

I've added that option, though, and I still get the exact same result. Any information on how I can get this working would be greatly appreciated. Thanks!

Answer 1:

Copied from: SSL error can not change to TLS

Try adding curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'TLSv1'); to your code.

This will work if your cURL is OpenSSL (libssl) based, but not if it is NSS based.



Answer 2:

A better solution until PayPal updates its core SDK would be to override the CURLOPT_SSL_CIPHER_LIST directly in your application. This way you don't have to interfere with the sdk-core-php package directly and you will be free to upgrade it in the future.

You could add something like the following to your app's bootstrap or payment processing logic:

PPHttpConfig::$DEFAULT_CURL_OPTS[CURLOPT_SSL_CIPHER_LIST] = 'TLSv1';

Just make sure you comment it thoroughly and remember to take it out later when the issue has been patched in the core.



Answer 3:

I just resolved this by updating the nss library via the terminal.



Answer 4:

If the above does not help, check the OpenSSL version. It's likely because of OpenSSL version <= 0.9.8. Updating to PHP 7 helps, as it comes with a higher version of OpenSSL.
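
An added example, not part of any answer above and not PayPal SDK code: it reports which TLS library PHP's cURL is linked against (the OpenSSL versus NSS distinction the answers turn on) and sends a request that requires TLS 1.2 with certificate verification left on. The helper names tlsBackend and tlsPost are hypothetical, the first three version strings are constructed samples, and the endpoint is assumed to accept TLS 1.2.

```php
<?php
// Added example; tlsBackend() and tlsPost() are hypothetical helper names.

/** Classify curl_version()['ssl_version'], e.g. "OpenSSL/0.9.8k" or "NSS/3.15". */
function tlsBackend(string $sslVersion): array
{
    if (!preg_match('~^([A-Za-z]+)/(\d[\w.\-]*)~', trim($sslVersion), $m)) {
        return ['backend' => 'unknown', 'version' => '', 'note' => 'unrecognised ssl_version string'];
    }
    [$backend, $version, $note] = [strtolower($m[1]), $m[2], ''];
    $numeric = preg_replace('~[a-z]+$~', '', $version); // drop OpenSSL patch letter ("0.9.8k")
    if ($backend === 'openssl' && version_compare($numeric, '1.0.1', '<')) {
        $note = 'predates OpenSSL 1.0.1, so no TLS 1.1/1.2: upgrade the library';
    } elseif ($backend === 'nss') {
        $note = 'NSS build: the OpenSSL cipher string "TLSv1" does not apply (see Answer 1)';
    }
    return ['backend' => $backend, 'version' => $version, 'note' => $note];
}

/** POST $body to $url over TLS 1.2 with certificate checks left on. */
function tlsPost(string $url, string $body, ?string $clientCertPem = null): array
{
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // never negotiates SSLv3
        CURLOPT_SSL_VERIFYPEER => true,                    // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                       // certificate must match the host name
    ]);
    if ($clientCertPem !== null) {
        curl_setopt($curl, CURLOPT_SSLCERT, $clientCertPem);
    }
    $response = curl_exec($curl);
    return ['ok' => $response !== false, 'body' => $response, 'error' => curl_error($curl)];
}

// Constructed sample strings, followed by what this PHP build is linked against.
$samples = ['OpenSSL/0.9.8k', 'OpenSSL/1.0.1e', 'NSS/3.15.4', curl_version()['ssl_version']];
foreach ($samples as $s) {
    $r = tlsBackend($s);
    printf("%-16s backend=%-8s %s\n", $s, $r['backend'], $r['note'] ?: 'no known issue');
}
// Only touches the network when an endpoint URL is passed on the command line.
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = tlsPost($argv[1], 'ping=1');
    echo $r['ok'] ? "handshake ok\n" : "cURL error: {$r['error']}\n";
}
```

Run without arguments, it only prints the backend classification; the last line of that output is the library the local PHP build actually uses.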