DoDirectPayment API call failed. with empty error message

This is an issue I was just made aware of today.

Because of a vulnerability discovered in SSLv3 (which is the default used by pretty much all PHP web apps making web service API calls) PayPal is disabling SSLv3 on their servers.

They flipped that switch just today on the sandbox, but they have not yet made that change on the live server.

I literally just about 10 min ago got this fixed on my local development server, and I’ll probably be pushing a 1.1.5.1 update to resolve this issue before long.

If you’d like to fix it yourself before I push the update you just need to do the following:

Open the file at /paypal-for-woocommerce/classes/lib/angelleye/paypal-php-library/includes/paypal.class.php

Starting at line 600 you should see some curl_setopt() lines. Add these 2 into that group:

curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, ‘TLSv1’);
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);

This causes the code to use TLS instead of SSL for the API calls to PayPal, and their server will accept it. Let me know if you have any troubles with that.

It works!!

Thanks for your quick reply and fix.

Hi, I installed your update and it still doesn’t work. I double-checked my API settings and they’re all correct. Help please ??

Here’s the section of code in paypal.class.php after your update:

function CURLRequest($Request = “”, $APIName = “”, $APIOperation = “”)
{
$curl = curl_init();
// curl_setopt($curl, CURLOPT_HEADER,TRUE);
curl_setopt($curl, CURLOPT_VERBOSE, 1);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, ‘TLSv1’);
curl_setopt($curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
curl_setopt($curl, CURLOPT_TIMEOUT, 30);
curl_setopt($curl, CURLOPT_URL, $this->EndPointURL);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $Request);

if($this->APIMode == ‘Certificate’)
{
curl_setopt($curl, CURLOPT_SSLCERT, $this->PathToCertKeyPEM);
}

$Response = curl_exec($curl);
curl_close($curl);
return $Response;
}

@dconsorte, I’m going to need more info than “it doesn’t work” to be able to help you. What exactly is going on?

After using the plugin for PayPal Express without any issue for almost 2 months, I started getting the error message “-” when you attempt to check out, yesterday.

I updated the plugin to incorporate the new code you indicated above, but when anyone attempts to checkout there is the same error mwkleung described.

The only difference is the email I receive says:
SetExpressCheckout API call failed.

Error Code:
Error Severity Code:
Short Error Message:
Detailed Error Message:

The log only says:
`11-06-2014 @ 13:02:09 – Response: Array
(
)

11-06-2014 @ 13:02:09 – SetExpressCheckout API call failed.
11-06-2014 @ 13:02:09 – Detailed Error Message:
11-06-2014 @ 13:02:09 – Short Error Message:
11-06-2014 @ 13:02:09 – Error Code:
11-06-2014 @ 13:02:09 – Error Severity Code: `

Any idea if there is anything else I can do on my end?

@pwwcards,

Please check what version of PHP you’re running and let me know. If you can look for the cURL version that would be good, too. You can get that info by looking at a PHP script on your server with nothing but the phpinfo() function in it.

PayPal is killing SSLv3 on their API servers because of the vulnerability with it that was discovered. Facebook, Google, and pretty much everybody is doing the same thing. As such, the plugin was updated to use TLS instead, however, that is only compatible on PHP 5.5 with cURL 7.36.0. You can find more details about that looking at the answer here.

I have been able to confirm this with a few other people who were on early versions of cURL and TLS was not working for them. Sounds like you may need to get your web host to update your PHP version for you, which would come with the new cURL version that is compatible with TLS.

I know it’s sort of a pain to deal with, but it’s a requirement as PayPal will be killing SSL on their live servers before long. They’ve already done it on their sandbox servers.

Ok, well that stinks ha ha. I was able to move to PHP 5.5 but am stuck with cURL 7.19. My host won’t upgrade at this point.

Thanks for the info!

That’s interesting. I was thinking it came with PHP 5.5, but I guess not.

You might want to circle back to them and make sure they know about the vulnerability. Lots of web services are going to be disabling SSLv3, which seems to be the default used by most PHP/cURL installs, and you’re going to run into lots of problems before too much longer if they won’t update for you.

If they still refuse, I’d seriously consider migrating to a new host. I’m curious, who is your current host?

I told their agent the information you provided to me regarding the move away from SSLv3. I use hostgator.

Interesting. I’m on HostGator myself. Are you using a shared account or a dedicated account of some sort? I’m on a VPS account, but it was already updated so I didn’t have to do anything with it.

Shared account.

I guess they’ll have to change their tune with all the people on those shared servers start complaining that 3rd party web services aren’t working with their website.

@angelleye

The error message is blank, just as PWWcards described above:

DoDirectPayment API call failed.
Error Code:
Detailed Error Message:

My site is on a shared server. I am on curl 7.19.7 – looking at above, am I correct to assume that my issue is I need my host to upgrade curl to 7.36.0?

PHP Version 5.3.3

cURL support enabled
cURL Information 7.19.7
Age 3
Features
AsynchDNS No
Debug No
GSS-Negotiate Yes
IDN Yes
IPv6 Yes
Largefile Yes
NTLM Yes
SPNEGO No
SSL Yes
SSPI No
krb4 No
libz Yes
CharConv No
Protocols tftp, ftp, telnet, dict, ldap, ldaps, http, file, https, ftps, scp, sftp
Host x86_64-redhat-linux-gnu
SSL Version NSS/3.15.3
ZLib Version 1.2.3
libSSH Version libssh2/1.4.2

I got my host to upgrade curl – Paypal Express checkout is now working. However dodirectpayment is still not working. A new thing I noticed is that the credit card fields are no longer on my checkout form. But, they are now visible on this page:

https://www.steampunkgoggles.com/wp-admin/admin.php?page=wc-settings&tab=checkout&section=wc_gateway_paypal_pro_angelleye

At the bottom of the page, just below “Log PayPal events inside woocommerce/logs/paypal-pro.txt” I see the credit card fields and a snippet of code that looks something like below:

enabled==”yes”) : if ( $this->testmode == “no” && get_option(‘woocommerce_force_ssl_checkout’)==’no’ && !class_exists( ‘WordPressHTTPS’ ) ) return false; // Currency check if ( ! in_array( get_woocommerce_currency(), apply_filters( ‘woocommerce_paypal_pro_allowed_currencies’, array( ‘AUD’, ‘CAD’, ‘CZK’, ‘DKK’, ‘EUR’, ‘HUF’, ‘JPY’, ‘NOK’, ‘NZD’, ‘PLN’, ‘GBP’, ‘SGD’, ‘SEK’, ‘CHF’, ‘USD’ ) ) ) ) return false; // Required fields check if (!$this->api_username || !$this->api_password || !$this->api_signature) return false; return isset($this->avaiable_card_types[WC()->countries->get_base_country()]); endif; return false; } /** * Payment form on checkout page */ function payment_fields() { $available_cards = $this->avaiable_card_types[WC()->countries->get_base_country()]; ?>
Pay with your credit card

Credit Card number *

Card type *

Expiration date *

Card security code *

the last 4 items above are the actual form fields, that are now appearing in admin.

@dconsorte,

That looks like you’re running into another issue now that has already been fixed in my development repo. It has to do with a PHP short tag being used but your server doesn’t have short tags enabled.

You could either ask your host to enable PHP short tags, or you can download the development repo and upload that. That always includes the latest official release plus any new features/improvements that have been completed and fully tested, but not yet officially released.

It includes a fix for the short tag issue, so it would go away. It’s completely ready to go if you just want to do that, or again, you could ask your host to enable PHP short tags for you. Either way should resolve what you’re seeing there.