Torbjorn Zetterlund

Thu 23 2017

WordPress EDD SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

by bernt & torsten

This article is about an error that I experienced on my WordPress site while setting up Easy Digital Downloads with software licensing.

I wrote additional code for my WP plugin, as recommended by Easy Digital Downloads for software licensing, on how to add a license key to my plugin and how to activate the license key.

When I was testing activation of the plugin key, I got a curl error: curl: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Setup Environment

A bit about my development setup: I do all my development on a MacBook, and I used MAMP for the localhost server setup on the MacBook.

The issue

The issue I got when testing license activation was a curl error: curl: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

The problem is related to an SSL Handshake error that occurs when the OpenSSL version on the server of the site requesting the update is outdated and does not support the SSL Protocols that the store delivering the update requires.

There are two ways to set this up to resolve this issue.

The ideal solution is to have the site requesting the update verify that its OpenSSL software is up to date for its platform. OpenSSL is server software that facilitates communication over the HTTPS protocol. If this is not a possible solution, you can work with your hosting provider or server administrator to configure your web server to accept these outdated SSL versions, but this is not ideal as it allows less secure connections to your server.

Alternatives

There are a few other things that you should also check. It may not be the SSL; it could be one or several of the following.

curl Version

First, check your curl version with curl -V, then check whether you can curl the server that manages the licenses. You can also use the EDD Software Licensing API.

Check if EDD is properly installed and configured

You can also check if your software licenses site is correctly configured:

http://YOURSITE.com/?edd_action=activate_license&item_name=EDD+Product+Name&license=cc22c1ec86304b36883440e2e84cddff&url=http://licensedsite.com

SSL Support

Next, check your SSL support. The server where I run the licensing software is set up with Ubuntu. I read that some sites disable support for SSL 3.0 (possibly because of many exploits/vulnerabilities), so it's possible to force a specific SSL version with either -2/--sslv2 or -3/--sslv3. Also, -L is worth a try if the requested page has moved to a different location. The problem could also be a curl bug (found in OpenSSL), in which case curl would need to be upgraded to the latest version (>7.40). In my case that was not the issue.

MacBook Issue

If you are running your localhost on a MacBook, check your version. Starting with Mavericks, Apple switched the TLS/SSL engine from OpenSSL to their own Secure Transport engine in the Apple-distributed cURL binary, which breaks client certificate usage. Use the cURL binary from Homebrew:

  • brew install curl
  • brew link curl --force
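
The client-side checks from the curl Version, SSL Support and MacBook Issue sections can be run against the first line of curl -V. The script below is an added example, not code from the original post or from Easy Digital Downloads. The function names and finding labels are hypothetical, the banners are constructed samples, and the OpenSSL 1.0.1 threshold assumes the store requires TLS 1.2.

```shell
#!/bin/sh
# Added example: triage the first line of `curl -V` for the client-side
# causes of "sslv3 alert handshake failure" listed in the article.

# Succeeds if dotted version $1 is older than $2. Letter suffixes such
# as the "f" in 1.0.1f are ignored (awk reads "1f" + 0 as 1).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      m = x[i] + 0; n = y[i] + 0
      if (m != n) exit !(m < n)
    }
    exit 1   # equal versions: not older
  }'
}

# Prints space-separated findings (hypothetical labels), or "ok".
triage_curl_banner() {
  banner=$1
  findings=
  curl_ver=$(printf '%s\n' "$banner" | awk '{print $2}')
  # The article says curl had to be newer than 7.40.
  if version_lt "$curl_ver" 7.41.0; then findings="$findings curl-too-old"; fi
  case $banner in
    *SecureTransport*)
      # Apple-distributed curl since Mavericks: use the Homebrew binary.
      findings="$findings secure-transport-backend" ;;
    *OpenSSL/*)
      ssl=${banner#*OpenSSL/}; ssl=${ssl%% *}
      # Assumption: the store needs TLS 1.2, which OpenSSL gained in 1.0.1.
      if version_lt "$ssl" 1.0.1; then findings="$findings openssl-lacks-tls12"; fi ;;
  esac
  [ -n "$findings" ] || findings=" ok"
  printf '%s\n' "${findings# }"
}

# Constructed sample banners, not real captures.
for sample in \
  'curl 7.30.0 (x86_64-apple-darwin13.0) libcurl/7.30.0 SecureTransport zlib/1.2.5' \
  'curl 7.21.0 (x86_64-pc-linux-gnu) libcurl/7.21.0 OpenSSL/0.9.8o zlib/1.2.3.4' \
  'curl 7.52.1 (x86_64-pc-linux-gnu) libcurl/7.52.1 OpenSSL/1.0.2k zlib/1.2.8'
do
  printf '%s\n  -> %s\n' "$sample" "$(triage_curl_banner "$sample")"
done

# On a real host, feed it the live banner:
#   triage_curl_banner "$(curl -V | head -n 1)"
```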

SSL Connect Error with CloudFlare

SSL connect error when using CloudFlare: this specific error with Software Licensing delivering updates is usually seen when using Cloudflare's Flexible SSL option. This option causes a chain issue with some cURL versions that exist on the client server requesting the update.

There are a couple of ways to fix this from the server side (without having to request the client to update their cURL version). The first is to upgrade to a paid Cloudflare SSL.

The paid tier SSL Certificates from Cloudflare typically do not pose this problem. The other solution is to purchase an SSL Certificate from a 3rd party and install it directly on your server.


CloudFlare Integration

CloudFlare Integration – If you are using CloudFlare as a CDN, Caching Layer, or SSL provider, we recommend you configure CloudFlare to bypass the cache for all URLs that contain the following string:

/edd-sl

This is the API endpoint for checking the license status and delivering update packages. If these endpoint URLs are cached it can cause issues with properly delivering updates to your customers.


Conclusion

I used CloudFlare, so the solution for me was to go with buying a Cloudflare certificate, and I also added a page rule for not caching the EDD software licensing page.

I hope this will help you if you have similar problems. If you have questions or comments, you can add them below.