Description
Working on a client's server today (I develop a self-hosted app that uses the Stripe SDK for payments), Stripe's SDK failed with the error: `Unexpected error communicating with Stripe. If this problem persists, let us know at [email protected]. (Network error [errno 35]: Unsupported SSL protocol version)`
They contacted Stripe and they were told to run this code, which outputted "TLS 1.2" correctly. So TLS 1.2 is supported properly.
The client was running Stripe 3.20.0 (3.21 only adds the Source stuff so it wouldn't have changed anything), so this is an issue with the latest code. After digging into it a bit, I figured out that the problem lay with these lines. This server has `CURL_SSLVERSION_TLSv1_2` defined (PHP 5.6), and OpenSSL is current enough to pass that `if`, so the code was running `$opts[CURLOPT_SSLVERSION] = CURL_SSLVERSION_TLSv1_2;`, which for some reason causes the problem, because changing it to `CURL_SSLVERSION_TLSv1` makes the problem go away. Somehow, explicitly requiring 1.2 is a problem while just asking for any TLS is fine. Removing all the lines linked to above (i.e. not setting `CURLOPT_SSLVERSION` at all) also resolves the problem. It's also worth noting that PHP's docs themselves recommend not setting `CURLOPT_SSLVERSION` at all (http://php.net/manual/en/function.curl-setopt.php "Note: Your best bet is to not set this and let it use the default."). So it could be that the best thing to do is to just remove it.
This is not a Stripe-specific issue because in the TLS-checking gist linked above, if I add the line `curl_setopt($c, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);`, it makes it fail. So it's just something with curl itself on this particular server configuration. But since Stripe does depend on it working correctly, I thought it might be useful to report this, just in case you want to debug and find a workaround for it to make sure others don't have this problem.
I have FTP access to the server and the client's permission to work on debugging this issue so I'm happy to look at whatever is needed and provide whatever information is required.
If this issue doesn't seem worthwhile to you, that's fine, since it's not something affecting a lot of people. I just wanted to make sure someone was aware of it, just in case.
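A diagnostic that reproduces the three-way comparison described in this report (CURLOPT_SSLVERSION unset, forced to TLSv1, forced to TLSv1_2), added here as an example and not code from the issue, the linked gist or the Stripe SDK. It assumes PHP 5.6+ with the curl extension, and uses https://www.howsmyssl.com/a/check as the probe endpoint because its JSON reply names the negotiated TLS version (that endpoint choice is an assumption; any HTTPS URL works for the errno comparison alone).

```php
<?php
// Added diagnostic, not code from the issue or the Stripe SDK.
// Makes the same HTTPS request with CURLOPT_SSLVERSION left unset (PHP's
// documented recommendation), forced to CURL_SSLVERSION_TLSv1 (any TLS
// version), and forced to CURL_SSLVERSION_TLSv1_2, then reports curl's
// errno/error for each so an "errno 35: Unsupported SSL protocol version"
// failure can be pinned to one setting on the affected server.
// Written to run on PHP 5.6 (no scalar type hints or ?? operator).

// Assumed probe endpoint: its JSON response carries a "tls_version" field.
define('PROBE_URL', 'https://www.howsmyssl.com/a/check');

function probeTls($sslVersion)
{
    $c = curl_init(PROBE_URL);
    curl_setopt($c, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($c, CURLOPT_TIMEOUT, 15);
    // Keep certificate verification on: the test is about protocol
    // negotiation, not about weakening the connection.
    curl_setopt($c, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($c, CURLOPT_SSL_VERIFYHOST, 2);
    if ($sslVersion !== null) {
        curl_setopt($c, CURLOPT_SSLVERSION, $sslVersion);
    }
    $body  = curl_exec($c);
    $errno = curl_errno($c);
    $error = curl_error($c);
    curl_close($c);

    $negotiated = null;
    if ($body !== false) {
        $json = json_decode($body, true);
        $negotiated = isset($json['tls_version']) ? $json['tls_version'] : null;
    }
    return array('errno' => $errno, 'error' => $error, 'tls_version' => $negotiated);
}

$cases = array('unset (curl default)' => null, 'CURL_SSLVERSION_TLSv1' => CURL_SSLVERSION_TLSv1);
// The TLSv1_2 constant is only defined on builds whose curl supports it.
if (defined('CURL_SSLVERSION_TLSv1_2')) {
    $cases['CURL_SSLVERSION_TLSv1_2'] = CURL_SSLVERSION_TLSv1_2;
}

$v = curl_version();
printf("curl %s, %s\n", $v['version'], $v['ssl_version']);
foreach ($cases as $label => $version) {
    $r = probeTls($version);
    $detail = $r['errno'] === 0
        ? 'negotiated ' . ($r['tls_version'] !== null ? $r['tls_version'] : 'unknown')
        : $r['error'];
    printf("%-24s errno=%d %s\n", $label, $r['errno'], $detail);
}
```

If only the TLSv1_2 row fails with errno 35 while the unset row negotiates TLS 1.2, the server's curl/OpenSSL pairing rejects the explicit version pin rather than TLS 1.2 itself, which is the situation this report describes.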