首先感谢 http://stackoverflow.com/questions/30145089/tls-1-2-not-working-in-curl 这篇文章拯救了我的网站。
在使用国外支付插件stripe的时候遇到一个问题:
Stripe no longer supports API requests made with TLS 1.0. Please initiate HTTPS connections with TLS 1.2 or later. You can learn more about this at https://stripe.com/blog/upgrading-tls.
为了解决这个问题,给自己的网站申请了https证书,但是无济于事。从stripe的技术支持得到的解释是:
The cert you speak of concerns inbound requests. If I visit your website, as a customer, my browser (Chrome) will try to talk to your server over TLS 1.2 by default as it uses the most secure protocol first. Your server is apparently able to answer requests over TLS 1.2.
The issue we have right now is that when your server contacts Stripe's servers it negotiates TLS 1.0 by default instead of TLS 1.2. Since have depreciated requests made with TLS < 1.2 this means your requests are failing.
原来我的网站虽已加了https头并且可以显示出正在使用TLS 1.2连接,但是仅是针对处理浏览器向服务器发出的请求。而我的服务器向stripe发起curl请求时仍然使用的是TLS1.0。
按照首行网址的方法,运行命令行:yum update nss curl openssl
顺利解决。
另外,如果系统实在无法升级到支持TLS1.2的时候,stripe虽然极度不推荐但是仍然给了我们一条活路:
https://github.com/stripe/stripe-php#ssl--tls-compatibility-issues
$curl = new \Stripe\HttpClient\CurlClient(array(CURLOPT_SSLVERSION => CURL_SSLVERSION_TLSv1)); \Stripe\ApiRequestor::setHttpClient($curl);相当于强制curl使用TLS1.0连接。
另外查阅资料,openssl的版本必须在1.0.1以上才可以支持TLS1.1/TLS 1.2。我的服务器目前的是1.0.1e。stripe support的回复是
If it's not supported, you should ask your host provider to upgrade your system to properly support TLS 1.2 as this requires upgrading the operating system, curl, language libraries and/or openssl on their end.
幸运的是我的系统无需做这方面的升级,仅仅运行了 yum update nss curl openssl这句命令,再用https://support.stripe.com/questions/how-do-i-upgrade-my-stripe-integration-from-tls-1-0-to-tls-1-2这种方法测试,“TLS 1.2 supported, no action required.”这样的回应告诉我已经顺利解决了问题。不用使用备用的兼容性方法了。