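PayPal recently upgraded and now requires TLSv1.2, but following the official upgrade instructions and test is actually not accurate!
Official upgrade guide: https://github.com/paypal/TLS-update#php
Official check tool: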
https://github.com/paypal/TLS-update/blob/master/php/cacert.pem
https://github.com/paypal/TLS-update/blob/master/php/TlsCheck.php
php -f TlsCheck.php
On success:
PayPal_Connection_OK
On failure:
curl_error information
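<?php
// Probe which TLS versions this PHP/libcurl build can negotiate with a test server.
$url = 'https://fancyssl.hboeck.de/';

// Older PHP builds do not define the CURL_SSLVERSION_TLSv1_x constants;
// fall back to libcurl's numeric values (4 to 7) in that case.
function tlsConst($name, $fallback) {
    return defined($name) ? constant($name) : $fallback;
}

// 'sec' marks whether the protocol version is considered secure.
$protocols = [
    'TLS1.0' => ['protocol' => tlsConst('CURL_SSLVERSION_TLSv1_0', 4), 'sec' => false],
    'TLS1.1' => ['protocol' => tlsConst('CURL_SSLVERSION_TLSv1_1', 5), 'sec' => false],
    'TLS1.2' => ['protocol' => tlsConst('CURL_SSLVERSION_TLSv1_2', 6), 'sec' => true],
    'TLS1.3' => ['protocol' => tlsConst('CURL_SSLVERSION_TLSv1_3', 7), 'sec' => true],
];

foreach ($protocols as $name => $value) {
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_SSLVERSION, $value['protocol']);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // curl_exec() returns false when the transfer (including the handshake) fails.
    $response = curl_exec($ch) !== false;
    curl_close($ch);

    if ($value['sec'] && !$response) {
        echo "Secure $name not supported =( \n";
    } elseif ($value['sec'] && $response) {
        echo "Ok! Secure $name supported \n";
    } elseif (!$value['sec'] && $response) {
        echo "Insecure $name supported =( \n";
    } elseif (!$value['sec'] && !$response) {
        echo "Ok! Insecure $name not supported\n";
    }
}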
Code source: https://stackoverflow.com/questions/49186863/php-how-to-see-if-a-server-supports-tls-1-0
I found that version 7.19.7 still does not work, but version 7.29.0 does.
To upgrade, add a repository by creating a new file /etc/yum.repos.d/cityfan.repo
[city-fan.org]
name=city-fan.org repository for Red Hat Enterprise Linux (and clones) $releasever ($basearch)
baseurl=http://mirror.city-fan.org/ftp/contrib/yum-repo/rhel$releasever/$basearch
mirrorlist=http://mirror.city-fan.org/ftp/contrib/yum-repo/mirrorlist-rhel$releasever
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-city-fan.org
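Run yum install libcurl
Note that the repo file above sets gpgcheck=0 and fetches over plain http, so yum will not verify the signatures of the packages it installs; set gpgcheck=1 once the key named in gpgkey is present on the host.
After upgrading php_curl, don't forget to restart php-fpm so the change takes effect.
On CentOS 6 you can use service php-fpm restart; on CentOS 7 you can use systemctl restart php-fpm
For a non-standard php-fpm installation on CentOS 6, restart it like this: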
killall php-fpm
/usr/sbin/php-fpm -y /etc/php-fpm.d/www.conf
Finally, print the configuration:
[root@vs2 ~]# php -r 'echo json_encode(curl_version(), JSON_PRETTY_PRINT);'
{
    "version_number": 474112,
    "age": 4,
    "features": 3113885,
    "ssl_version_number": 0,
    "version": "7.60.0",
    "host": "x86_64-redhat-linux-gnu",
    "ssl_version": "OpenSSL\/1.0.1e",
    "libz_version": "1.2.3",
    "protocols": [
        "dict",
        "file",
        "ftp",
        "ftps",
        "gopher",
        "http",
        "https",
        "imap",
        "imaps",
        "ldap",
        "ldaps",
        "pop3",
        "pop3s",
        "rtsp",
        "scp",
        "sftp",
        "smb",
        "smbs",
        "smtp",
        "smtps",
        "telnet",
        "tftp"
    ]
}
[root@vs2 ~]#
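
As an added example (not part of the original post or of PayPal's tooling), the curl_version() fields printed above can be checked offline: version_number is packed as 0xXXYYZZ and ssl_version names the TLS backend. The function names and the two thresholds (libcurl 7.34.0 for the CURL_SSLVERSION_TLSv1_2 constant, OpenSSL 1.0.1 for TLS 1.2) are assumptions taken from those projects' release history, not from this page; a passing result still needs the live handshake test.

```php
<?php
// Added example: offline TLS 1.2 preflight over the array returned by curl_version().

/** Decode libcurl's packed version_number (0xXXYYZZ) into [major, minor, patch]. */
function decodeCurlVersion($num) {
    return [($num >> 16) & 0xFF, ($num >> 8) & 0xFF, $num & 0xFF];
}

/** Compare two [major, minor, patch] triples; true when $a >= $b. */
function atLeast(array $a, array $b) {
    for ($i = 0; $i < 3; $i++) {
        if ($a[$i] !== $b[$i]) {
            return $a[$i] > $b[$i];
        }
    }
    return true;
}

/**
 * Returns ['curl' => 'x.y.z', 'can_pin_tls12' => bool, 'backend_tls12' => bool|null].
 * backend_tls12 is null for non-OpenSSL backends (e.g. NSS), which need a live test.
 */
function tls12Preflight(array $info) {
    $curl = decodeCurlVersion($info['version_number']);
    $backend = null;
    if (preg_match('#^OpenSSL/(\d+)\.(\d+)\.(\d+)#', $info['ssl_version'], $m)) {
        // TLS 1.1/1.2 arrived in OpenSSL 1.0.1; the letter suffix (1.0.1e) is ignored.
        $backend = atLeast([(int)$m[1], (int)$m[2], (int)$m[3]], [1, 0, 1]);
    }
    return [
        'curl' => implode('.', $curl),
        // CURL_SSLVERSION_TLSv1_2 was added in libcurl 7.34.0.
        'can_pin_tls12' => atLeast($curl, [7, 34, 0]),
        'backend_tls12' => $backend,
    ];
}

// Values taken from the curl_version() output above.
$upgraded = ['version_number' => 474112, 'ssl_version' => 'OpenSSL/1.0.1e'];
// Constructed sample: a host still on 7.19.7 with an NSS backend.
$old = ['version_number' => 0x071307, 'ssl_version' => 'NSS/3.0'];

foreach (['upgraded' => $upgraded, 'old' => $old] as $label => $info) {
    echo $label, ': ', json_encode(tls12Preflight($info)), "\n";
}
// On a live host: echo json_encode(tls12Preflight(curl_version()));
```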