On November 15th Stripe deprecated SSLv3 because of the POODLE vulnerability. On the whole, this has been a good and welcome change, because SSLv3 has been terrible for a very long time.
The problem is that on some systems this causes backend API requests to start failing with an error message from Stripe because they're unable to auto-negotiate TLSv1.2.
Here are three ways to help fix this:
This is the cleanest solution. Upgrade your Ruby to 2.1.4, 2.0.0-p594, or 1.9.3-p550. In those versions, SSLv3 is disabled, which forces auto-negotiation to pick TLSv1.2.
You can also try upgrading your
rest-client gem to the latest version in your
gem 'rest-client', '>= 1.7.2'
This has worked for some people but it depends on your situation. You might already be running the latest, in which case carry on to the next option.
Also, if you're using the
rest_client gem (notice the underscore instead of dash), be aware that this re-enables SSLv3. See this commit from late October 2014.
At the bottom of the link in #1 there's a monkeypatch you can apply that changes OpenSSL to remove SSLv3.
If you can't or won't upgrade your Ruby and changing OpenSSL is too scary, you're left with the option of monkeypatching Stripe's library directly. Drop this code in an initializer:
module Stripe def self.execute_request(opts) RestClient::Request.execute(opts.merge(ssl_version: :TLSv1)) end end
This is basically the solution that was proposed to Stripe but they rejected it because when new versions of TLS come out it'll break. So, don't be surprised when it breaks two years down the line, but for now it works.
Of these three options, if you can go with the first one please do. It's the cleanest and least brittle solution.
Get a free five part email course all about Stripe and Rails, including the first three chapters of Mastering Modern Payments.No spam. Unsubscribe at any time.