Disclaimer: I am a front end developer. I do not understand the dark art of system administration or network security. Copy and paste from this article at your own risk.

Using the Wufoo API with MAMP

Here is the situation. My friend and coworker Patrick was trying to build some integration tools using Wufoo for a client project.

We work in local environments using MAMP because we are not cool enough to deal with Docker, containers, or whatever the hell else kids are using these days.

Patrick pasted the provided PHP from the Wufoo help docs in to a page of an existing MAMP virtual host and it did not work.

Setup

Each of us are using MacBook Pros running OSX 10.11.2 with MAMP Pro 3.5 - running PHP 7.0.0 with ports set to 80, 443, 3306.

In MAMP Pro we had a host wufoo.dev pointing to a folder that contained a single index.php with the following:

<?php
$curl = curl_init('https://fishbowl.wufoo.com/api/v3/users.xml');       //1
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);                          //2
curl_setopt($curl, CURLOPT_USERPWD, 'AOI6-LFKL-VM1Q-IEX9:footastic');   //3
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY);                     //4
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);    the
curl_setopt($curl, CURLOPT_USERAGENT, 'Wufoo Sample Code');             //5

$response = curl_exec($curl);                                           //6
$resultStatus = curl_getinfo($curl);                                    //7

if($resultStatus['http_code'] == 200) {                     //8
    echo htmlentities($response);
} else {
    echo 'Call Failed '.print_r($resultStatus);                         //9
}
?>

Visiting https://wufoo.dev/ returns Call Failed 1. :rage_emoji:

Troubleshooting

I dropped the same code in one of my favorite tools CodeRunner 2. I hit run and it returned the xml response we were expecting. Weird. So this appears to be a problem in the MAMP setup not the code that Wufoo handed us.

We hit our heads on our keyboard for a long time trying to find more error output. The log files were empty and the status from the curl_getinfo function was basically useless.

I finally found curl_error() in the PHP docs. So adding the following code:

$curlError = curl_error($curl);
echo $curlError;

returned this nugget:

error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failureArray

Yey! A real live error message that we can paste into Google and see the answer…well…hold on…maybe…not.

So no ready-made solution from Google.

The Solution

Research led to many red herrings about downloading new versions of openssl and modifying MAMPs internals. All this seemed gross, and honestly more than a couple of front end developers want to deal with. Just give us our damn JSON and we will hand you some full frontal awesomeness back! Phrasing.

The error message mentioned sslv3. This led to quite a few forum posts with deadends about setting CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER to false.

  1. This solution didn't work for us.
  2. It also felt gross to turn off things that say SSL and VERIFY.

I finally read over a piece of the PHP docs for curl_setopt that mentioned stuff about never using certain SSL versions because of known exploits and then my brain went:

Holy hello kitty Batman! The error message we have tells us the version of SSL that is being used. Maybe we can change it to something else.

So after another hour of reading I discovered that there is a version of SSL and a cipher that SSL will use. We can change both using curl_setopt. I kept changing the version and cipher until we found a winning comboniation.

The combination that worked for us with MAMP Pro + Wufoo API was:

curl_setopt($curl, CURLOPT_SSLVERSION, 1);
curl_setopt($curl, CURLOPT_SSL_CIPHER_LIST, 'TLSv1');

Parting notes

Here is a Gist of a working version of the Wufoo demo code. https://gist.github.com/brandonstephens/e6299ab345e4bdf67b88

About 3/4 of the forum posts I read, and the PHP docs, say to never ever use SSLv2 or SSLv3 because it is dangerous.

I've done my best to respond to Stackoverflow questions I could find around the same issue:

Lastly, I still don't fully understand most of this but our MAMP environment works again. If you see some obvious security issue with what I've done speak up on those Stackoverflow anwers and help a couple of front end developers out.