Magento CURLOPT_SSL_VERIFYHOST error with SagePay

A handful of Magento clients on Magento support plans have had this issue: SagePay misbehaving on their checkout (or one page checkout) pages and producing a CURLOPT_SSL_VERIFYHOST error from their Magento store.

Luckily, it’s fixed in SagePaySuite’s latest version, so if you can, just update the module in Magento Connect Manager!


The cause of the bug is the use of an incorrect parameter related to SSL (security certificates) on your server. Essentially, the old, “broken”, code is telling the server to simply check the “common name” of the server exists, whereas the fix (below) asks the server to check that “common name” matches the actual “hostname” of the server the website is on. Simply, SagePay have chosen to discontinue support for CURLOPT_SSL_VERIFYHOST set to 1 or True as it’s much less secure, and this has affected your Magento store if it relies on the SagePay payment gateway.

The bug is explained reasonably well in a related bug in WordPress here.

The error that pops up is similar to that below – your browser’s native JavaScript ‘alert’ dialogue displaying an error message along the lines of:

The page at says:

An error occured with Sage Pay: Gateway request error: Notice: curl_setopt() [<a href=”‘function.curl-setopt’>function.curl-setopt</a>]: CURLOPT_SSL_VERIFYHOST with value 1 is deprecated and will be removed as of libcurl 7.28.1. It is recommended to use value 2 instead in /home/yourhostingaccountname­/public_html/app/code/­local/Ebizmarts/SagePaySuite/Model/­Api/Payment.php on line 1169

SagePay CURLOPT_SSL_VERIFYHOST error in Magento

Error message in Chrome (Mac) produced by SagePay CURLOPT_SSL_VERIFYHOST error in Magento

A quick fix for the CURLOPT_SSL_VERIFYHOST error

Here’s a quick remedy to the CURLOPT_SSL_VERIFYHOST issue in Magento (I’m sure it’s fixed in the most recent version of Ebizmarts’ SagePaySuite module but haven’t had time to verify this as of yet). If you re-read the error message, you’ll see the fix is essentially given in the

  1. Locate the file named in the error message in your Magento installation – in our case, it was /app/code/local/Ebizmarts/SagePaySuite/Model/Api/Payment.php – and open it in your preferred text editor. Create a backup copy of it too, just in case you need to restore it.
  2. Locate the line in the file causing the problem; again, ours was line 1169, which looked like this:curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 1);
  3. Change the parameter from ‘1’ to ‘2’; on line 1169, which should now read luike this:
    curl_setopt($curlSession, CURLOPT_SSL_VERIFYHOST, 2);
  4. Upload this file over the existing Payment.php file.
  5. You may need to clear Magento’s caches for this change to take effect.
  6. That’s it: the CURLOPT_SSL_VERIFYHOST error with SagePay in your Magento store should now be resolved!

Why do I say “quick fix” above? Simply because the change will be overwritten when you come to update the module (you could try doing this in Magento Connect Manager anyway as a longer-term fix!).

2 Responses to “Magento CURLOPT_SSL_VERIFYHOST error with SagePay”

Comments are closed.