From f9f830e0e12665ba35ef623c9987a2a2e5fb315e Mon Sep 17 00:00:00 2001
From: Matt-Yorkley <9029026+Matt-Yorkley@users.noreply.github.com>
Date: Wed, 6 Jan 2021 15:35:20 +0000
Subject: [PATCH] Bring in Paypal certificates hack via new initializer

---
 config/initializers/paypal.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 config/initializers/paypal.rb

diff --git a/config/initializers/paypal.rb b/config/initializers/paypal.rb
new file mode 100644
index 0000000000..31ec5f826a
--- /dev/null
+++ b/config/initializers/paypal.rb
@@ -0,0 +1,15 @@
+# Fixes the issue about some PayPal requests failing with
+# OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed)
+module CAFileHack
+  # This overrides paypal-sdk-core default so we don't pass the cert the gem provides to the
+  # NET::HTTP instance. This way we rely on the default behavior of validating the server's cert
+  # against the CA certs of the OS (we assume), which tend to be up to date.
+  #
+  # See https://github.com/openfoodfoundation/openfoodnetwork/issues/5855 for details.
+  def default_ca_file
+    nil
+  end
+end
+
+require 'paypal-sdk-merchant'
+PayPal::SDK::Core::Util::HTTPHelper.prepend(CAFileHack)